Windows Analysis Report
V6bBcEdp5a.dll

Overview

General Information

Sample name: V6bBcEdp5a.dll
  (renamed because original name is a hash value)
Original sample name: 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
Analysis ID: 1557663
MD5: 791a88d0cafa95f8fa4a548f242f032a
SHA1: ea872c3ecd14e55ec4b013278aed286b0da9e1ed
SHA256: 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
Tags: 103-45-64-91, dll, user-JAMESWT_MHT

Detection

GhostRat, Mimikatz, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7780 cmdline: loaddll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7832 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7856 cmdline: rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7892 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7916 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7840 cmdline: rundll32.exe C:\Users\user\Desktop\V6bBcEdp5a.dll,Shellex MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7884 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7908 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name: Nitol
Description: (none)
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
No configs have been found
Yara matches (Source; Rule; Description; Author; Strings):
Source: V6bBcEdp5a.dll; Rule: JoeSecurity_GhostRat; Description: Yara detected GhostRat; Author: Joe Security
Source: V6bBcEdp5a.dll; Rule: JoeSecurity_Nitol; Description: Yara detected Nitol; Author: Joe Security
Source: V6bBcEdp5a.dll; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Source: V6bBcEdp5a.dll; Rule: Mimikatz_Strings; Description: Detects Mimikatz strings; Author: Florian Roth; Strings:
  • 0x11fcff:$x1: sekurlsa::logonpasswords
Source: V6bBcEdp5a.dll; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0x10444a:$h1: Hid_State
  • 0x1169b0:$h1: Hid_State
  • 0x10445e:$h2: Hid_StealthMode
  • 0x1169d0:$h2: Hid_StealthMode
  • 0x10447e:$h3: Hid_HideFsDirs
  • 0x1169f0:$h3: Hid_HideFsDirs
  • 0x10449c:$h4: Hid_HideFsFiles
  • 0x116a10:$h4: Hid_HideFsFiles
  • 0x1044bc:$h5: Hid_HideRegKeys
  • 0x116a30:$h5: Hid_HideRegKeys
  • 0x1044dc:$h6: Hid_HideRegValues
  • 0x116a50:$h6: Hid_HideRegValues
  • 0x104500:$h7: Hid_IgnoredImages
  • 0x116a80:$h7: Hid_IgnoredImages
  • 0x104524:$h8: Hid_ProtectedImages
  • 0x116ab0:$h8: Hid_ProtectedImages
  • 0x108d66:$s1: FLTMGR.SYS
  • 0x11c6da:$s1: FLTMGR.SYS
  • 0x1092e2:$s2: HAL.dll
  • 0x105e86:$s3: \SystemRoot\System32\csrss.exe
  • 0x118630:$s3: \SystemRoot\System32\csrss.exe
Yara matches in memory dumps (Source; Rule; Description; Author):
Source: 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Source: 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Source: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Source: Process Memory Space: loaddll32.exe PID: 7780; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 7840; Rule: JoeSecurity_Mimikatz_1; Description: Yara detected Mimikatz; Author: Joe Security
Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
Source: 3.2.rundll32.exe.100fbd38.1.unpack; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 4.2.rundll32.exe.100fbd38.1.unpack; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 3.2.rundll32.exe.1010b380.2.raw.unpack; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 0.2.loaddll32.exe.100fbd38.1.unpack; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 0.2.loaddll32.exe.1010b380.2.unpack; Rule: INDICATOR_TOOL_RTK_HiddenRootKit; Description: Detects the Hidden public rootkit; Author: ditekSHen; Strings:
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ

                  System Summary

Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7884, TargetFilename: C:\Users\Public\Documents\MM
                  No Suricata rule has matched

                  AV Detection

Source: V6bBcEdp5a.dll; Avira: detected
Source: V6bBcEdp5a.dll; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 95.4% probability
Source: V6bBcEdp5a.dll; Joe Sandbox ML: detected
Source: V6bBcEdp5a.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.3793331902.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.3793331902.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100255D0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc, 0_2_100255D0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100255D0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc, 3_2_100255D0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 0_2_10009080
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_100092A0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose, 0_2_100097D0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose, 0_2_10009B60
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_1002AC20 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 0_2_1002AC20
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 0_2_10009C40
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825, 0_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 3_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose, 3_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10009B60 FindFirstFileA,FindClose,FindClose, 3_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1002AC20 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 3_2_1002AC20
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 3_2_10009C40
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825, 3_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA, 0_2_10008E50
Source: C:\Windows\System32\loaddll32.exe; Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_1002E150
Source: C:\Windows\System32\loaddll32.exe; Code function: 4x nop then test byte ptr [10121904h], 00000008h 0_2_1003E428
Source: C:\Windows\System32\loaddll32.exe; Code function: 4x nop then movdqa dqword ptr [edi], xmm7 0_2_1003E5A0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_1002E150
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then test byte ptr [10121904h], 00000008h 3_2_1003E428
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then movdqa dqword ptr [edi], xmm7 3_2_1003E5A0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10014060 InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,#823,HttpQueryInfoA,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strstr,strstr,#825,strstr,strncpy,strstr,#825,strstr,strncat,strstr,#825,InternetOpenA,InternetConnectA,InternetCloseHandle,sprintf,sprintf,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,sprintf,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,atol,#823,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,MultiByteToWideChar,#823,MultiByteToWideChar,#825,WideCharToMultiByte,#823,WideCharToMultiByte,#825,strstr,#825,#825, 0_2_10014060
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: loaddll32.exe, rundll32.exe; String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: http://qun.qq.com%s
Source: loaddll32.exe, rundll32.exe; String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: loaddll32.exe, rundll32.exe; String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: loaddll32.exe, rundll32.exe; String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll; String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\loaddll32.exe; Code function: <BackSpace> 0_2_1000B840
Source: C:\Windows\System32\loaddll32.exe; Code function: <Enter> 0_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: <BackSpace> 3_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: <Enter> 3_2_1000B840
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_100026B0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_10002770
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_100029D0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_10016F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 0_2_10016F10
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 3_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 3_2_10002770
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_100029D0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10016F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 3_2_10016F10
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA, 0_2_1000B840

                  E-Banking Fraud

Source: C:\Windows\System32\loaddll32.exe; Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 0_2_1000BFE0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 3_2_1000BFE0

                  System Summary

Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: Detects FatalRAT Author: ditekSHen
Source: 3.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010190 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,#823,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,#825,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcatA,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010640 ExitWindowsEx
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010640 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10094060
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10024070
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10079090
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081160
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10058180
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100041D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100972B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003B320
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002A370
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E3A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100933D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A4C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037500
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E580
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003C536
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A580
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E650
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100966A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10093700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10094700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100357A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100288C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100298E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E5A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100309E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100809E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059A20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007EA30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10095B30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007FBC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005BBD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10091C50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003BCA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10082E90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059ED0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10083ED0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007AEF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10084EF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037F20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005AFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10094060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10079090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10081160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10058180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100041D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100972B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003B320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002A370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007E3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100933D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001A4C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10037500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003C536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005B540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007E650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100966A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10093700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10094700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100357A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100288C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100298E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E5A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100309E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100809E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007EA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10095B30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005BBD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10081C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003BCA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10082E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10083ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007AEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10084EF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10037F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005AFC0
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1001B7A0 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001B7A0 appears 31 times
Source: V6bBcEdp5a.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: V6bBcEdp5a.dll, type: SAMPLE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: 3.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: V6bBcEdp5a.dll Binary string: \Device\QAssist\DosDevices\QAssistQAssist!InitializeDevice[irql:%d,pid:%d][error]: Error, device creation failed with code:%08x
Source: V6bBcEdp5a.dll Binary string: \Device\QAssist\DosDevices\QAssist
Source: V6bBcEdp5a.dll Binary string: \??\\Device\\SystemRoot\QAssist!CheckProtectedOperation[irql:%d,pid:%d][warning]: Warning, can't update initial state for process: %p
Source: V6bBcEdp5a.dll Binary string: \Device\
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100291D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100291D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A2D0 malloc,GetDiskFreeSpaceExA,GetDriveTypeA,malloc,GetIfTable,free,free,malloc,GetIfTable,free
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10027050 CreateToolhelp32Snapshot,Module32First,lstrcmpiA,lstrcmpiA,Module32Next,lstrcmpiA,CloseHandle
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A100 CoInitialize,CoCreateInstance,GetDriveTypeA,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001F0E0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V6bBcEdp5a.dll,Shellex
Source: V6bBcEdp5a.dll ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V6bBcEdp5a.dll,Shellex
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V6bBcEdp5a.dll,Shellex
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: V6bBcEdp5a.dll Static file information: File size 1269760 > 1048576
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.3793331902.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.3793331902.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll
Source: svchos1.exe.4.dr Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825
Source: V6bBcEdp5a.dll Static PE information: section name: .rodata
Source: V6bBcEdp5a.dll Static PE information: section name: .rotext
Source: svchos1.exe.4.dr Static PE information: section name: .didat
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002D190 push eax; ret 0_2_1002D1BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002D190 push eax; ret 3_2_1002D1BE

                  Persistence and Installation Behavior

Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10025BB0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe

                  Boot Survival

                  Source: C:\Windows\System32\loaddll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE00_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE03_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001F0E0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001F0E0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001D260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,0_2_1001D260
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001D260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_1001D260
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000E540 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,0_2_1000E540
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,0_2_10001140
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001D5B0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001DB80
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001D5B0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DB80
                  Source: C:\Windows\System32\loaddll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_0-21819)
                  Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
                  Source: C:\Windows\System32\loaddll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,0_2_10019930
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,3_2_10019930
                  Source: C:\Windows\System32\loaddll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-21958)
                  Source: C:\Windows\System32\loaddll32.exeAPI coverage: 2.3 %
                  Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 2.8 %
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001DB80
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DB80
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10009080
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_100092A0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,0_2_100097D0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose,0_2_10009B60
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002AC20 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_1002AC20
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_10009C40
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,0_2_1000BD50
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,3_2_10009080
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,3_2_100092A0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,3_2_100097D0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009B60 FindFirstFileA,FindClose,FindClose,3_2_10009B60
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002AC20 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,3_2_1002AC20
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,3_2_10009C40
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,3_2_1000BD50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008E50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001B360 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,0_2_1001B360
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10016530 InterlockedExchange,InterlockedExchange,InterlockedExchange,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,ReleaseDC,BlockInput,DestroyCursor,DestroyCursor,0_2_10016530
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,0_2_10014700
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000A580 LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc,0_2_1000A580

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,0_2_1000E780
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,0_2_1000E780
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,3_2_1000E780
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,3_2_1000E780
                  Source: C:\Windows\System32\loaddll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe 0_2_1000ED10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe 3_2_1000ED10
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10021520 _access,GetModuleFileNameA,ShellExecuteExA,ShellExecuteExA,GetLastError,exit,_access,_access,Sleep,WinExec,WinExec,_access,WinExec,Sleep,_access,Sleep,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,Shellex,0_2_10021520
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001F0E0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001F0E0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10020AE0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_10020AE0
                  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: Shell_TrayWnd
                  Source: V6bBcEdp5a.dllBinary or memory string: Shell_TrayWndProgmanDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllrunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\AppData\Local\Google\Chrome\User Data\DefaultC:\Users\\AppData\Roaming\Microsoft\Skype for DesktopSkype.exedel /s /f %appdata%\Mozilla\Firefox\Profiles\*.dbfirefox.exe\AppData\Roaming\360se6\User Data\Default360se6.exe\AppData\Local\Tencent\QQBrowser\User Data\DefaultQQBrowser.exe\AppData\Roaming\SogouExplorerSogouExplorer.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SetupSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
                  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: Progman
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100A8230 cpuid 0_2_100A8230
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002340 GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,DestroyWindow,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,GetDlgItem,GetDlgItem,GetWindowTextLengthA,GetWindowTextLengthA,SetWindowTextA,GetWindowTextLengthA,SendMessageA,SendMessageA,SendMessageA,SetDlgItemTextA,GetDlgItem,SetFocus,0_2_10002340
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002A370 RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,wsprintfA,RegCloseKey,wsprintfA,GetComputerNameA,GetTickCount,wsprintfA,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,wsprintfA,ReleaseDC,wsprintfA,wsprintfA,wsprintfA,GetCommandLineA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,FindWindowA,GetWindow,GetWindowTextA,GetWindow,GetClassNameA,GlobalMemoryStatusEx,0_2_1002A370
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10020040 GetModuleFileNameA,_strnicmp,Sleep,GetVersionExA,GetLastError,0_2_10020040

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10026A90 OpenServiceA 00000000,sharedaccess,000F01FF 0_2_10026A90

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: V6bBcEdp5a.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: V6bBcEdp5a.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7780, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7840, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7856, type: MEMORYSTR
                  Source: Yara matchFile source: V6bBcEdp5a.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

                  barindex
                  Source: Yara matchFile source: V6bBcEdp5a.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: V6bBcEdp5a.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10023760 socket,bind,getsockname,inet_addr,0_2_10023760
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10023B20 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,0_2_10023B20
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023760 socket,bind,getsockname,inet_addr,3_2_10023760
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023B20 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,3_2_10023B20
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                  Native API
                  1
                  DLL Side-Loading
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  111
                  Input Capture
                  1
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts12
                  Service Execution
                  1
                  Create Account
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  LSASS Memory1
                  Account Discovery
                  Remote Desktop Protocol111
                  Input Capture
                  1
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt111
                  Windows Service
                  1
                  Access Token Manipulation
                  3
                  Obfuscated Files or Information
                  Security Account Manager1
                  System Service Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  SteganographyAutomated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron1
                  Bootkit
                  111
                  Windows Service
                  1
                  Timestomp
                  NTDS2
                  File and Directory Discovery
                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script23
                  Process Injection
                  1
                  DLL Side-Loading
                  LSA Secrets15
                  System Information Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Masquerading
                  Cached Domain Credentials1
                  Network Share Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Access Token Manipulation
                  DCSync12
                  Security Software Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job23
                  Process Injection
                  Proc Filesystem12
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Bootkit
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Rundll32
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                  Indicator Removal
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Behavior Graph (ID: 1557663, Sample: V6bBcEdp5a.dll, Start date: 18/11/2024, Architecture: WINDOWS, Score: 100)

                  Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures.

                  Process tree recovered from the graph:
                  loaddll32.exe (signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 4 other signatures)
                      rundll32.exe (signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 3 other signatures)
                          cmd.exe -> conhost.exe
                          cmd.exe -> conhost.exe
                      cmd.exe
                          rundll32.exe (dropped file: C:\Users\Public\Documents\MM\svchos1.exe, PE32)
                              cmd.exe -> conhost.exe
                              cmd.exe -> conhost.exe
                      conhost.exe

                  Source | Detection | Scanner | Label | Link
                  V6bBcEdp5a.dll | 68% | ReversingLabs | Win32.Downloader.GhostRAT |
                  V6bBcEdp5a.dll | 100% | Avira | BDS/Zegost.lloamn |
                  V6bBcEdp5a.dll | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\Public\Documents\MM\svchos1.exe | 0% | ReversingLabs | |

                  No Antivirus matches

                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | 0% | Avira URL Cloud | safe |
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  s-part-0017.t-0009.t-msedge.net
                  13.107.246.45
                  truefalse
                    high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ssl.ptlogin2.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | | high
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | Avira URL Cloud: safe | unknown
https://ssl.ptlogin2.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
http://ptlogin2.qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | | high
http://ptlogin2.qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
http://qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | Avira URL Cloud: safe | unknown
https://localhost.ptlogin2.qq.com:4301%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.3793791266.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793864038.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | | high
http://qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | loaddll32.exe, 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, V6bBcEdp5a.dll | false | Avira URL Cloud: safe | unknown
                                      No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557663
Start date and time: 2024-11-18 14:19:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: V6bBcEdp5a.dll (renamed because original name is a hash value)
Original Sample Name: 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 272
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: V6bBcEdp5a.dll
                                      No simulations
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | PD5dVJNpz7.dll | malicious | GhostRat, Mimikatz, Nitol | 13.107.246.45
 | file.exe | malicious | LummaC | 13.107.246.45
 | emes.bat | malicious | Unknown | 13.107.246.45
 | PO 20495088.exe | malicious | FormBook | 13.107.246.45
 | ajbKFgQ0Fl.exe | malicious | Unknown | 13.107.246.45
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 13.107.246.45
 | 31464142153188329643.js | malicious | Strela Downloader | 13.107.246.45
 | PO-000041492.exe | malicious | FormBook | 13.107.246.45
 | file.exe | malicious | LummaC | 13.107.246.45
 | http://login.nojustgive.com/ueAQYUzz | malicious | HTMLPhisher | 13.107.246.45
                                      No context
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\Public\Documents\MM\svchos1.exe | l10U7QN0CY.dll | malicious | GhostRat, Mimikatz, Nitol |
 | KlzXRW4Ag7.dll | malicious | GhostRat, Mimikatz, Nitol |
 | ZfJheGhddq.dll | malicious | GhostRat, Mimikatz, Nitol |
 | PD5dVJNpz7.dll | malicious | GhostRat, Mimikatz, Nitol |
 | 7YtmCkMUx3.dll | malicious | GhostRat, Mimikatz, Nitol |
 | tROeAyXq2X.exe | malicious | Mimikatz, RunningRAT |
 | me.exe | malicious | RunningRAT |
 | gE4NVCZDRk.exe | malicious | Bdaejec, RunningRAT |
 | uHmFQqHIIA.exe | malicious | RunningRAT |
 | ofR1Hd4NPM.exe | malicious | RunningRAT |
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 61440
Entropy (8bit): 6.199746098562656
Encrypted: false
SSDEEP: 1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
MD5: 889B99C52A60DD49227C5E485A016679
SHA1: 8FA889E456AA646A4D0A4349977430CE5FA5E2D7
SHA-256: 6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
SHA-512: 08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: l10U7QN0CY.dll, Detection: malicious
• Filename: KlzXRW4Ag7.dll, Detection: malicious
• Filename: ZfJheGhddq.dll, Detection: malicious
• Filename: PD5dVJNpz7.dll, Detection: malicious
• Filename: 7YtmCkMUx3.dll, Detection: malicious
• Filename: tROeAyXq2X.exe, Detection: malicious
• Filename: me.exe, Detection: malicious
• Filename: gE4NVCZDRk.exe, Detection: malicious
• Filename: uHmFQqHIIA.exe, Detection: malicious
• Filename: ofR1Hd4NPM.exe, Detection: malicious
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.333387235751796
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: V6bBcEdp5a.dll
File size: 1'269'760 bytes
MD5: 791a88d0cafa95f8fa4a548f242f032a
SHA1: ea872c3ecd14e55ec4b013278aed286b0da9e1ed
SHA256: 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
SHA512: ef6357e33a2c0962b66485d03f51bcab1456eb3985113c074ad5524dab98e8cdd82fba0f281ca3b7f3f2d71f274cd65b797c0c66f4c33bdae8b60b4a8293355c
SSDEEP: 24576:wTuZCN0qRwoDFGMmtci8l8cq1PXv0uM5GrkQPXHMtR1tD1bqtT6RqK0Xcda:PgZrLsT6a
TLSH: C9455B43E2764CA3D7D80034DC6AE7B677347A1C97F786737280EDDAB5A22907D2421A
                                                          File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........q!_..r_..r_..r...r^..ri..rY..rx.dr]..r../re..r_..r...r0..r^..r0..r[..r0..r[..r$..rX..r...rX..ri..r]..ri..r]..r..@r[..r..Br@..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1002d3fb
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x67289D35 [Mon Nov 4 10:08:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6718574bfa82ab04bcaf82fa9136fc6c
                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          push ebx
                                                          mov ebx, dword ptr [ebp+08h]
                                                          push esi
                                                          mov esi, dword ptr [ebp+0Ch]
                                                          push edi
                                                          mov edi, dword ptr [ebp+10h]
                                                          test esi, esi
                                                          jne 00007F781CDD674Bh
                                                          cmp dword ptr [1012F324h], 00000000h
                                                          jmp 00007F781CDD6768h
                                                          cmp esi, 01h
                                                          je 00007F781CDD6747h
                                                          cmp esi, 02h
                                                          jne 00007F781CDD6764h
                                                          mov eax, dword ptr [10158750h]
                                                          test eax, eax
                                                          je 00007F781CDD674Bh
                                                          push edi
                                                          push esi
                                                          push ebx
                                                          call eax
                                                          test eax, eax
                                                          je 00007F781CDD674Eh
                                                          push edi
                                                          push esi
                                                          push ebx
                                                          call 00007F781CDD665Ah
                                                          test eax, eax
                                                          jne 00007F781CDD6746h
                                                          xor eax, eax
                                                          jmp 00007F781CDD6790h
                                                          push edi
                                                          push esi
                                                          push ebx
                                                          call 00007F781CDCA8BAh
                                                          cmp esi, 01h
                                                          mov dword ptr [ebp+0Ch], eax
                                                          jne 00007F781CDD674Eh
                                                          test eax, eax
                                                          jne 00007F781CDD6779h
                                                          push edi
                                                          push eax
                                                          push ebx
                                                          call 00007F781CDD6636h
                                                          test esi, esi
                                                          je 00007F781CDD6747h
                                                          cmp esi, 03h
                                                          jne 00007F781CDD6768h
                                                          push edi
                                                          push esi
                                                          push ebx
                                                          call 00007F781CDD6625h
                                                          test eax, eax
                                                          jne 00007F781CDD6745h
                                                          and dword ptr [ebp+0Ch], eax
                                                          cmp dword ptr [ebp+0Ch], 00000000h
                                                          je 00007F781CDD6753h
                                                          mov eax, dword ptr [10158750h]
                                                          test eax, eax
                                                          je 00007F781CDD674Ah
                                                          push edi
                                                          push esi
                                                          push ebx
                                                          call eax
                                                          mov dword ptr [ebp+0Ch], eax
                                                          mov eax, dword ptr [ebp+0Ch]
                                                          pop edi
                                                          pop esi
                                                          pop ebx
                                                          pop ebp
                                                          retn 000Ch
                                                          jmp dword ptr [100B7424h]
                                                          jmp dword ptr [100B7420h]
                                                          jmp dword ptr [100B7418h]
                                                          jmp dword ptr [100B73F4h]
                                                          jmp dword ptr [100B73BCh]
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          jmp dword ptr [00000000h]
                                                          Programming Language:
                                                          • [ C ] VS98 (6.0) SP6 build 8804
                                                          • [IMP] VS2005 build 50727
                                                          • [C++] VS98 (6.0) SP6 build 8804
                                                          • [ C ] VS98 (6.0) build 8168
                                                          • [C++] VS98 (6.0) build 8168
                                                          • [EXP] VC++ 6.0 SP5 build 8804
                                                          • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf9740 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7088 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x199000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19a000 | 0x66a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb7000 | 0x754 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x97e8a | 0x98000 | af7ec09dbe37e9423c919bc362ea7425 | False | 0.40285291169819076 | data | 6.77316314365638 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rodata | 0x99000 | 0x2e50 | 0x3000 | 0ca3681ca0d1b13e402ba8d29971b5f2 | False | 0.28173828125 | data | 6.052273401613891 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rotext | 0x9c000 | 0x1ae92 | 0x1b000 | 684c29f5d94727cf92e54d9ff913f402 | False | 0.14991138599537038 | data | 5.995820144881303 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb7000 | 0x42780 | 0x43000 | b49bbf8a504e6f99a601af2b8cfc8d03 | False | 0.09638453241604478 | data | 3.586096378480839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xfa000 | 0x9e8e0 | 0x32000 | 63c8378520af27cc0a246ab6a2444c7e | False | 0.29939453125 | data | 5.522806327162376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x199000 | 0x10 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19a000 | 0x805a | 0x9000 | cde4ede8a458d08b4c9bac807cccadd4 | False | 0.5585666232638888 | data | 5.564515763826153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | Process32First, GetSystemDirectoryA, TerminateProcess, OpenProcess, ExitProcess, GetVersion, DeviceIoControl, Beep, GetVersionExA, GetModuleFileNameA, WinExec, TerminateThread, GetTickCount, GetCommandLineA, FreeConsole, GetCurrentProcessId, GetConsoleProcessList, AttachConsole, GetWindowsDirectoryA, WideCharToMultiByte, MultiByteToWideChar, GlobalSize, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryW, GlobalMemoryStatusEx, GetDriveTypeA, ReleaseMutex, CreateMutexA, GetCurrentThread, GetEnvironmentVariableA, GetCurrentThreadId, CreatePipe, CopyFileA, lstrcpyW, Module32Next, lstrcmpiA, Module32First, CreateRemoteThread, GetProcessId, ResumeThread, OpenThread, Thread32Next, Thread32First, SuspendThread, Process32Next, GlobalMemoryStatus, GetComputerNameA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, lstrcpynA, lstrcmpA, lstrcatA, CreateProcessA, GetProcAddress, lstrcpyA, CreateDirectoryA, GetLastError, DeleteFileA, GetCurrentProcess, IsWow64Process, SetFilePointer, WriteFile, CreateFileA, GetFileSize, ReadFile, lstrlenA, FreeLibrary, IsBadReadPtr, VirtualProtect, HeapReAlloc, HeapAlloc, GetProcessHeap, HeapFree, CancelIo, SetEvent, ResetEvent, CreateEventA, LocalAlloc, LocalReAlloc, LocalSize, LocalFree, Sleep, GetFileAttributesA, GetModuleHandleA, GetLocalTime, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateThread, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, InterlockedExchange, CreateToolhelp32Snapshot, GetFileAttributesExA, FileTimeToSystemTime, MoveFileA, SetFileAttributesA, RemoveDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetLogicalDriveStringsA, GetVolumeInformationA, GetPriorityClass, GetDiskFreeSpaceExA, WaitForSingleObject, CloseHandle, LoadLibraryA, GetSystemInfo
USER32.dll | SetRect, GetCursorPos, GetCursorInfo, PostMessageA, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, SystemParametersInfoA, ReleaseDC, BlockInput, DestroyCursor, LoadCursorA, GetDC, GetSystemMetrics, ChangeDisplaySettingsA, FindWindowA, ShowWindow, MoveWindow, GetWindowRect, SwapMouseButton, ExitWindowsEx, EnumWindows, GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA, CharNextA, GetDesktopWindow, wsprintfA, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, GetWindowLongA, PostQuitMessage, SetWindowLongA, LoadIconA, SetClassLongA, DestroyWindow, SetFocus, GetWindowTextLengthA, SetWindowTextA, SetDlgItemTextA, CreateDialogIndirectParamA, GetDlgItem, SetWindowPos, OpenInputDesktop, GetDlgItemTextA, CloseDesktop, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, GetWindowThreadProcessId, WaitForInputIdle, GetClassNameA, GetWindow, GetLastInputInfo, IsIconic, MessageBoxA, IsWindowVisible, GetMessageA, IsDialogMessageA, TranslateMessage, SendMessageA, DispatchMessageA
GDI32.dll | GetDeviceCaps, CreateDIBSection, CreateCompatibleDC, DeleteObject, DeleteDC, BitBlt, GetRegionData, CombineRgn, CreateRectRgnIndirect, GetDIBits, CreateCompatibleBitmap, SelectObject
ADVAPI32.dll | RegOpenKeyA, GetTokenInformation, LookupAccountSidA, AbortSystemShutdownA, RegCloseKey, RegOpenKeyExA, GetUserNameA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegSetValueExA, RegCreateKeyA, StartServiceA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, SetServiceStatus, DeleteService, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AllocateAndInitializeSid, RegEnumValueA, RegEnumKeyExA, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegCreateKeyExA, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, ControlService, QueryServiceStatus, QueryServiceConfig2A, QueryServiceConfigA, EnumServicesStatusA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CheckTokenMembership
SHELL32.dll | ShellExecuteExA, SHGetFolderPathA, SHGetSpecialFolderPathA, SHGetFileInfoA, ShellExecuteA
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize
OLEAUT32.dll | SysFreeString
MFC42.DLL |
MSVCRT.dll | _adjust_fdiv, _initterm, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _snprintf, swprintf, _splitpath, strncpy, atol, strncat, realloc, fgets, srand, time, isdigit, _iob, _access, wcstombs, mbstowcs, _errno, _wcsupr, _strcmpi, _itoa, _strnicmp, fprintf, sscanf, getenv, vsprintf, exit, __CxxFrameHandler, memmove, ceil, _ftol, strstr, wcslen, wcscpy, sprintf, printf, fclose, fopen, remove, atoi, free, malloc, strncmp, _CIpow, floor, strchr, tolower, _CxxThrowException, _stricmp, _except_handler3, strrchr, _strlwr, wcsstr, rand, system
MSVCP60.dll | ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?_Xlen@std@@YAXXZ, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ
                                                          WINMM.dllmciSendStringA, waveInGetNumDevs
                                                          WS2_32.dllgethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
                                                          iphlpapi.dllGetIfTable
                                                          dwmapi.dllDwmIsCompositionEnabled
                                                          SHLWAPI.dllPathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
                                                          WININET.dllInternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
                                                          NETAPI32.dllNetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
                                                          PSAPI.DLLGetProcessMemoryInfo, GetModuleFileNameExA
                                                          WTSAPI32.dllWTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
                                                          Name | Ordinal | Address
                                                          Shellex | 1 | 0x1001f0e0
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Nov 18, 2024 14:20:07.480741978 CET | 1.1.1.1 | 192.168.2.11 | 0x4fea | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                          Nov 18, 2024 14:20:07.480741978 CET | 1.1.1.1 | 192.168.2.11 | 0x4fea | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false

                                                          Target ID:0
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\loaddll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll"
                                                          Imagebase:0x820000
                                                          File size:126'464 bytes
                                                          MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:1
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:2
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
                                                          Imagebase:0xc30000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:3
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\V6bBcEdp5a.dll,Shellex
                                                          Imagebase:0x530000
                                                          File size:61'440 bytes
                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000002.3793827246.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:4
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\V6bBcEdp5a.dll",#1
                                                          Imagebase:0x530000
                                                          File size:61'440 bytes
                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000004.00000002.3793901949.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                          Imagebase:0xc30000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                          Imagebase:0xc30000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                          Imagebase:0xc30000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                          Imagebase:0xc30000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:08:20:10
                                                          Start date:18/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:50.4%
                                                            Total number of Nodes:244
                                                            Total number of Limit Nodes:11

                                                            Control-flow Graph

                                                            Rendered graph for 1001f0e0-1001ffe2 (executed and not-executed blocks are colour-coded in the report; the edge listing is not reproduced). The entry block runs #823, eleven lstrcpyA copies of configuration strings and eleven calls to 1001b770 (the GetModuleHandleA/LoadLibraryA/GetProcAddress resolver), then GetCurrentThreadId, PostThreadMessageA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetCommandLineA and CreateMutexA. GetLastError is checked after the mutex and the command line is tested with strstr. One path loops on Sleep and 1001f0a0 (WaitForSingleObject, CloseHandle); one opens the SCM (OpenSCManagerA, OpenServiceA, StartServiceA, CloseServiceHandle) and calls ExitProcess; the remaining paths write through 1001e550 (CreateFileA, GetLocalTime, sprintf) or run sprintf, GetModuleFileNameA, Sleep and 1001e910 before ExitProcess.
                                                            APIs
                                                            • #823.MFC42(00000849), ref: 1001F0EF
                                                            • lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F116
                                                            • lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F124
                                                            • lstrcpyA.KERNEL32(Default,00000260), ref: 1001F132
                                                            • lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F140
                                                            • lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F14E
                                                            • lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F15C
                                                            • lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F16A
                                                            • lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F178
                                                            • lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F186
                                                            • lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F194
                                                            • lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F1A2
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • GetCurrentThreadId.KERNEL32 ref: 1001FA5E
                                                            • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001FA65
                                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001FA83
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001FA97
                                                            • GetCommandLineA.KERNEL32 ref: 1001FAC1
                                                            • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FB53
                                                            • GetLastError.KERNEL32 ref: 1001FB62
                                                            • strstr.MSVCRT ref: 1001FC0A
                                                            • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001FC1F
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FC69
                                                            • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001FC7D
                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FC92
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FC9F
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FCA2
                                                            • ExitProcess.KERNEL32 ref: 1001FCAA
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FCB0
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FCB3
                                                            • ExitProcess.KERNEL32 ref: 1001FD4A
                                                            • sprintf.MSVCRT ref: 1001FD15
                                                              • Part of subcall function 1001E550: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E594
                                                              • Part of subcall function 1001E550: GetLocalTime.KERNEL32(?), ref: 1001E5DE
                                                              • Part of subcall function 1001E550: sprintf.MSVCRT ref: 1001E6A9
                                                            • Sleep.KERNEL32(00000032), ref: 1001FCBD
                                                              • Part of subcall function 1001F0A0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,756F0F00,1001FFD4), ref: 1001F0BF
                                                              • Part of subcall function 1001F0A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,756F0F00,1001FFD4,?,?,?,?,?,?,?,?), ref: 1001F0C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$HandleService$Close$CreateDescriptorExitOpenProcessSecuritySleepThreadsprintf$#823AddressCommandCurrentDaclErrorFileInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                            • String ID: -acsi$%$%$%$%$%$%$.$.$1.0$2$2$2$2$27.124.13.32$3$3$A$A$A$A$A$A$A$A$A$A$A$A$A$A$C$C$D$D$D$D$Default$E$E$E$E$F$F$F$F$G$G$G$G$Global\$I$I$K$L$L$M$M$N$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$a$a$b$b$c$c$c$c$c$d$d$d$g$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$y
                                                            • API String ID: 351596864-2051936253
                                                            • Opcode ID: 2dd4eb9a7defbc3dcb3db94aa8b7f5db89628b6d3e7050dfb304bf29b7975c34
                                                            • Instruction ID: 4e8b3251316168863d52aa18943a29d91bf72b1253dd9a464b334baa2e83e2f0
                                                            • Opcode Fuzzy Hash: 2dd4eb9a7defbc3dcb3db94aa8b7f5db89628b6d3e7050dfb304bf29b7975c34
                                                            • Instruction Fuzzy Hash: C582067050C3C0DDE332C7688848BDFBED5ABA6348F48499DE5CC4A292D7BA5648C767

                                                            Control-flow Graph

                                                            Rendered graph for 10014700-10014c53 (edge listing not reproduced). The entry block resolves RegOpenKeyExA from ADVAPI32.dll with LoadLibraryA/GetProcAddress, allocates two MFC strings (#823) and opens the key with RegOpenKeyExA. The body dispatches between RegQueryValueExA, RegEnumKeyExA and RegEnumValueA, formats each entry with wsprintfA (one case runs a strncat/strchr loop) and appends it with lstrcatA. Both exits go through 10014c12 (RegCloseKey) and free the strings (#825).
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • #823.MFC42(?), ref: 10014763
                                                            • #823.MFC42(?,?), ref: 100147DA
                                                            • RegOpenKeyExA.KERNELBASE(00000000,1011EF78,00000000,00020019,?), ref: 1001487A
                                                              • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                              • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                            • #825.MFC42(?), ref: 10014C2F
                                                            • #825.MFC42(?,?), ref: 10014C38
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823#825Close$AddressLibraryLoadOpenProc
                                                            • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                            • API String ID: 625772149-2764046103
                                                            • Opcode ID: 4133c4f4f15c64b6c9d972cecb1957ee3bcdb3e57f1d368b49fe8847f57cc593
                                                            • Instruction ID: 24a7339e9948cfc4d48edfd2d1620221f1ec2b9cdc344b943e2bdb8f2b2ec3b3
                                                            • Opcode Fuzzy Hash: 4133c4f4f15c64b6c9d972cecb1957ee3bcdb3e57f1d368b49fe8847f57cc593
                                                            • Instruction Fuzzy Hash: 6DE1B0B29005189BDB14CFA8CC84AEFB7B9FB88310F514359F61AA72D0DB759E45CB90

                                                            Control-flow Graph

                                                            APIs
                                                            • _access.MSVCRT ref: 1002152D
                                                              • Part of subcall function 10020AE0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020B20
                                                              • Part of subcall function 10020AE0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020B35
                                                              • Part of subcall function 10020AE0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020B40
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021559
                                                            • ShellExecuteExA.SHELL32(?), ref: 100215A1
                                                            • GetLastError.KERNEL32 ref: 100215A7
                                                            • exit.MSVCRT ref: 100215B1
                                                            • _access.MSVCRT ref: 100215E0
                                                            • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100215FD
                                                            • _access.MSVCRT ref: 10021606
                                                            • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021617
                                                            • Sleep.KERNEL32(000003E8), ref: 1002161E
                                                            • _access.MSVCRT ref: 10021627
                                                            • Sleep.KERNELBASE(000001F4,?,?), ref: 10021636
                                                            • CreateThread.KERNELBASE(00000000,00000000,100210E0,00000000,00000000,00000000), ref: 10021652
                                                            • CloseHandle.KERNELBASE(00000000), ref: 1002165F
                                                            • CreateThread.KERNELBASE(00000000,00000000,100212D0,00000000,00000000,00000000), ref: 10021670
                                                            • CloseHandle.KERNEL32(00000000), ref: 10021677
                                                            • Shellex.V6BBCEDP5A ref: 1002168D
                                                              • Part of subcall function 1001F0E0: #823.MFC42(00000849), ref: 1001F0EF
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F116
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F124
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(Default,00000260), ref: 1001F132
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F140
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F14E
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F15C
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F16A
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F178
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F186
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F194
                                                              • Part of subcall function 1001F0E0: lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F1A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$_access$CloseCreateExecHandleSleepThread$#823AllocateCheckErrorExecuteFileFreeInitializeLastMembershipModuleNameShellShellexTokenexit
                                                            • String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos1.exe$cmd /c md C:\Users\Public\Documents\MM$runas
                                                            • API String ID: 2771109159-2199693279
                                                            • Opcode ID: d571d876b650c3cb604162188e5b65d9a00b1d8a4173b81b52730122668667ad
                                                            • Instruction ID: dcf021e4510599ad8349171637a00e82fc76a9b8c040963ff91125e01494d7e7
                                                            • Opcode Fuzzy Hash: d571d876b650c3cb604162188e5b65d9a00b1d8a4173b81b52730122668667ad
                                                            • Instruction Fuzzy Hash: 40313B35644315A7F610DB74AC85FCE36D8EF907A0F540625F618EB1D0DBB4A88446AA

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                              • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                              • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                              • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001ACDC
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AD1A
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AD2A
                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AD3A
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AD41
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AD48
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                            • String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                            • API String ID: 1069036285-2757848780
                                                            • Opcode ID: f2886bd663cfb32a64b8d077d3e314f1957a359bb1f216bc29f7e393bff47dce
                                                            • Instruction ID: caa7bc75aa0286857d8f55b8e12f87377281d3afcd22e6eb6a07e32e81a18761
                                                            • Opcode Fuzzy Hash: f2886bd663cfb32a64b8d077d3e314f1957a359bb1f216bc29f7e393bff47dce
                                                            • Instruction Fuzzy Hash: 1B31B831108790AFE311CB28CC54B9BBBD9EBC9704F040A1CFA99572D1D776AA04CB66
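The host and network observables in this report are concentrated in three routines: the WinExec of `cmd /c md C:\Users\Public\Documents\MM` and the `C:\Users\Public\Documents\MM\svchos1.exe` drop in 10021520, the read of `C:\ProgramData\Microsoft Drive\Mark.sys` in the routine directly above, and the IPv4 literal `27.124.13.32` copied with lstrcpyA in 1001f0e0. The script below is an added example (not code from the sample or from Joe Sandbox) that runs those indicators over constructed Sysmon-style JSON records. The record layout, field names and triage thresholds are assumptions. One caveat worth building in: Mark.sys is opened with GENERIC_READ and OPEN_EXISTING, which Sysmon does not record, so that rule is left event-agnostic and only fires on telemetry that logs file reads.

```python
"""Hunt for the staging artefacts this report documents in process, file and
network telemetry.

Added example; the records below are constructed to look like Sysmon-style
events and are not taken from the report."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    event: Optional[str]       # event type the rule is limited to; None = any event
    fields: Tuple[str, ...]    # record fields the pattern is applied to
    pattern: "re.Pattern"


def path_pattern(path: str) -> "re.Pattern":
    """Anchor a literal Windows path, ignoring case and accepting either slash."""
    body = re.escape(path).replace(r"\\", r"[\\/]")
    return re.compile(r"(?:^|[\s\"'])" + body + r"(?:$|[\s\"'])", re.IGNORECASE)


# Indicators taken from the strings and API arguments in the report.
RULES = [
    # WinExec("cmd /c md C:\Users\Public\Documents\MM") creates the staging directory.
    Rule("staging_dir_mkdir", "ProcessCreate", ("CommandLine",),
         re.compile(r"\bcmd(?:\.exe)?\s+/c\s+md\s+C:[\\/]Users[\\/]Public[\\/]Documents[\\/]MM\b",
                    re.IGNORECASE)),
    # Payload dropped into that directory.
    Rule("dropped_svchos1", "FileCreate", ("TargetFilename",),
         path_pattern(r"C:\Users\Public\Documents\MM\svchos1.exe")),
    # Mark.sys is opened with GENERIC_READ/OPEN_EXISTING, which Sysmon does not
    # record, so this rule is not tied to one event type or field name.
    Rule("mark_sys_touched", None, ("TargetFilename", "Path"),
         path_pattern(r"C:\ProgramData\Microsoft Drive\Mark.sys")),
    # IPv4 literal copied into the configuration block by lstrcpyA.
    Rule("hardcoded_ipv4", "NetworkConnect", ("DestinationIp",),
         re.compile(r"^27\.124\.13\.32$")),
]


def hunt(records: Iterable[dict]) -> List[dict]:
    """Return one hit per (record, rule) pair that matches, in record order."""
    hits = []
    for rec in records:
        for rule in RULES:
            if rule.event is not None and rec.get("Event") != rule.event:
                continue
            for field in rule.fields:
                value = rec.get(field)
                if isinstance(value, str) and rule.pattern.search(value):
                    hits.append({"rule": rule.name, "RecordId": rec.get("RecordId"),
                                 "value": value})
                    break
    return hits


def hunt_jsonl(text: str) -> List[dict]:
    """Run the rules over newline-delimited JSON records."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


def triage(hits: List[dict]) -> str:
    """'match' when the dropped file or two distinct indicators are seen,
    'weak' for a single softer indicator, 'none' otherwise (assumed thresholds)."""
    names = {h["rule"] for h in hits}
    if "dropped_svchos1" in names or len(names) >= 2:
        return "match"
    return "weak" if names else "none"


# Constructed telemetry: four records that should fire, two that should not.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"RecordId": 1, "Event": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c md C:\\Users\\Public\\Documents\\MM"},
    {"RecordId": 2, "Event": "FileCreate",
     "TargetFilename": "C:\\Users\\Public\\Documents\\MM\\svchos1.exe"},
    {"RecordId": 3, "Event": "FileRead",
     "Path": "c:/programdata/microsoft drive/mark.sys"},
    {"RecordId": 4, "Event": "NetworkConnect", "DestinationIp": "27.124.13.32"},
    {"RecordId": 5, "Event": "ProcessCreate",
     "CommandLine": "cmd /c md C:\\Users\\Public\\Documents\\Reports"},
    {"RecordId": 6, "Event": "NetworkConnect", "DestinationIp": "127.124.13.32"},
])

if __name__ == "__main__":
    found = hunt_jsonl(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(triage(found))
```

The path rule anchors on whitespace or quotes rather than on word boundaries so that a path embedded in a longer command line still matches, while the IPv4 rule is fully anchored so a longer address such as 127.124.13.32 does not.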

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 10021520: _access.MSVCRT ref: 1002152D
                                                            • _access.MSVCRT ref: 100215E0
                                                            • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100215FD
                                                            • _access.MSVCRT ref: 10021606
                                                            • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021617
                                                            • Sleep.KERNEL32(000003E8), ref: 1002161E
                                                            • _access.MSVCRT ref: 10021627
                                                            • Sleep.KERNELBASE(000001F4,?,?), ref: 10021636
                                                            • CreateThread.KERNELBASE(00000000,00000000,100210E0,00000000,00000000,00000000), ref: 10021652
                                                            • CloseHandle.KERNELBASE(00000000), ref: 1002165F
                                                            • CreateThread.KERNELBASE(00000000,00000000,100212D0,00000000,00000000,00000000), ref: 10021670
                                                            • CloseHandle.KERNEL32(00000000), ref: 10021677
                                                            • Shellex.V6BBCEDP5A ref: 1002168D
                                                            Strings
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _access$CloseCreateExecHandleSleepThread$Shellex
                                                            • String ID: 27.124.13.32$C:\Users\Public\Documents\MM$cmd /c md C:\Users\Public\Documents\MM
                                                            • API String ID: 4276510029-3007588180
                                                            • Opcode ID: 915d578814b6e1bd4b31ec5624d578f134cb8e3f2c07305419ffbecf95d4171d
                                                            • Instruction ID: 666a892aae84748c2737e958c10b529db38c094634e6a6d2600fa7cc03f8274c
                                                            • Opcode Fuzzy Hash: 915d578814b6e1bd4b31ec5624d578f134cb8e3f2c07305419ffbecf95d4171d
                                                            • Instruction Fuzzy Hash: 7D11CD39B4431572F520E7756C86FDE2544DBA0BA0F690621F718BF1C1D9B4B85046AD


                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,756F0F00,0000005C,00000000,00000000,756F0F00,1001FFD4), ref: 1002BEEE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002BEF7
                                                            • CreateThread.KERNELBASE(?,?,1002BDC0,?,?,?), ref: 1002BF25
                                                            • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BF37
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002BF3A
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1002BF4A
                                                            Strings
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                            • String ID: CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                            • API String ID: 2992130774-1666596002
                                                            • Opcode ID: 5cc20ad358ec6c0b34c48e261fc29896b30d79e8eb601533f72bbf0fb946c2db
                                                            • Instruction ID: 2f7f1958cf45ecebbb1571eb9cfd608bd723ce6ea317f808f5dd92d527c82be1
                                                            • Opcode Fuzzy Hash: 5cc20ad358ec6c0b34c48e261fc29896b30d79e8eb601533f72bbf0fb946c2db
                                                            • Instruction Fuzzy Hash: 751125756083556FD640DF688C84F9BBBE8EBCC350F544A0DF698D3351C674E9058BA2
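The two entries above are easier to reason about as one call sequence than as isolated API names: the routine at 100215xx runs `cmd /c md C:\Users\Public\Documents\MM` through WinExec, sleeps 0x3E8 and 0x1F4 ms, starts two threads at 100210E0 and 100212D0, and then calls back into the sample's own module (Shellex); the routine at 1002BExx resolves CreateEventA and WaitForSingleObject at run time through LoadLibraryA and GetProcAddress. The parser and rule set below is an added example written for this page, not Joe Sandbox tooling and not code from the sample. Its input is constructed by copying API lines from these two entries plus the GetModuleFileNameA/CopyFileA pair further down, so it also covers the self-copy routine; the rule names, the drop-directory list and the heuristic that reads export names out of the extra stack slots the sandbox prints after the real arguments are the author's own assumptions. It handles the three line shapes the report uses (arguments in parentheses, a bare `ref:` with no arguments, and the `Part of subcall function` prefix).

```python
"""Parse Joe Sandbox "APIs" entries and flag the behaviours seen in this report.

Added example for this page; not Joe Sandbox tooling and not code from the sample.
SAMPLE_TRACE is constructed by copying API lines from the report entries.
Rule names, DROP_ROOTS and the export-name heuristic are the author's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One entry per line: "[• ][Part of subcall function ADDR: ]API.MODULE[(args)], ref: ADDR"
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>[^(\s,]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PATH_RE = re.compile(r'[A-Za-z]:\\[^,\s"]+')          # Windows paths inside argument text
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{3,}$")  # looks like an export name
SHELL_APIS = {"WinExec", "ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW"}
DROP_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\")  # world-writable drop locations (assumption)

# Constructed input: lines copied from the report entries for 100215xx, 1002BExx and 10021040.
SAMPLE_TRACE = r"""
• Part of subcall function 10021520: _access.MSVCRT ref: 1002152D
• _access.MSVCRT ref: 100215E0
• WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100215FD
• Sleep.KERNEL32(000003E8), ref: 1002161E
• Sleep.KERNELBASE(000001F4,?,?), ref: 10021636
• CreateThread.KERNELBASE(00000000,00000000,100210E0,00000000,00000000,00000000), ref: 10021652
• CloseHandle.KERNELBASE(00000000), ref: 1002165F
• CreateThread.KERNELBASE(00000000,00000000,100212D0,00000000,00000000,00000000), ref: 10021670
• Shellex.V6BBCEDP5A ref: 1002168D
• LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,756F0F00,0000005C,00000000,00000000,756F0F00,1001FFD4), ref: 1002BEEE
• GetProcAddress.KERNEL32(00000000), ref: 1002BEF7
• LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BF37
• GetProcAddress.KERNEL32(00000000), ref: 1002BF3A
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10021052
• CopyFileA.KERNEL32(00000000,?,00000000), ref: 10021072
"""


@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: str                    # call-site address inside the sample
    subcall_of: Optional[str]   # set when reported as "Part of subcall function"


def parse_trace(text: str) -> list:
    """Turn report lines into Call records; headings such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def analyse(calls: list) -> dict:
    """Apply simple behaviour rules over the call sequence; findings keyed by rule name."""
    f = {"shell_command": [], "drop_path": [], "dynamic_api": [], "thread_start": [], "sleep_ms": 0}
    modname_ref = None
    for i, c in enumerate(calls):
        # A command shell is launched from the sample (here "cmd /c md <dir>").
        if c.api in SHELL_APIS and c.args and any(k in c.args[0].lower() for k in ("cmd /c", "cmd.exe")):
            f["shell_command"].append((c.ref, c.args[0]))
        # Any path argument that points into a world-writable drop directory.
        for p in PATH_RE.findall(",".join(c.args)):
            if p.lower().startswith(DROP_ROOTS) and p not in f["drop_path"]:
                f["drop_path"].append(p)
        # Dynamic import resolution. The export name is pulled from identifier-looking values
        # among the extra stack slots the sandbox prints after the real arguments, either on
        # LoadLibraryA/GetModuleHandleA when GetProcAddress follows, or on GetProcAddress itself.
        names = ()
        if c.api == "GetProcAddress":
            names = c.args[1:]
        elif c.api in ("LoadLibraryA", "GetModuleHandleA") and i + 1 < len(calls) \
                and calls[i + 1].api == "GetProcAddress":
            names = c.args[1:]
        for a in names:
            if IDENT_RE.match(a) and a not in f["dynamic_api"]:
                f["dynamic_api"].append(a)
        # Thread entry points handed to CreateThread (third argument).
        if c.api == "CreateThread" and len(c.args) >= 3:
            f["thread_start"].append(c.args[2])
        # Accumulated Sleep() delay, a cheap way to outlast a sandbox timeout.
        if c.api == "Sleep" and c.args and c.args[0] != "?":
            f["sleep_ms"] += int(c.args[0], 16)
        # GetModuleFileNameA followed later by CopyFileA: the process image is copied elsewhere.
        if c.api == "GetModuleFileNameA" and modname_ref is None:
            modname_ref = c.ref
        if c.api == "CopyFileA" and modname_ref is not None:
            f["self_copy"] = (modname_ref, c.ref)
    return f


if __name__ == "__main__":
    for rule, detail in analyse(parse_trace(SAMPLE_TRACE)).items():
        print(rule, detail)
```

The export-name heuristic only works because the sandbox logs stack slots beyond the documented argument count; on a trace from a different tool the name would have to come from the GetProcAddress argument alone, so treat `dynamic_api` as a hint to confirm in the disassembly rather than as a fact.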


                                                            APIs
                                                              • Part of subcall function 10021040: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10021052
                                                            • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCFA3D8,1011FA98,?,?,1002163D), ref: 1002109C
                                                            • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,1002163D), ref: 100210A3
                                                            • GetLastError.KERNEL32(?,?,1002163D), ref: 100210AF
                                                            • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCFA3D8,1011FA80,00000000,?,?,1002163D), ref: 100210C2
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP60(?,?,?,?,1002163D), ref: 100210CD
                                                            • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,?,?,1002163D), ref: 100210D4
                                                            Strings
                                                            • C:\Users\Public\Documents\MM\svchos1.exe, xrefs: 10021080
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastModuleNameV01@
                                                            • String ID: C:\Users\Public\Documents\MM\svchos1.exe
                                                            • API String ID: 481592904-2345221083
                                                            • Opcode ID: 803234aeedd0869d2a5824787570caa4ddb513799d10735a1832e5ef398044d0
                                                            • Instruction ID: 171150590332a1b39a14eecd42e10cfbe1af44de770b3671d20efd437686b589
                                                            • Opcode Fuzzy Hash: 803234aeedd0869d2a5824787570caa4ddb513799d10735a1832e5ef398044d0
                                                            • Instruction Fuzzy Hash: A4E030B9A003106BE74567F4AC8D9DA3698FE5450670C1A68FD0EE6161EA3992509711

                                                            Control-flow Graph

• Basic block 184: 10021040-1002105a (GetModuleFileNameA) → 185, 186
• Basic block 185: 10021063-1002107e (CopyFileA)
• Basic block 186: 1002105c-10021062
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10021052
                                                            • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10021072
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CopyModuleName
                                                            • String ID:
                                                            • API String ID: 4108865673-0
                                                            • Opcode ID: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                            • Instruction ID: 0dff065a44e2f82e2ec3e10545ee12bb9a49fe10faffa7e77db6faa8c149ff07
                                                            • Opcode Fuzzy Hash: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                            • Instruction Fuzzy Hash: 44E012F95042406BF314DB54DCC6FE632ACBB90B00F844918F79C851D0E6F59598C6A2
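A caveat worth carrying into triage of the copy routine above: GetModuleFileNameA is called with hModule = 0 (first argument 00000000), and with a NULL module handle the API returns the path of the process's main executable, not of the DLL that contains the call. In this run that is the sandbox's loaddll32 host (see the snapshot file name); on a real machine it is whatever process loaded the DLL. The file written to C:\Users\Public\Documents\MM\svchos1.exe therefore need not hash like this sample, and the triage below records the SHA-256 and the PE DLL characteristic bit of whatever it finds instead of assuming. This is an added example for this page, not Joe Sandbox tooling and not code from the sample. It assumes a drive-relative artifact list taken from the strings in this report (the MM directory, svchos1.exe and the Mark.sys path), takes any known hashes from the caller, and uses a constructed PE-shaped blob (`fake_pe`) so that the demo runs without the real files.

```python
"""Offline triage for the on-disk artifacts this report names.

Added example for this page; not Joe Sandbox tooling and not code from the sample.
ARTIFACTS are drive-relative forms of paths in the report; known_hashes is supplied
by the caller. fake_pe() builds a constructed PE-shaped blob for the demo only.
"""
import hashlib
import struct
import tempfile
from pathlib import Path

ARTIFACTS = [
    Path("Users/Public/Documents/MM"),               # directory made with "cmd /c md"
    Path("Users/Public/Documents/MM/svchos1.exe"),   # CopyFileA destination
    Path("ProgramData/Microsoft Drive/Mark.sys"),    # path in the 10000000 string table
]
IMAGE_FILE_DLL = 0x2000   # IMAGE_FILE_HEADER.Characteristics flag


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_is_dll(data: bytes):
    """True/False from the DLL characteristic bit, None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD (offset 18)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def triage(root: Path, known_hashes=frozenset()) -> list:
    """Inspect every artifact path under root (a mounted volume or extracted image)."""
    findings = []
    for rel in ARTIFACTS:
        p = root / rel
        if not p.exists():
            continue
        entry = {"path": str(rel)}
        if p.is_dir():
            entry["children"] = sorted(c.name for c in p.iterdir())
        else:
            data = p.read_bytes()
            entry["sha256"] = sha256_hex(data)
            entry["known_sample"] = entry["sha256"] in known_hashes
            entry["is_dll"] = pe_is_dll(data)   # a DLL bit set means the copy is not the host EXE
        findings.append(entry)
    return findings


def fake_pe(dll: bool) -> bytes:
    """Constructed: MZ stub, e_lfanew pointing at the PE signature, file header with Characteristics."""
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    blob = bytearray(0x40 + 24)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x40 + 4 + 18, chars)
    return bytes(blob)


def run_demo() -> list:
    """Lay out the artifacts in a temporary tree and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ARTIFACTS[0]).mkdir(parents=True)
        (root / ARTIFACTS[1]).write_bytes(fake_pe(dll=True))
        return triage(root, known_hashes={sha256_hex(fake_pe(dll=True))})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `triage` at the root of a mounted evidence volume and pass the sample hashes as `known_hashes`; a svchos1.exe whose `is_dll` is False and whose hash is unknown is consistent with the NULL-handle behaviour above and should be hashed and submitted as the dropper rather than dismissed as a copy of this DLL.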

                                                            Control-flow Graph

• Basic block 187: 10014c12-10014c27 (RegCloseKey × 2)
                                                            APIs
                                                            • RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                            • RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                            • Instruction ID: cb428774d1c23af65b3502e581b01568c295d1083760601ce9be51a3606d3d50
                                                            • Opcode Fuzzy Hash: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                            • Instruction Fuzzy Hash: 8BB09B759240389BDF54DB64DC449C937687B48200B050586B51CA3150C931AD808F90


                                                            APIs
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002065F
                                                            • _strnicmp.MSVCRT ref: 1002067D
                                                            • Sleep.KERNEL32(00000032), ref: 100206E0
                                                            • GetVersionExA.KERNEL32(00000094,00000000, -auto), ref: 1002074F
                                                            • GetLastError.KERNEL32 ref: 100207EB
                                                            Strings
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Module$AddressErrorFileHandleLastLibraryLoadNameProcSleepVersion_strnicmp
                                                            • String ID: -auto$.$2$2$3$A$A$A$A$A$A$A$A$A$ADVAPI32.dll$C$C$C$C$Chang$Chang$Clos$CopyFil$D$D$H$K$L$LockS$M$N$O$O$R$S$S$S$S$S$S$Sitbs$StartS$UnlockS$a$a$a$a$a$a$a$a$a$a$b$b$b$c$c$c$c$c$c$c$c$d$d$f$f$g$g$g$i$i$i$i$i$i$i$i$i$i$i$l$l$l$l$n$n$n$n$n$n$o$o$p$p$r$r$r$r$r$r$r$r$r$r$r$s$s$s$t$t$t$t$t$t$u$v$v$v$v$v$v$v$v
                                                            • API String ID: 2115429517-1919108152
                                                            • Opcode ID: 6dcb0c057d12bbb20c514b08599f3e04ade625de24d30f09e7c13b1d0cb5aef2
                                                            • Instruction ID: 3d1a6d662eb67cdc753b5c1d54141c47e5896dacc9fbe37dd0967271eab0f525
                                                            • Opcode Fuzzy Hash: 6dcb0c057d12bbb20c514b08599f3e04ade625de24d30f09e7c13b1d0cb5aef2
                                                            • Instruction Fuzzy Hash: 7442CF61D0D3D8D9EB22C76888587DDBFB55B22704F4841C9D18C7B283C7BA1A98CB76
                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A591
                                                            • LoadLibraryA.KERNEL32 ref: 1000A5A9
                                                            • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 1000A5C1
                                                            • GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 1000A5CB
                                                            • GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 1000A5E7
                                                            • GetProcessHeap.KERNEL32(00000001), ref: 1000A602
                                                            • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000AD8C
                                                            • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000ADAD
                                                            Strings
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: the same nine dump regions (10000000 through 1019A000) listed for the preceding entries
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
                                                            • String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$CLOSE_WAIT$FIN_WAIT1$FIN_WAIT2$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$LAST_ACK$TIME_WAIT$[TCP]$[UDP]$iphlpapi.dll$ou
                                                            • API String ID: 370057222-2158814116
                                                            • Opcode ID: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                            • Instruction ID: 6e119d95689cdedb8c029e20bccf6ffc7a8aa31c07b800779c780a86b0f0f42c
                                                            • Opcode Fuzzy Hash: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                            • Instruction Fuzzy Hash: 8CA2C1766083159FC324CF28CC449ABB7E5FBC9710F554A2DF94A93281DA74ED0ACB92
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32 ref: 1002A497
                                                            • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 1002A4C6
                                                            • RegCloseKey.ADVAPI32(?), ref: 1002A4D1
                                                            • GetSystemInfo.KERNEL32(?), ref: 1002A4DF
                                                            • wsprintfA.USER32 ref: 1002A508
                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 1002A661
                                                            • RegQueryValueExA.ADVAPI32(00000001,ProcessorNameString,00000000,?,?,00000043), ref: 1002A6AF
                                                            • RegCloseKey.ADVAPI32(?), ref: 1002A6FF
                                                            • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 1002A755
                                                              • Part of subcall function 1002A290: WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?,?,76078400,?), ref: 1002A2AF
                                                              • Part of subcall function 1002A290: WTSFreeMemory.WTSAPI32(?,00000000,000000FF,00000005,?,?,?,76078400,?), ref: 1002A2E0
                                                            • GetTickCount.KERNEL32 ref: 1002A76B
                                                            • wsprintfA.USER32 ref: 1002A7BB
                                                            • GetDC.USER32(00000000), ref: 1002A7C2
                                                            • GetDeviceCaps.GDI32(00000000,00000075), ref: 1002A7D3
                                                            • GetDeviceCaps.GDI32(00000000,00000076), ref: 1002A7D9
                                                            • wsprintfA.USER32 ref: 1002A7E9
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 1002A7F1
                                                            • wsprintfA.USER32 ref: 1002A815
                                                            • wsprintfA.USER32 ref: 1002A837
                                                            • wsprintfA.USER32 ref: 1002A850
                                                            • GetCommandLineA.KERNEL32 ref: 1002A855
                                                            • wsprintfA.USER32 ref: 1002A869
                                                            • GetUserNameA.ADVAPI32(?,?), ref: 1002A883
                                                            • wsprintfA.USER32 ref: 1002A917
                                                            • wsprintfA.USER32 ref: 1002A92F
                                                            • FindWindowA.USER32(?,00000000), ref: 1002A979
                                                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 1002A9DA
                                                            • GetWindow.USER32(00000000,00000002), ref: 1002AABA
                                                            • GetClassNameA.USER32(00000000,?,00000104), ref: 1002AACC
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002AAED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wsprintf$NameQueryWindow$CapsCloseDeviceMemoryOpenValue$ClassCommandComputerCountFindFreeGlobalInfoInformationLineReleaseSessionStatusSystemTextTickUser
                                                            • String ID: %d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                            • API String ID: 2087514681-3067132264
                                                            • Opcode ID: bff6f9d02cd81257b5ac4433a5015eb97b127c33cd2ac78625b5a1a44ccb90e8
                                                            • Instruction ID: 7a23e768d45fe75c92c8d85dde7d5b354e6c024761c1829fde58d10b9c37f8f5
                                                            • Opcode Fuzzy Hash: bff6f9d02cd81257b5ac4433a5015eb97b127c33cd2ac78625b5a1a44ccb90e8
                                                            • Instruction Fuzzy Hash: ED22D03050C7C19EE325C638C844B9BBFD5ABD2304F484A5DF6D94B282DBBA9948C767
                                                            APIs
                                                            • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 1001410A
                                                            • InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1001413A
                                                            • InternetCloseHandle.WININET(00000000), ref: 1001414B
                                                            Strings
                                                            • uin, xrefs: 10014658
                                                            • pt_local_token=, xrefs: 10014280
                                                            • GET, xrefs: 10014176, 10014416
                                                            • 0.9475416028552021, xrefs: 100143E7
                                                            • , xrefs: 10014100
                                                            • /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s, xrefs: 100143F3
                                                            • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10014082
                                                            • HTTP/1.1, xrefs: 10014170, 10014410
                                                            • groups, xrefs: 100146D3
                                                            • Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded, xrefs: 100140CB
                                                            • friends, xrefs: 100146B1
                                                            • Set-Cookie: , xrefs: 1001430E, 1001435F
                                                            • pt_local_tk=, xrefs: 100142B5
                                                            • localhost.ptlogin2.qq.com, xrefs: 100140E0
                                                            • Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10014456
                                                            • /cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23, xrefs: 100140B4
                                                            • xui.ptlogin2.qq.com, xrefs: 100140A2
                                                            • nickname, xrefs: 1001464D
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID: $/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23$/pt_get_uins?callback=ptui_getuins_CB&r=%s&%s$0.9475416028552021$Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded$GET$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$Set-Cookie: $friends$groups$localhost.ptlogin2.qq.com$nickname$pt_local_tk=$pt_local_token=$uin$xui.ptlogin2.qq.com
                                                            • API String ID: 1463438336-3428588184
                                                            • Opcode ID: c5f6f7a3bde1657489dd3ba119a5e3f01b417ce6ff59bf41bf2e7ef542e1469b
                                                            • Instruction ID: 45324ece928709d606b10ec0d31b24424de3fba34316f27e870c3e0c39bcde43
                                                            • Opcode Fuzzy Hash: c5f6f7a3bde1657489dd3ba119a5e3f01b417ce6ff59bf41bf2e7ef542e1469b
                                                            • Instruction Fuzzy Hash: 4E0259766043143BE310EA68DC85FEF73D9EBC4720F450A29FA05D7290EF79E90586A6
                                                            APIs
                                                            • GetVersionExA.KERNEL32(?), ref: 100288F3
                                                            • sprintf.MSVCRT ref: 100289AD
                                                            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000), ref: 100289F2
                                                            • RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,?), ref: 10028A3E
                                                            • RegCloseKey.ADVAPI32(?), ref: 10028A81
                                                            • FindWindowA.USER32(?,00000000), ref: 10028AF6
                                                            • GetWindowTextA.USER32(00000000,?,00000104), ref: 10028B51
                                                            • GetWindow.USER32(00000000,00000002), ref: 10028C2A
                                                            • GetClassNameA.USER32(00000000,?,00000104), ref: 10028C40
                                                            • GetTickCount.KERNEL32 ref: 10028C4E
                                                            • sprintf.MSVCRT ref: 10028C9D
                                                            • atol.MSVCRT ref: 10028CBD
                                                            • #825.MFC42(00000000,?,00000000,00000000,?,?,?,00000000), ref: 10028CC6
                                                            • atol.MSVCRT ref: 10028CD3
                                                            • #825.MFC42(00000000,?,00000000,00000000,?,?,?,00000000), ref: 10028CDC
                                                            • GetDriveTypeA.KERNEL32 ref: 10028D0D
                                                            • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 10028D28
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 10028D91
                                                            • wsprintfA.USER32 ref: 100290BB
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$#825Openatolsprintf$ClassCloseCountDiskDriveFindFreeManagerNameQuerySpaceTextTickTypeValueVersionwsprintf
                                                            • String ID: 2000$2003$2008$2008R2$2012$C$C$CTXOPConntion_Class$E$HARDWARE\DESCRIPTION\System\CentralProcessor\0$M$OpenSCManager Error!$OpenService Error!$P$ProcessorNameString$QueryServiceStatus Error!$RDP-Tcp$SYSTEM\CurrentControlSet\Control\Terminal Server$SeDebugPrivilege$ServiceDll$T$T$TermService$Vista$Win XP$Windows %s SP%d$Y$\$\$\$\$\$\termsrv_t.dll$c$c$fDenyTSConnections$i$i$l$m$m$n$n$o$o$s$s$termsrv_t$u$v$v
                                                            • API String ID: 3814848149-473206856
                                                            • Opcode ID: 4e5219facc70ffcfd69dbb24b9654b6021ef076914e6db4d0e611099ffbc90d2
                                                            • Instruction ID: d5affb2f378f7f48f32084ac2886711be22a318c8616ca35ee47803d47ffec2c
                                                            • Opcode Fuzzy Hash: 4e5219facc70ffcfd69dbb24b9654b6021ef076914e6db4d0e611099ffbc90d2
                                                            • Instruction Fuzzy Hash: 5F22163510D3C09FE321C7349C84BABBBD6EBD1354F890A6DF98997282D6B58948C763
                                                            APIs
                                                            • AttachConsole.KERNEL32(?), ref: 100101B3
                                                            • Sleep.KERNEL32(0000000A), ref: 100101BB
                                                            • AttachConsole.KERNEL32(?), ref: 100101C5
                                                            • GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
                                                            • #823.MFC42(00000000), ref: 100101E9
                                                            • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 100101F9
                                                            • GetCurrentProcessId.KERNEL32 ref: 10010203
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10010217
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001022D
                                                            • #825.MFC42(00000000), ref: 1001023E
                                                            • FreeConsole.KERNEL32 ref: 1001024C
                                                            • Sleep.KERNEL32(0000000A), ref: 10010254
                                                            • FreeConsole.KERNEL32 ref: 1001025A
                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 10010266
                                                            • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,1011F4E0,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 10010304
                                                            • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1001039A
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
                                                            • OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
                                                            • DeleteService.ADVAPI32(00000000), ref: 100103D0
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100103D7
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100103DA
                                                            • GetSystemDirectoryA.KERNEL32 ref: 1001049F
                                                            • lstrcatA.KERNEL32(?,?), ref: 100104B4
                                                            • DeleteFileA.KERNEL32(?), ref: 100104C4
                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10010509
                                                            • lstrcatA.KERNEL32(?,?), ref: 10010518
                                                            • DeleteFileA.KERNEL32(?), ref: 10010522
                                                            • LocalFree.KERNEL32(?), ref: 1001052A
                                                            • free.MSVCRT ref: 1001053D
                                                            • free.MSVCRT ref: 10010546
                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1001055D
                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 10010568
                                                            • IsWow64Process.KERNEL32(00000000), ref: 1001056F
                                                            • DeleteFileA.KERNEL32(?), ref: 1001060E
                                                            • SetServiceStatus.ADVAPI32(?,1012BB90), ref: 1001062D
                                                            • ExitProcess.KERNEL32 ref: 1001063A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                            • String ID: .$.$.sys$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                            • API String ID: 2905031204-766513331
                                                            • Opcode ID: 21b3ba8759b7e2711efdb82425f508f83cfdd9b2f334acf12d056091dbc3387b
                                                            • Instruction ID: 41eea96d368015e47528d99ae2b315a308153292a7c420bba54ca342134b389b
                                                            • Opcode Fuzzy Hash: 21b3ba8759b7e2711efdb82425f508f83cfdd9b2f334acf12d056091dbc3387b
                                                            • Instruction Fuzzy Hash: 5FD13435204354ABE310DB78CC84B9E7BD5EB84314F080A1DF689AB2D1DBB4ED44CBA6
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002998E
                                                            • LocalAlloc.KERNEL32 ref: 100299BC
                                                            • Process32First.KERNEL32(00000000,?), ref: 100299D8
                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?), ref: 100299FB
                                                            • GetPriorityClass.KERNEL32(00000000,?,00000000,?), ref: 10029A15
                                                            • sprintf.MSVCRT ref: 10029AB0
                                                            • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 10029ACD
                                                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 10029B1C
                                                            • malloc.MSVCRT ref: 10029B23
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$OpenToken$AllocClassCreateCurrentFirstInformationLocalPriorityProcess32SnapshotToolhelp32mallocsprintf
                                                            • String ID: %5u$%7u K$@$SeDebugPrivilege$\??\$\SystemRoot$\\?\
                                                            • API String ID: 629317925-4188095215
                                                            • Opcode ID: f7d28589d73e51d9039c59340857c8c43605b5a44f073b03500ab63adf55ddc4
                                                            • Instruction ID: b4ee66b884af877e7dd29cf5ab52b40ee9ef173f77909a2af70579b7cce8914c
                                                            • Opcode Fuzzy Hash: f7d28589d73e51d9039c59340857c8c43605b5a44f073b03500ab63adf55ddc4
                                                            • Instruction Fuzzy Hash: 2E0280712083459FD724CA64DC45BEBB7D6FBC4300F844E2DFA8A97281DBB4A909C792
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • LocalAlloc.KERNEL32(00000040,00000104), ref: 10019960
                                                            • OpenSCManagerA.ADVAPI32 ref: 10019977
                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199A3
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 100199AC
                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199CE
                                                            • OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 100199F4
                                                            • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10019A1A
                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A27
                                                            • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10019A3B
                                                            • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A55
                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A62
                                                            • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A7A
                                                            • lstrcatA.KERNEL32(?,100FBD1C), ref: 10019ADB
                                                            • lstrcatA.KERNEL32(?,100FBD14), ref: 10019B06
                                                            • lstrlenA.KERNEL32(00000040), ref: 10019B1C
                                                            • lstrlenA.KERNEL32(?), ref: 10019B24
                                                            • lstrlenA.KERNEL32 ref: 10019B2F
                                                            • lstrlenA.KERNEL32(?), ref: 10019B3B
                                                            • lstrlenA.KERNEL32(?), ref: 10019B44
                                                            • lstrlenA.KERNEL32(?), ref: 10019B4C
                                                            • LocalSize.KERNEL32(?), ref: 10019B5E
                                                            • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10019B70
                                                            • lstrlenA.KERNEL32(?), ref: 10019B7E
                                                            • lstrlenA.KERNEL32(?), ref: 10019B88
                                                            • lstrlenA.KERNEL32(?), ref: 10019BB1
                                                            • lstrlenA.KERNEL32(00000000), ref: 10019BC6
                                                            • lstrlenA.KERNEL32 ref: 10019BCF
                                                            • lstrlenA.KERNEL32(00000000), ref: 10019BFA
                                                            • lstrlenA.KERNEL32 ref: 10019C0B
                                                            • lstrlenA.KERNEL32(00000000), ref: 10019C14
                                                            • lstrlenA.KERNEL32(00000001), ref: 10019C3A
                                                            • lstrlenA.KERNEL32(?), ref: 10019C49
                                                            • lstrlenA.KERNEL32(?), ref: 10019C6B
                                                            • lstrlenA.KERNEL32(?), ref: 10019C81
                                                            • lstrlenA.KERNEL32(?), ref: 10019CA9
                                                            • lstrlenA.KERNEL32(?), ref: 10019CBB
                                                            • lstrlenA.KERNEL32(?), ref: 10019CC5
                                                            • lstrlenA.KERNEL32(?), ref: 10019CE9
                                                            • LocalFree.KERNEL32(?), ref: 10019CFE
                                                            • LocalFree.KERNEL32(00000000), ref: 10019D01
                                                            • CloseServiceHandle.ADVAPI32(?), ref: 10019D08
                                                            • LocalFree.KERNEL32(00000000), ref: 10019D3B
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10019D42
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10019D50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 19575313-2896544425
                                                            • Opcode ID: 38242c7c13ff67c510263dba52068ece5ca708ba98b2be41b2aa98ad4322edf5
                                                            • Instruction ID: 1b6acf446b8a198ed503ab5db616dbff0a76fe5583a22bec3877ff274e4e0add
                                                            • Opcode Fuzzy Hash: 38242c7c13ff67c510263dba52068ece5ca708ba98b2be41b2aa98ad4322edf5
                                                            • Instruction Fuzzy Hash: 37D12C75204306AFD714DF64CC84AABB7E9FBC8700F54491DFA46A7250DB74E909CBA2
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                            • LoadLibraryA.KERNEL32 ref: 100011B4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                            • #825.MFC42(?), ref: 100012C4
                                                            • #825.MFC42(00000000,?), ref: 100012CC
                                                            • #825.MFC42(?,00000000,?), ref: 100012D5
                                                            • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$#825
                                                            • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                            • API String ID: 345516743-2415744366
                                                            • Opcode ID: d76d22c8a8760c6e9ee11a80c6e987438e46669924afae741dc88bf4cd5d23b9
                                                            • Instruction ID: 925cffe9b3a83680f8116912593197527df537376f4302f175ad90e7ec9549ea
                                                            • Opcode Fuzzy Hash: d76d22c8a8760c6e9ee11a80c6e987438e46669924afae741dc88bf4cd5d23b9
                                                            • Instruction Fuzzy Hash: 255184B5904384ABCB10EF74CC88E5B7FD8EFC9350F450949FA8457206DA3AD845CBA1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strstr$Window$IconicTextVisible
                                                            • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                            • API String ID: 4234658395-3439171801
                                                            • Opcode ID: e623a672e69928f112b936f0dc565f73ad5264ec5079c914e85669c8bfa8b1e7
                                                            • Instruction ID: 539f7beab40fa47184e106acf44e39d51301954959b5286724bf3eda65b5e44c
                                                            • Opcode Fuzzy Hash: e623a672e69928f112b936f0dc565f73ad5264ec5079c914e85669c8bfa8b1e7
                                                            • Instruction Fuzzy Hash: B4518D75A0031667D614F6749DC0ACB36D8DF6458AF46483EF888D9040F739FA88DAE2
                                                            APIs
                                                            • GetVersionExA.KERNEL32 ref: 1001B39C
                                                              • Part of subcall function 1001AD60: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B3BF,?,?,?), ref: 1001AD69
                                                              • Part of subcall function 1001AD60: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AD7B
                                                              • Part of subcall function 1001AD60: FreeLibrary.KERNEL32(00000000), ref: 1001ADA5
                                                              • Part of subcall function 1001AA00: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AA9A
                                                              • Part of subcall function 1001AA00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAD4
                                                              • Part of subcall function 1001AA00: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAE4
                                                              • Part of subcall function 1001AA00: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAF4
                                                              • Part of subcall function 1001AA00: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAFB
                                                              • Part of subcall function 1001AA00: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AB08
                                                              • Part of subcall function 1001AA00: gethostname.WS2_32(?,?), ref: 1001AB10
                                                              • Part of subcall function 1001AA00: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AB17
                                                            • getsockname.WS2_32(?), ref: 1001B406
                                                            • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B473
                                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B494
                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B4DF
                                                            • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B4FA
                                                            • GetTickCount.KERNEL32 ref: 1001B5A6
                                                            • wsprintfA.USER32 ref: 1001B5C8
                                                            • wsprintfA.USER32 ref: 1001B5EF
                                                            • wsprintfA.USER32 ref: 1001B614
                                                            • wsprintfA.USER32 ref: 1001B63B
                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 1001B65C
                                                              • Part of subcall function 1001AB30: lstrlenA.KERNEL32(?,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001ABB6
                                                              • Part of subcall function 1001AB30: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001ABF3
                                                              • Part of subcall function 1001AB30: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC03
                                                              • Part of subcall function 1001AB30: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC13
                                                              • Part of subcall function 1001AB30: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC1A
                                                              • Part of subcall function 1001AB30: lstrlenA.KERNEL32(?,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC21
                                                            • lstrcpyA.KERNEL32(?,?,?,00000100), ref: 1001B6C9
                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 1001B6D9
                                                            • GetLastInputInfo.USER32(?), ref: 1001B6F3
                                                            • GetTickCount.KERNEL32 ref: 1001B6F9
                                                            • _access.MSVCRT ref: 1001B718
                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 1001B73B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$lstrlen$lstrcpywsprintf$CloseCountCreateFreeHandleInfoLibraryReadSizeTick$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersion_accessgethostnamegetsockname
                                                            • String ID: %$@$C:\ProgramData\jerrt.txt$D$Default$a$d$e$f$f$l$t$u
                                                            • API String ID: 429165215-739913618
                                                            • Opcode ID: d820c5c233de558a6bc542c796b179b98fbbd6f8fca1783c63ffe44303fce262
                                                            • Instruction ID: c19029de0e41b7c55456b872c9652fbadcc3c3e24a7d22fa168411d90e9be341
                                                            • Opcode Fuzzy Hash: d820c5c233de558a6bc542c796b179b98fbbd6f8fca1783c63ffe44303fce262
                                                            • Instruction Fuzzy Hash: 4AA1AE755083859FD724CB68CC84BDBBBE9EFC9304F048A1DF58987241EB75A648CB62
                                                            APIs
                                                            • Sleep.KERNEL32(00000BB8,?,?,?,?,?,10098D12,000000FF), ref: 1001D5D8
                                                            • sprintf.MSVCRT ref: 1001D5F7
                                                              • Part of subcall function 1001D590: GetFileAttributesA.KERNEL32(?,1001DAD8,?), ref: 1001D595
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001D650
                                                            • GetFileAttributesA.KERNEL32(?), ref: 1001D6A5
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001D6BB
                                                            • wsprintfA.USER32 ref: 1001D6E2
                                                            • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001D6F7
                                                            • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001D703
                                                            • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D711
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D718
                                                              • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                              • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                              • Part of subcall function 1001D4C0: time.MSVCRT(00000000,1001DD2C), ref: 1001D4C2
                                                              • Part of subcall function 1001D4C0: srand.MSVCRT ref: 1001D4C9
                                                              • Part of subcall function 1001D4A0: EnumWindows.USER32(1001D260,?), ref: 1001D4B0
                                                            • Sleep.KERNEL32(000003E8), ref: 1001D75B
                                                            • Sleep.KERNEL32(000186A0), ref: 1001D775
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D78F
                                                            • GetTickCount.KERNEL32 ref: 1001D791
                                                            • GetTickCount.KERNEL32 ref: 1001D7BC
                                                            • GetTickCount.KERNEL32 ref: 1001D801
                                                            • GetTickCount.KERNEL32 ref: 1001D845
                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D868
                                                            • GetTickCount.KERNEL32 ref: 1001D88B
                                                            • Sleep.KERNEL32(00000096,?,00000001), ref: 1001D8AA
                                                            • GetTickCount.KERNEL32 ref: 1001D8C7
                                                            • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D8D5
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D8EA
                                                            • #825.MFC42(?), ref: 1001D976
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$CountTick$Create$AttributesFileMutex$#825CloseD@2@@std@@D@std@@DirectoryEnumErrorEventGrow@?$basic_string@HandleLastObjectReleaseSingleStartupU?$char_traits@V?$allocator@WaitWindowssprintfsrandtimewsprintf
                                                            • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive1$MyService1$e
                                                            • API String ID: 287845118-1910566113
                                                            • Opcode ID: 13f07fec1d63f70fb2da0d14dfba9215e21c80c3b416401ec079d2edcda30487
                                                            • Instruction ID: 6fd2ca9f0e27d66c80dcc8f4a4f3c9b6be94d6753c76d16fba420dcd74b55e5f
                                                            • Opcode Fuzzy Hash: 13f07fec1d63f70fb2da0d14dfba9215e21c80c3b416401ec079d2edcda30487
                                                            • Instruction Fuzzy Hash: DAA1B0351083818FE320FF749C85B9AB7E4EB85744F44092DF9899B281EB75E949CB62
                                                            APIs
                                                              • Part of subcall function 1001D9A0: GetModuleFileNameA.KERNEL32 ref: 1001D9BD
                                                              • Part of subcall function 1001D9A0: strrchr.MSVCRT ref: 1001D9D3
                                                              • Part of subcall function 1001D9A0: strrchr.MSVCRT ref: 1001DA14
                                                              • Part of subcall function 1001D9A0: isdigit.MSVCRT ref: 1001DA4C
                                                              • Part of subcall function 1001D9A0: memmove.MSVCRT(?,?), ref: 1001DA6D
                                                            • CreateThread.KERNEL32(00000000,00000000,1001D5B0,00000000,00000000,00000000), ref: 1001DBB4
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,10098D42,000000FF), ref: 1001DBC4
                                                            • sprintf.MSVCRT ref: 1001DBE3
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001DC3C
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1001DC5F
                                                              • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                              • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                              • Part of subcall function 1001D4C0: time.MSVCRT(00000000,1001DD2C), ref: 1001D4C2
                                                              • Part of subcall function 1001D4C0: srand.MSVCRT ref: 1001D4C9
                                                            • GetFileAttributesA.KERNEL32(?), ref: 1001DC93
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001DCA9
                                                            • wsprintfA.USER32 ref: 1001DCD0
                                                            • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001DCE5
                                                            • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001DCF1
                                                            • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DCFF
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DD06
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD4A
                                                            • GetTickCount.KERNEL32 ref: 1001DD50
                                                            • GetTickCount.KERNEL32 ref: 1001DD77
                                                            • GetTickCount.KERNEL32 ref: 1001DDBC
                                                            • GetTickCount.KERNEL32 ref: 1001DE00
                                                            • GetTickCount.KERNEL32 ref: 1001DE1E
                                                            • Sleep.KERNEL32(00000064,?,00000001), ref: 1001DE3A
                                                            • GetTickCount.KERNEL32 ref: 1001DE56
                                                            • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DE64
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DE79
                                                            • #825.MFC42(?), ref: 1001DF22
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$Create$Sleep$CloseD@2@@std@@D@std@@FileHandleMutexU?$char_traits@V?$allocator@strrchr$#825AttributesDirectoryEos@?$basic_string@ErrorEventGrow@?$basic_string@LastModuleNameObjectReleaseSingleStartupThreadWaitisdigitmemmovesprintfsrandtimewsprintf
                                                            • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive$MyService$e
                                                            • API String ID: 4188121392-1841343700
                                                            • Opcode ID: 5b0f903761623340b2cdd6728d64e06a7f44e81221fa29a0f1398f845a44a018
                                                            • Instruction ID: bf829028309d36bdcbb77c57cc4fdc1c7b8201568d8065e465cd0bbbb524c915
                                                            • Opcode Fuzzy Hash: 5b0f903761623340b2cdd6728d64e06a7f44e81221fa29a0f1398f845a44a018
                                                            • Instruction Fuzzy Hash: 79A1E6351083419BE320FF68CC85BABB7E4EB95784F04092DF9898B291DB75E988C752
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event
                                                            • String ID: /*/$C:\ProgramData\Microsoft Drive\De.ini$Loop stopped as 1.txt does not exist.$Received command to stop loop. De.ini deleted.$jieshuxunhuan
                                                            • API String ID: 4201588131-4242312597
                                                            • Opcode ID: b39927e0f103686fa32b726e2d095276d0a6dc0f3b7b3d5579b60f66e3e6b051
                                                            • Instruction ID: 368dbf102333d3f33aab7b414df493a5988d33fb55c3cd96ca69a7f772dd8b24
                                                            • Opcode Fuzzy Hash: b39927e0f103686fa32b726e2d095276d0a6dc0f3b7b3d5579b60f66e3e6b051
                                                            • Instruction Fuzzy Hash: 2771F7B5604209AFF340DF389C81D9F77DCEF95295F040629F98E93246EB21F94897A2
                                                            APIs
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • _strcmpi.MSVCRT ref: 1000BE80
                                                            • _strcmpi.MSVCRT ref: 1000BE97
                                                            • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BEB3
                                                            • #825.MFC42(?), ref: 1000BF08
                                                            • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BF2D
                                                            • DeleteFileA.KERNEL32(?), ref: 1000BF42
                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 1000BF7B
                                                            • FindClose.KERNEL32(00000000), ref: 1000BF8A
                                                            • RemoveDirectoryA.KERNEL32(?), ref: 1000BF98
                                                            • #825.MFC42(?), ref: 1000BFBA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$D@2@@0@FileFindHstd@@Tidy@?$basic_string@V10@V?$basic_string@$#825_strcmpi$?append@?$basic_string@CloseDeleteDirectoryEos@?$basic_string@FirstFreeze@?$basic_string@Grow@?$basic_string@NextRemoveV12@Xran@std@@
                                                            • String ID: *.*
                                                            • API String ID: 2724700886-438819550
                                                            • Opcode ID: 488c37abc63727a877c75cbf3f23e7f13571674d72ed4c4faf1941d52787e83c
                                                            • Instruction ID: 3b465caa294e62a31bbfa2f3a3f8136139aa411db5f53ac75e6bf2de9ee731bc
                                                            • Opcode Fuzzy Hash: 488c37abc63727a877c75cbf3f23e7f13571674d72ed4c4faf1941d52787e83c
                                                            • Instruction Fuzzy Hash: 7971F0754087859FE310DF24CC94AEABBE4FB84380F444A2DF985872A5DB31E909CF52
                                                            APIs
                                                            • GetWindowLongA.USER32(?,000000EB), ref: 10002357
                                                            • PostQuitMessage.USER32(00000000), ref: 10002387
                                                            • SetWindowLongA.USER32(?,000000EB,?), ref: 100023A9
                                                            • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B3
                                                            • LoadIconA.USER32(00000000), ref: 100023BA
                                                            • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C4
                                                            • DestroyWindow.USER32(?), ref: 100023EA
                                                            Strings
                                                            • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 10002513
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                            • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                            • API String ID: 3894596752-2160474225
                                                            • Opcode ID: de3b8f291456a0b469831880bdfa9448e875709d2667a591d889c93201fa3430
                                                            • Instruction ID: 9b02aee96dfe64f34647ec3fbf13434fa37049088ce5b218e94cb993a3bfb2a2
                                                            • Opcode Fuzzy Hash: de3b8f291456a0b469831880bdfa9448e875709d2667a591d889c93201fa3430
                                                            • Instruction Fuzzy Hash: 595123765046166FF321CB28CCC5FEBB7ACFF48351F084735FA4AD21C2CA69A9098661
                                                            APIs
                                                            • lstrcatA.KERNEL32(00000000,?), ref: 1002AC76
                                                            • lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AC85
                                                            • FindFirstFileA.KERNEL32(00000000,?), ref: 1002ACA1
                                                            • strstr.MSVCRT ref: 1002AD73
                                                            • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,1012B074,?,00000104,?), ref: 1002ADC3
                                                            • lstrlenA.KERNEL32(00000000), ref: 1002ADCD
                                                            • lstrlenA.KERNEL32(?), ref: 1002ADD6
                                                            • LocalSize.KERNEL32(?), ref: 1002ADEC
                                                            • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 1002AE05
                                                            • lstrlenA.KERNEL32(?), ref: 1002AE15
                                                            • lstrlenA.KERNEL32(?), ref: 1002AE3F
                                                            • lstrlenA.KERNEL32(00000000), ref: 1002AE59
                                                            • lstrlenA.KERNEL32(00000000), ref: 1002AE89
                                                            • FindNextFileA.KERNEL32(?,?), ref: 1002AEA5
                                                            • FindClose.KERNEL32(?), ref: 1002AEB4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                            • String ID: .$.url$InternetShortcut$URL$\*.*
                                                            • API String ID: 3365753205-65308377
                                                            • Opcode ID: 4be5f2e04c6bc4388c5f5dbd9faef97b9ea001632a10b5a25c0ad1d4716dc46d
                                                            • Instruction ID: a93e6d93cb68504c79c0d736243791c0dfdd4661c232d8f27908536be3868e13
                                                            • Opcode Fuzzy Hash: 4be5f2e04c6bc4388c5f5dbd9faef97b9ea001632a10b5a25c0ad1d4716dc46d
                                                            • Instruction Fuzzy Hash: 6B6105752047449BC729CB34CC84AEBB7E6FBC4315F544A2DFA4A93291DE74AA0AC741
                                                            APIs
                                                            • FindWindowA.USER32(?,00000000), ref: 1001A521
                                                            • GetWindowTextA.USER32(00000000,756F32F0,00000104), ref: 1001A57C
                                                            • GetWindow.USER32(00000000,00000002), ref: 1001A626
                                                            • GetClassNameA.USER32(00000000,756F32F0,00000104), ref: 1001A635
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001A644
                                                            • wsprintfA.USER32 ref: 1001A6B9
                                                            • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\stop.ini,?,00000001), ref: 1001A767
                                                            • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\Destop.ini,?,00000001), ref: 1001A7DB
                                                            • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\De.ini,?,00000001), ref: 1001A84F
                                                            • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\id.ini,?,00000001), ref: 1001A888
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile$Window$ClassCloseFindHandleNameTextwsprintf
                                                            • String ID: %s $C:\ProgramData\Microsoft Drive\De.ini$C:\ProgramData\Microsoft Drive\Destop.ini$C:\ProgramData\Microsoft Drive\id.ini$C:\ProgramData\Microsoft Drive\stop.ini$CTXOPConntion_Class$qq.exe
                                                            • API String ID: 2272559414-824698800
                                                            • Opcode ID: 20d99dda8106bef375ea63282205a45dc08b195ba48492c4a98b3194e3122d0e
                                                            • Instruction ID: 0c774e2a49921d8c77c05eb9ca87284a993a1d63213f73f8104b7f7f6de1acce
                                                            • Opcode Fuzzy Hash: 20d99dda8106bef375ea63282205a45dc08b195ba48492c4a98b3194e3122d0e
                                                            • Instruction Fuzzy Hash: 75B1F7366049080BC71CC47898566AB76C3EBD5370FA9473DFA6B9B6D1DEB8CD898140
                                                            APIs
                                                            • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 100092C6
                                                            • wsprintfA.USER32 ref: 1000931C
                                                            • FindFirstFileA.KERNEL32(?,?,100FA614,?,00000000,00000065), ref: 1000932E
                                                            • wsprintfA.USER32 ref: 10009390
                                                            • wsprintfA.USER32 ref: 100093BC
                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 100093D6
                                                            • DeleteFileA.KERNEL32(?), ref: 100093E4
                                                            • FindNextFileA.KERNEL32(?,?), ref: 100093F4
                                                            • FindClose.KERNEL32(?), ref: 10009407
                                                            • RemoveDirectoryA.KERNEL32(?), ref: 1000940E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                            • String ID: %$%$%$%$%$.$.
                                                            • API String ID: 1639472542-2249276185
                                                            • Opcode ID: 9583cc8f492922c46a3fce45188c76e29ff1b1f16c3070b41c115d9241b7e7dd
                                                            • Instruction ID: 9b1cc3d7483b3e905a89100d3232beb0c31d61b5f2fd0be046ca02a1f11cbc6e
                                                            • Opcode Fuzzy Hash: 9583cc8f492922c46a3fce45188c76e29ff1b1f16c3070b41c115d9241b7e7dd
                                                            • Instruction Fuzzy Hash: 10417F7100D3C19AE711CB64DC48AEBBBE8ABD6344F084A5DF5C893291D6759608C76B
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _errno$Sleepclosesocketrecvsend$select
                                                            • String ID:
                                                            • API String ID: 1597795051-0
                                                            • Opcode ID: 4e7155bbe6ff128b4fc6ca381d0d3ebffd34115b319197f71fb66d194a9467c3
                                                            • Instruction ID: d5887e086b2599948b534768b189a3519c598de0959fb4af261d10bc162ec7bc
                                                            • Opcode Fuzzy Hash: 4e7155bbe6ff128b4fc6ca381d0d3ebffd34115b319197f71fb66d194a9467c3
                                                            • Instruction Fuzzy Hash: BAB1C4316147518BD724DF64D8946AB73FAFBC4300F82492DEA4697240DF75EE09CBA2
                                                            APIs
                                                            • GetLogicalDriveStringsA.KERNEL32 ref: 10008E7D
                                                            • GetUserNameA.ADVAPI32(?,?), ref: 10008EA9
                                                            • _strcmpi.MSVCRT ref: 10008EBC
                                                            • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 10008EE7
                                                            • CloseHandle.KERNEL32(00000000), ref: 10008EEE
                                                            • lstrlenA.KERNEL32(?), ref: 10008F02
                                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008F3D
                                                            • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 10008F5B
                                                            • lstrlenA.KERNEL32(?), ref: 10008F69
                                                            • lstrlenA.KERNEL32(?), ref: 10008F77
                                                            • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008F96
                                                            • GetDriveTypeA.KERNEL32(?), ref: 10008FDD
                                                            • lstrlenA.KERNEL32(?), ref: 10009047
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_strcmpi
                                                            • String ID: SYSTEM$g
                                                            • API String ID: 545482129-3120117691
                                                            • Opcode ID: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                            • Instruction ID: ca414da13ac5931e33e665348761623e7890ebc010380a1e6fdbd97a8b35e4d6
                                                            • Opcode Fuzzy Hash: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                            • Instruction Fuzzy Hash: EB5180715083499FD710DF24C880AEBBBE9FBC8344F444A2DFA8997251D770AA49CB66
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10025621
                                                            • wcstombs.MSVCRT ref: 10025662
                                                            • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002567E
                                                            • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002569A
                                                            • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 100256BB
                                                            • lstrlenA.KERNEL32(1012C940), ref: 1002572B
                                                            • lstrlenA.KERNEL32(1012C940), ref: 1002574C
                                                            • lstrlenA.KERNEL32(?), ref: 1002575F
                                                            • lstrlenA.KERNEL32(?), ref: 10025781
                                                            • lstrlenA.KERNEL32(?), ref: 10025794
                                                            • lstrlenA.KERNEL32(?), ref: 100257B2
                                                            • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 100257E6
                                                              • Part of subcall function 1001B7A0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B7E2
                                                              • Part of subcall function 1001B7A0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B7FA
                                                              • Part of subcall function 1001B7A0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B800
                                                              • Part of subcall function 1001B7A0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B80F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2919970077-2896544425
                                                            • Opcode ID: 4e7a21df44b1149a3d0809d503b0705941017666a682a17b06ea3e76e48e1d88
                                                            • Instruction ID: 4c9ca46c696752e2a0209ffc9afe41ffb6792d97879c155ff8de5bdbd2c72bde
                                                            • Opcode Fuzzy Hash: 4e7a21df44b1149a3d0809d503b0705941017666a682a17b06ea3e76e48e1d88
                                                            • Instruction Fuzzy Hash: 1051E0716047069BC314CF28DC81AAFB3E5FBC8704F840A1DF986A7241DB75E94ACB96
                                                            APIs
                                                            • Sleep.KERNEL32(0000000A), ref: 1000B8A6
                                                            • lstrlenA.KERNEL32(?), ref: 1000B8B1
                                                            • GetKeyState.USER32(00000010), ref: 1000B8FB
                                                            • GetAsyncKeyState.USER32(0000000D), ref: 1000B907
                                                            • GetKeyState.USER32(00000014), ref: 1000B914
                                                            • GetKeyState.USER32(00000014), ref: 1000B93C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: State$AsyncSleeplstrlen
                                                            • String ID: <BackSpace>$<Enter>
                                                            • API String ID: 43598291-3792472884
                                                            • Opcode ID: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                            • Instruction ID: 254073e1c1d6b0a9fa3052202c61483a4731d11cdb8d0cac1f822bb488184c88
                                                            • Opcode Fuzzy Hash: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                            • Instruction Fuzzy Hash: C3510471508B86ABF710DF64CC847AF73E9EB82384F010E2DEA5192194DB35D949C753
                                                            APIs
                                                            • CreateFileA.KERNEL32 ref: 1000E6D2
                                                            • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
                                                            • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
                                                            • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000E737
                                                            • Sleep.KERNEL32(000007D0), ref: 1000E742
                                                            • GetVersion.KERNEL32 ref: 1000E748
                                                            • ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
                                                            • ExitProcess.KERNEL32 ref: 1000E770
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                            • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                            • API String ID: 554375110-3993181469
                                                            • Opcode ID: fb975d3e7b9a1f54bde4cd7946da1fd2f0c2c53d4641d5bfd04ade5cf457feba
                                                            • Instruction ID: c28329faf3f90123d14e25da95549f1c5abae00c64d83b4d455333d5fe3119f1
                                                            • Opcode Fuzzy Hash: fb975d3e7b9a1f54bde4cd7946da1fd2f0c2c53d4641d5bfd04ade5cf457feba
                                                            • Instruction Fuzzy Hash: 63210735284751BBF230EB64DC4AFDF3B94BB84B10F240614FB697E1D0DAA465048B6A
                                                            APIs
                                                            • lstrlenA.KERNEL32(?,?,?,00000065), ref: 100090AA
                                                            • wsprintfA.USER32 ref: 100090FA
                                                            • FindFirstFileA.KERNEL32(?,?,?,100FA614,?,00000065), ref: 10009110
                                                            • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10009146
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10009174
                                                            • lstrlenA.KERNEL32(?,?,00000065), ref: 10009203
                                                            • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 10009256
                                                            • LocalFree.KERNEL32(00000000,?,00000065), ref: 10009272
                                                            • FindClose.KERNEL32(?,?,00000065), ref: 1000927D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                            • String ID: .$h
                                                            • API String ID: 4283800025-2131999284
                                                            • Opcode ID: 087c031b952b896fb17e8864b4c11cc1e28913ded17b6900597469201d8abb5b
                                                            • Instruction ID: f80dc6c365f501ab76c5a644a1782f46e0470f8aaf277f5cf5bd79276b190c7f
                                                            • Opcode Fuzzy Hash: 087c031b952b896fb17e8864b4c11cc1e28913ded17b6900597469201d8abb5b
                                                            • Instruction Fuzzy Hash: FC51287560C3829BE710CF289C84ADBBBE5EF99384F144A58F8D897381D279990DC762
                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000), ref: 10025BD9
                                                            • lstrlenA.KERNEL32(00000000), ref: 10025BE9
                                                            • lstrlenA.KERNEL32(00000000), ref: 10025BF2
                                                              • Part of subcall function 10024700: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024724
                                                              • Part of subcall function 10024700: #823.MFC42(00000002,?,00000000,00000000), ref: 10024731
                                                              • Part of subcall function 10024700: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002474D
                                                            • NetUserAdd.NETAPI32 ref: 10025C48
                                                            • #825.MFC42(?), ref: 10025C56
                                                            • #825.MFC42(?,?), ref: 10025C60
                                                            • wcscpy.MSVCRT ref: 10025CA4
                                                            • #825.MFC42(?), ref: 10025CAF
                                                            • #825.MFC42(?,?), ref: 10025CB9
                                                            • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025CDC
                                                            • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025CE4
                                                            • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 10025D15
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                            • String ID:
                                                            • API String ID: 3899135135-0
                                                            • Opcode ID: cc942730b2037d2fc1144a4bd96ef6187920c3922a1b9bf97ef6bd93ec9ea640
                                                            • Instruction ID: 8855c8af059af47777cf7af60bcf374747b7c8850806837418ae1bf7d8dd337f
                                                            • Opcode Fuzzy Hash: cc942730b2037d2fc1144a4bd96ef6187920c3922a1b9bf97ef6bd93ec9ea640
                                                            • Instruction Fuzzy Hash: 1541D2B56083006BD310DB64DC81EAFB7E9EBC4704F84092DF58497242EAB9E9498B62
                                                            APIs
                                                              • Part of subcall function 1002C7B0: LoadLibraryA.KERNEL32 ref: 1002C7C7
                                                              • Part of subcall function 1002C7B0: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C7D7
                                                              • Part of subcall function 1002C7B0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C7E1
                                                              • Part of subcall function 1002C7B0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C7ED
                                                              • Part of subcall function 1002C7B0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C7F8
                                                              • Part of subcall function 1002C7B0: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C804
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
                                                            • Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
                                                            • _strcmpi.MSVCRT ref: 1000ED70
                                                            • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
                                                            • Process32Next.KERNEL32(00000000,?), ref: 1000ED92
                                                            • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000ED9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_strcmpi
                                                            • String ID: SeDebugPrivilege$explorer.exe
                                                            • API String ID: 3814622859-2721386251
                                                            • Opcode ID: a6a92af55a5225f4c481ed074628428579c993826f0a0aec83d4cc2c41c4a7ef
                                                            • Instruction ID: 75ac5820b7940cf9cf08fc1506e17e3d52f2928a9b94b3cc0b3c021735fdbbf8
                                                            • Opcode Fuzzy Hash: a6a92af55a5225f4c481ed074628428579c993826f0a0aec83d4cc2c41c4a7ef
                                                            • Instruction Fuzzy Hash: A711C4B66403497BF350E7A0AD42FA7779CFB84381F440926BE05A2181EB65FD1886B2
                                                            APIs
                                                            • WSAStartup.WS2_32(00000202,?), ref: 10023B31
                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 10023B45
                                                            • htons.WS2_32 ref: 10023B78
                                                            • bind.WS2_32 ref: 10023B93
                                                            • listen.WS2_32(00000000,00000032), ref: 10023BA4
                                                            • accept.WS2_32(00000000,00000000,00000000), ref: 10023BCD
                                                            • malloc.MSVCRT ref: 10023BD3
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00023820,00000000,00000000,?), ref: 10023BEF
                                                            • Sleep.KERNEL32(000003E8), ref: 10023BFE
                                                            • CloseHandle.KERNEL32(00000000), ref: 10023C07
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                            • String ID:
                                                            • API String ID: 1905318980-0
                                                            • Opcode ID: 21dc11249ae30223fb28ca8131238aff560dae4c455fcb7b931cfabea1f40171
                                                            • Instruction ID: 0c306a6fd00256525775f33ba33762c421de27db6ac4d937b83a8337c13bf7e5
                                                            • Opcode Fuzzy Hash: 21dc11249ae30223fb28ca8131238aff560dae4c455fcb7b931cfabea1f40171
                                                            • Instruction Fuzzy Hash: CB21D334648310ABF310DF64EC8ABAF7BA8FF84B50F504619FA58D62E0E77089048726
                                                            APIs
                                                            • OpenClipboard.USER32(00000000), ref: 100026B3
                                                            • GetClipboardData.USER32(00000001), ref: 100026C7
                                                            • GlobalLock.KERNEL32(00000000), ref: 100026D8
                                                            • EmptyClipboard.USER32 ref: 100026F2
                                                            • GlobalAlloc.KERNEL32(00000002), ref: 1000270A
                                                            • GlobalLock.KERNEL32(00000000), ref: 10002717
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 1000273B
                                                            • SetClipboardData.USER32(00000001,00000000), ref: 10002744
                                                            • GlobalUnlock.KERNEL32(?), ref: 1000274F
                                                            • CloseClipboard.USER32 ref: 10002755
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyOpen
                                                            • String ID:
                                                            • API String ID: 3065066218-0
                                                            • Opcode ID: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                            • Instruction ID: eef061908f3c3295b15891c3fed615895cfe21d81dbfaa5e572b4fb253c06cc9
                                                            • Opcode Fuzzy Hash: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                            • Instruction Fuzzy Hash: 1F1194392406255FF3189B758C9DA6B7BD8FB846A2F19032DF61AC32E0DFA0DC008660
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10026AAD
                                                            • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 10026AC0
                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10026ACE
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,10024828), ref: 10026AE3
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024828), ref: 10026AF0
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024828), ref: 10026AF3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                            • String ID: SeDebugPrivilege$sharedaccess
                                                            • API String ID: 3393504433-1846105483
                                                            • Opcode ID: 9f7661eab9864cca61c946dac9ef02525c43cdd4c80a6eab616c9b293606fcab
                                                            • Instruction ID: a41d5e595696c1f13578c8602c683f655134a4c4e2cb6d36cd8884f2e1c1d510
                                                            • Opcode Fuzzy Hash: 9f7661eab9864cca61c946dac9ef02525c43cdd4c80a6eab616c9b293606fcab
                                                            • Instruction Fuzzy Hash: F7F0FC39950124B7E211B7548C4AFFF3E64FF85791F480115F608A61D1D77058448AB3
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 1001656D
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10016578
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098B66,000000FF,1000CC5B), ref: 10016589
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098B66,000000FF,1000CC5B), ref: 10016594
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098B66,000000FF,1000CC5B), ref: 100165A3
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098B66,000000FF,1000CC5B), ref: 100165AC
                                                            • ReleaseDC.USER32(00000000,?), ref: 100165B7
                                                              • Part of subcall function 100167E0: sprintf.MSVCRT ref: 1001682F
                                                              • Part of subcall function 100167E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 1001686F
                                                              • Part of subcall function 100167E0: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 1001688E
                                                              • Part of subcall function 100167E0: RegCloseKey.ADVAPI32(?), ref: 1001689D
                                                            • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,10098B66,000000FF,1000CC5B), ref: 100165CD
                                                            • DestroyCursor.USER32(00000000), ref: 1001660A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                            • String ID:
                                                            • API String ID: 1142494416-0
                                                            • Opcode ID: 7fc0cdf10efa4276d2f8a9978c6e743dc74b5592e1ddb76ba8749fec6f14ae31
                                                            • Instruction ID: 36cbf14b9a4f43972e99d5cb65ec23559a596eda08619899703a9b92fe32edd1
                                                            • Opcode Fuzzy Hash: 7fc0cdf10efa4276d2f8a9978c6e743dc74b5592e1ddb76ba8749fec6f14ae31
                                                            • Instruction Fuzzy Hash: E5212A75240B059BD224EB68CC81BD6B3E9FF88720F144A1DF26A972D0CBB5B901CB91
                                                            APIs
                                                            • OpenClipboard.USER32(00000000), ref: 100025B8
                                                            • GetClipboardData.USER32(00000001), ref: 100025C6
                                                            • GlobalLock.KERNEL32(00000000), ref: 100025CF
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 10002609
                                                            • CloseClipboard.USER32 ref: 1000260F
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 10002632
                                                            • CloseClipboard.USER32 ref: 10002638
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$CloseUnlock$DataLockOpen
                                                            • String ID:
                                                            • API String ID: 2537359085-0
                                                            • Opcode ID: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                            • Instruction ID: fa833299b88c5f4a584283747ecb7ea9d0db2f1ad11210ff9961461b47ce4595
                                                            • Opcode Fuzzy Hash: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                            • Instruction Fuzzy Hash: 0001B5792106145BF3089B358C8DAAB3B98FBC0321F18072AF91B961E1EFE5ED048664
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: malloc$Tablefree
                                                            • String ID:
                                                            • API String ID: 2903114640-0
                                                            • Opcode ID: 584ebc2d1ca3f34032d496b821f00b75008cf7c937c2d0e88bcebcbaa7abde9b
                                                            • Instruction ID: 461e0b43699d32c6a3a1c100eb0808daba67451a4a1471cb86b1f35504ec8c6c
                                                            • Opcode Fuzzy Hash: 584ebc2d1ca3f34032d496b821f00b75008cf7c937c2d0e88bcebcbaa7abde9b
                                                            • Instruction Fuzzy Hash: 3C1121736022246BD215DA1EBC81BDFB3D8FBC1661F14052AF919CB240DA25EE8586A2
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10027077
                                                            • Module32First.KERNEL32(00000000,00000000), ref: 1002708C
                                                            • lstrcmpiA.KERNEL32(?,?), ref: 100270AB
                                                            • Module32Next.KERNEL32(00000000,00000000), ref: 100270B7
                                                            • lstrcmpiA.KERNEL32(?,?), ref: 100270C9
                                                            • CloseHandle.KERNEL32(00000000), ref: 100270D4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Module32lstrcmpi$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 3447504839-0
                                                            • Opcode ID: 65d106d9dc1e2e251b34757b0522791fb257b2712f17d48a3046fc9d031d0998
                                                            • Instruction ID: f646a44485959ccfca753456237f2b98a5348523ef8d2a0cab1f56d0d0828313
                                                            • Opcode Fuzzy Hash: 65d106d9dc1e2e251b34757b0522791fb257b2712f17d48a3046fc9d031d0998
                                                            • Instruction Fuzzy Hash: 71015675105345ABD360EBA5EC84DABB7DDFF85350F40492DF94882240EB75EA0C87B2
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 100291E0
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 100291E7
                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10029215
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002922D
                                                            • GetLastError.KERNEL32 ref: 10029233
                                                            • CloseHandle.KERNEL32(?), ref: 10029244
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID:
                                                            • API String ID: 3398352648-0
                                                            • Opcode ID: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                            • Instruction ID: 43742cd4e67d0a5c06759c6e3c76b01404d602c5d82af1ea2e56166a97de78d4
                                                            • Opcode Fuzzy Hash: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                            • Instruction Fuzzy Hash: 10018479614310ABE304EB78CC89FDB77A8FB84B40F448A1DFA8D96290D675D8048BA1
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 1001A107
                                                            • CoCreateInstance.OLE32(100EACE0,00000000,00000001,100EACC0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A11F
                                                            Similarity
                                                            • API ID: CreateInitializeInstance
                                                            • String ID: FriendlyName
                                                            • API String ID: 3519745914-3623505368
                                                            • Opcode ID: 61e8a9f583257a81a27f2bd397121991c8e277aade336a3bff62ca7ac66e2cb8
                                                            • Instruction ID: cecdfafdaea8945f0d6e05b015b6355bace826cc94fa0b1d175a53f4daf6acc8
                                                            • Opcode Fuzzy Hash: 61e8a9f583257a81a27f2bd397121991c8e277aade336a3bff62ca7ac66e2cb8
                                                            • Instruction Fuzzy Hash: F7310574244202AFD604CF65CC88F5BB7E9FF89614F148958F549DB250DB74E88A8B62
                                                            APIs
                                                            • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10009C85
                                                            • FindClose.KERNEL32(00000000), ref: 10009D07
                                                            • CloseHandle.KERNEL32(?), ref: 10009D19
                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009D31
                                                            Similarity
                                                            • API ID: CloseFileFind$CreateFirstHandle
                                                            • String ID: p
                                                            • API String ID: 3283578348-2181537457
                                                            • Opcode ID: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                            • Instruction ID: 2b1597b52ddb8eafb0e91e12b29208ebd2643c3ea00a9cd01ad1c39fb074611e
                                                            • Opcode Fuzzy Hash: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                            • Instruction Fuzzy Hash: 7631BC719087019BF324DF28CC45B8FB6D6EBC53A0F25461EF1AA873D4D634D4458B41
                                                            Strings
                                                            • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1008058E
                                                            • *** END, xrefs: 1008090B
                                                            • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100807B0
                                                            • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100804D2
                                                            • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1008039C
                                                            • IVOP, xrefs: 100803C0
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$IVOP
                                                            • API String ID: 0-2073594325
                                                            • Opcode ID: 0f30e0d89e62e0642ddb12d132012f48230cdaf164e18b30dae6b64e7f295fd1
                                                            • Instruction ID: 2dabe9f39b06d607efdba2590a3075907cad2e7af6fa91bb4b5afb4b2becaede
                                                            • Opcode Fuzzy Hash: 0f30e0d89e62e0642ddb12d132012f48230cdaf164e18b30dae6b64e7f295fd1
                                                            • Instruction Fuzzy Hash: BCA216B5A042489FDB68CF18C881BEA77E5FF89344F10861EFD898B351D770AA45CB91
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gfff$gfff$gfff$gfff
                                                            • API String ID: 0-2178600047
                                                            • Opcode ID: c13b4115b2999c062cee2ded587e89cccd0d08fcb6ccc67634f8f34b9ea2112b
                                                            • Instruction ID: 085b7cc83e01a10df573dc6a62b6a5a31b412c2d8219ea57f8ce560061db3417
                                                            • Opcode Fuzzy Hash: c13b4115b2999c062cee2ded587e89cccd0d08fcb6ccc67634f8f34b9ea2112b
                                                            • Instruction Fuzzy Hash: 4232AE75A083528BC318DF28C88455EB7E2FBC8744F558A3DE885DB364E734E905CB86
                                                            Similarity
                                                            • API ID: exitfprintf
                                                            • String ID: %s
                                                            • API String ID: 4243785698-620797490
                                                            • Opcode ID: fd77dd0d61dcb626f8440662dc572310c311700c92d1a3a7c2491e5d7cd766f3
                                                            • Instruction ID: 9890aca869c07abf05744f406de6a22d9fa3739310af1440984844a79e4682c7
                                                            • Opcode Fuzzy Hash: fd77dd0d61dcb626f8440662dc572310c311700c92d1a3a7c2491e5d7cd766f3
                                                            • Instruction Fuzzy Hash: 7EE06D3E804211AFD200EBA4EC45EEAB7E8EF85345F448869F548A7212D735A90987A6
                                                            APIs
                                                              • Part of subcall function 100089F0: lstrlenA.KERNEL32(?), ref: 10008A21
                                                              • Part of subcall function 100089F0: malloc.MSVCRT ref: 10008A29
                                                              • Part of subcall function 100089F0: lstrcpyA.KERNEL32(00000000,?), ref: 10008A41
                                                              • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A6D
                                                              • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A8B
                                                              • Part of subcall function 100089F0: GetFileAttributesA.KERNEL32(00000000), ref: 10008ACF
                                                              • Part of subcall function 100089F0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10008ADC
                                                              • Part of subcall function 100089F0: GetLastError.KERNEL32 ref: 10008AE6
                                                              • Part of subcall function 100089F0: free.MSVCRT ref: 10008B44
                                                            • FindFirstFileA.KERNEL32(?,?,00000041,00000000,00000000,00000001,?,?,00000000,00000065), ref: 10009BDA
                                                            • FindClose.KERNEL32(00000000,0000006D,?,00000000,00000065), ref: 10009C06
                                                            • FindClose.KERNEL32(00000000,?,00000000,00000065), ref: 10009C21
                                                            Similarity
                                                            • API ID: Find$CharCloseFileNext$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmalloc
                                                            • String ID:
                                                            • API String ID: 887710168-0
                                                            • Opcode ID: 96facc4552618e4d07987d2afeeb8f5d63ea00d18b32d31a22300bdd6325aca6
                                                            • Instruction ID: 1111b63fd12be74d5e180b1b3ce59c9b2d36627955f8375ec6a37c0e3d02304c
                                                            • Opcode Fuzzy Hash: 96facc4552618e4d07987d2afeeb8f5d63ea00d18b32d31a22300bdd6325aca6
                                                            • Instruction Fuzzy Hash: EE11F3367001104BE714DA24DC91BFAB3D5EB89360F04063AFA1ACB2D6CA766D48C2A4
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020B20
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020B35
                                                            • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020B40
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                            • Instruction ID: a1da788e044cf653d4dcf0983f9a2d0563658fee4032d73213adc26f4466a8e4
                                                            • Opcode Fuzzy Hash: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                            • Instruction Fuzzy Hash: 6AF01D7515C380BFE341DB2889D4AABBBE8EBA4644FC45D4EF58943252D234D808CB27
                                                            APIs
                                                            • OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
                                                            • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
                                                            • CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$ClearCloseOpen
                                                            • String ID:
                                                            • API String ID: 1391105993-0
                                                            • Opcode ID: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                            • Instruction ID: e2617011e296939ca9cc499396a789e41a2db0335649869ff5bc3c2fc59dee1f
                                                            • Opcode Fuzzy Hash: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                            • Instruction Fuzzy Hash: B8F0C271504755DBD300DF09CC80B4BBBE8FB88340F800D09F954A7201E775AE088BA6
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 10010656
                                                              • Part of subcall function 1001B7A0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B7E2
                                                              • Part of subcall function 1001B7A0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B7FA
                                                              • Part of subcall function 1001B7A0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B800
                                                              • Part of subcall function 1001B7A0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B80F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 3672536310-3733053543
                                                            • Opcode ID: 7da311b1bfd0f1f289a5eb43b07976653ac166a7ddaaad49b80fb8f3d04e69d6
                                                            • Instruction ID: f9bb667e643176ab7a0f5f716037d533b7fffc3102dc2482a9ca8de1f9161814
                                                            • Opcode Fuzzy Hash: 7da311b1bfd0f1f289a5eb43b07976653ac166a7ddaaad49b80fb8f3d04e69d6
                                                            • Instruction Fuzzy Hash: 30C01279944B0C27E490D7609C87F4E31049B94702F984810F7145A1C1EAB5B454497E
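The two entries above, the OpenEventLogA / ClearEventLogA / CloseEventLog chain at 1000E57C-1000E58A and the OpenProcessToken / LookupPrivilegeValueA / AdjustTokenPrivileges helper at 1001B7A0 that precedes ExitWindowsEx with the SeShutdownPrivilege string, are the kind of behaviour a triage script can match straight from the report's API-trace notation. The Python below is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. The trace lines are re-typed from the entries above as constructed input; the chain definitions, the `Finding` fields and the decision to group call sites by the "Part of subcall function" owner are my own assumptions about how to read the listing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the report's own API-trace notation: the event-log and
# shutdown entries above, re-typed here so the script runs offline.
SAMPLE_TRACE = """\
• OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
• ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
• CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
• Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
• Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
• ExitWindowsEx.USER32(?,00000000), ref: 10010656
• Part of subcall function 1001B7A0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B7E2
• Part of subcall function 1001B7A0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B7FA
• Part of subcall function 1001B7A0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B80F
• String ID: SeShutdownPrivilege
"""

# One API call per line: optional "Part of subcall function <addr>:" prefix,
# then Api.MODULE(args), ref: <call-site address>.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call site
    helper: Optional[int]       # subcall the line belongs to; None = the function itself


@dataclass(frozen=True)
class Finding:
    name: str
    helper: Optional[int]       # where the matching chain lives
    privilege: Optional[str]    # privilege name seen in the String ID line, if any


def parse_trace(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Parse report lines into API calls plus the '$'-joined String IDs."""
    calls, strings = [], []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append(ApiCall(
                api=m["api"], module=m["mod"].upper(),
                args=tuple(a.strip() for a in m["args"].split(",") if a.strip()),
                ref=int(m["ref"], 16),
                helper=int(m["sub"], 16) if m["sub"] else None,
            ))
            continue
        m = STRING_RE.match(line)
        if m:
            strings.extend(s for s in m["s"].split("$") if s)
    return calls, strings


def _subsequence(names: List[str], patterns: List[str]) -> bool:
    """True if every pattern matches some name, in order, gaps allowed."""
    it = iter(names)
    return all(any(re.fullmatch(p, n) for n in it) for p in patterns)


# Ordered API chains (assumed signatures); A/W suffix variants are accepted.
LOG_CLEAR = [r"OpenEventLog[AW]?", r"ClearEventLog[AW]?", r"CloseEventLog"]
ENABLE_PRIV = [r"OpenProcessToken", r"LookupPrivilegeValue[AW]?", r"AdjustTokenPrivileges"]


def find_behaviours(text: str) -> List[Finding]:
    calls, strings = parse_trace(text)
    # The listing interleaves helper calls with the caller's, so order call
    # sites per owning function instead of globally.
    groups = {}
    for c in calls:
        groups.setdefault(c.helper, []).append(c)
    has_shutdown = any(c.api == "ExitWindowsEx" for c in calls)
    privilege = next((s for s in strings if s.endswith("Privilege")), None)

    findings = []
    for owner, group in groups.items():
        names = [c.api for c in sorted(group, key=lambda c: c.ref)]
        if _subsequence(names, LOG_CLEAR):
            findings.append(Finding("event_log_clearing", owner, None))
        if _subsequence(names, ENABLE_PRIV) and has_shutdown:
            findings.append(Finding("privileged_shutdown", owner, privilege))
    return findings


if __name__ == "__main__":
    for f in find_behaviours(SAMPLE_TRACE):
        where = f"helper {f.helper:08X}" if f.helper is not None else "function body"
        print(f"{f.name:<22} in {where}  privilege={f.privilege}")
```

Two points worth keeping in mind when turning this into host-side detection. ExitWindowsEx only succeeds when SeShutdownPrivilege is enabled in the caller's token, which is why the AdjustTokenPrivileges helper sits in front of it. And ClearEventLog itself leaves a record: Event ID 1102 when the Security log is cleared and 104 for the System log, written into the log that was just emptied, so that record only survives if logs are forwarded off the host before the sample runs.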
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 2$?
                                                            • API String ID: 0-2669683831
                                                            • Opcode ID: 5afc49edbeed22d9322d8a8f9e3a3b45c9e5eb08a5f630880135f77ca053dc00
                                                            • Instruction ID: d2c32b6cb29023d5d51abe96cf318795f0583b004992312e34f10b8afd7a02b3
                                                            • Opcode Fuzzy Hash: 5afc49edbeed22d9322d8a8f9e3a3b45c9e5eb08a5f630880135f77ca053dc00
                                                            • Instruction Fuzzy Hash: D672D5B4604B429FD368CF29C890B9AF7E5FB88304F118A2DE59D87351EB30A955CF91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: U|E
                                                            • API String ID: 0-1252972675
                                                            • Opcode ID: 651d90eeda649614a8c5e1f53113b5349eec4a2edcdc775186372bdf384d5129
                                                            • Instruction ID: 178a43c85ea4f5bfc4c370f448536f0f340647076d632d33edcda1f31afdc15d
                                                            • Opcode Fuzzy Hash: 651d90eeda649614a8c5e1f53113b5349eec4a2edcdc775186372bdf384d5129
                                                            • Instruction Fuzzy Hash: F59258B5A002899FDB24CF18C881BEA77E5FB88344F51852EED49CB352D734EA45CB94
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: sprintf
                                                            • String ID:
                                                            • API String ID: 590974362-0
                                                            • Opcode ID: 5dbdad616009c3527a54d0aa486717dc9cb2c79932f4814da39f3d83ed16c41b
                                                            • Instruction ID: 0a7082218f7d204165e5cc4d417af11c803c4f7f9371f2223171596a73e69c5d
                                                            • Opcode Fuzzy Hash: 5dbdad616009c3527a54d0aa486717dc9cb2c79932f4814da39f3d83ed16c41b
                                                            • Instruction Fuzzy Hash: D672E479E007115BE324DE15DC81B9FB3E6FFC4250F11881EE9AA87B92EA70F9418791
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: cd3cb8963a05c94bd125b1bfd9efa2009beecb3266d4c2a08c4bb8ad205e6211
                                                            • Instruction ID: 02e6f3b807fcbc15a21e3dfb4a287be9e0aa3394b9a40f8fea1b57ff1cc8d4f0
                                                            • Opcode Fuzzy Hash: cd3cb8963a05c94bd125b1bfd9efa2009beecb3266d4c2a08c4bb8ad205e6211
                                                            • Instruction Fuzzy Hash: 277223B56087009FD358CF28CC85A6BB7EAFBC8304F54892DF99A83355E674E901DB52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: 8040f908c0d70b1bdc3a3f04082da3707e0064a5818f089fc96e60e8e4bc4895
                                                            • Instruction ID: e18d1a7713a19185c5c3a518fb8a013ab43e4dd081f9c14d9d72fd8c263fc19c
                                                            • Opcode Fuzzy Hash: 8040f908c0d70b1bdc3a3f04082da3707e0064a5818f089fc96e60e8e4bc4895
                                                            • Instruction Fuzzy Hash: E18259B5A042458FCB58CF18C890A9ABBE5FF88344F14866EED49CB356D770E981CF91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: p
                                                            • API String ID: 0-2181537457
                                                            • Opcode ID: 67d29c689465aaf62f4cf58f571b84b2b2aefe36945c401e933ba7323f53f4bd
                                                            • Instruction ID: 85a1d42c609e4d368fd600a0959e25157a898d0f802264f4f0a909a903b63a62
                                                            • Opcode Fuzzy Hash: 67d29c689465aaf62f4cf58f571b84b2b2aefe36945c401e933ba7323f53f4bd
                                                            • Instruction Fuzzy Hash: 117232B16087009FD358CF68CC85A6BB7E5FB88304F44892EF99A83355EB75E904DB52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: P
                                                            • API String ID: 0-3110715001
                                                            • Opcode ID: 0140a263c6d2d9d5b99abf8c66a0b39f741dd42d827dba4616e78b10990d64e0
                                                            • Instruction ID: 29d84e6886a5f950b371df3bcdef7746ef6abcb856a9cefba8cc2ecc4c4e0da2
                                                            • Opcode Fuzzy Hash: 0140a263c6d2d9d5b99abf8c66a0b39f741dd42d827dba4616e78b10990d64e0
                                                            • Instruction Fuzzy Hash: EC5238B16047019FD358CF68C885A6BB7EAFBC8340F15892EE99AC3351EB74E905CB51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _ftol
                                                            • String ID:
                                                            • API String ID: 2545261903-0
                                                            • Opcode ID: 0c700700460dc6fb609c14f8c58326d609762c714160b162dcabdcaa5207e5ac
                                                            • Instruction ID: 51449f8d3c0175d07d5398c1783e26b08a5c652843ffdb10b364e2fe72abf51f
                                                            • Opcode Fuzzy Hash: 0c700700460dc6fb609c14f8c58326d609762c714160b162dcabdcaa5207e5ac
                                                            • Instruction Fuzzy Hash: FA220774A043868FD768CF18C980B9AB7E2FFC8304F11896EE9998B355D731E951CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: p
                                                            • API String ID: 0-2181537457
                                                            • Opcode ID: 03fd0c4c254b390c3632430ff914404c158cc6d7da1f7bd3b7eedceee4c59099
                                                            • Instruction ID: fbd7baa2427b60d72e29835b1a116b72f50efb9b0052fb12787f9d55e3add9d5
                                                            • Opcode Fuzzy Hash: 03fd0c4c254b390c3632430ff914404c158cc6d7da1f7bd3b7eedceee4c59099
                                                            • Instruction Fuzzy Hash: 6C2213726047059FD358CF68C885AABB7E9FBC8304F45892DF99AC3351DB74A904CB62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: f6bf66261e8cd285e4c05d325fd0e72958e5c2352d81d05ec9fd9b739342ef11
                                                            • Instruction ID: fb77bcc05e89a22641ec06e3d3ef1103484e7908b0af3bc73132c943cd9443bc
                                                            • Opcode Fuzzy Hash: f6bf66261e8cd285e4c05d325fd0e72958e5c2352d81d05ec9fd9b739342ef11
                                                            • Instruction Fuzzy Hash: 7822EFB5A142059FCB48CF18C490A9ABBE5FF88310F598A6EFC59CB346D770E941CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 434623093efd5cca7965287edf3cc25c53cac4dc61b09c1846cb5742a22573ed
                                                            • Instruction ID: 8b724418b107338d6602daea7dd59de3c54c584600d1093de004fdcd8655a14e
                                                            • Opcode Fuzzy Hash: 434623093efd5cca7965287edf3cc25c53cac4dc61b09c1846cb5742a22573ed
                                                            • Instruction Fuzzy Hash: 74E157B46087049FD358CF68C885A6BB7E9FBC9304F05892DF99A83350EB75E905CB52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                            • Instruction ID: fbcbaacc3d9f186613c4a71d0bd528a2af217ef295cde4e3ec60000bd4ebfe67
                                                            • Opcode Fuzzy Hash: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                            • Instruction Fuzzy Hash: 57624B74600B428FD728CF29D990A26B7E1FF85710B158A2DE88797B51D730F94ACBA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                            • Instruction ID: 666f91e0f4e9b9f2dd51f1c7e6263b133853ce75cc250038ad35c0a21c5c6ed6
                                                            • Opcode Fuzzy Hash: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                            • Instruction Fuzzy Hash: 6B02F0B56087458BE704CF28D88071BB7E6EFC5294F46852CF88A87345EB35EE05C7A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b644a3d561cb8fe8be87e19f935c6ea0e8f41d4aa6c937c9fef3fe6d274805c4
                                                            • Instruction ID: c89ed8a295f7dc903ed501673aa55a7d525b351c797df2ab9ac9b2602030ebcf
                                                            • Opcode Fuzzy Hash: b644a3d561cb8fe8be87e19f935c6ea0e8f41d4aa6c937c9fef3fe6d274805c4
                                                            • Instruction Fuzzy Hash: 3D32F3B5A042059FCB68CF18C880B9AB7E5FF88304F15866EED499B356D730EA41CF95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75e2c9bd9ee5fd53da6c7d3eba5e030f13def887a2352162021a66d8c5d1442b
                                                            • Instruction ID: 68142e77deff0ba95a2affa83f034b555ace2ff534610061d2b174bec00923c2
                                                            • Opcode Fuzzy Hash: 75e2c9bd9ee5fd53da6c7d3eba5e030f13def887a2352162021a66d8c5d1442b
                                                            • Instruction Fuzzy Hash: 06122AB56087419FD354CF18C884AABB7EAFBC8304F15892DF99A87354EA70E905CB52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f340d131a156f1c0f106b318a17971a893a7eec0ffb9ea1af6892fea104fd259
                                                            • Instruction ID: 41c10ed6f3ea35da5de8269d331892672791aba46f975aec3aac0af76d39aeef
                                                            • Opcode Fuzzy Hash: f340d131a156f1c0f106b318a17971a893a7eec0ffb9ea1af6892fea104fd259
                                                            • Instruction Fuzzy Hash: 3712E6A5E35FA741E783AAB855424A5F3607FEB140B06AB57FC9070C42FB3AD38E4254
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                            • Instruction ID: 6554bff9ad066062e06441f2f922fb2849148928053caa435697f4d281cab73b
                                                            • Opcode Fuzzy Hash: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                            • Instruction Fuzzy Hash: 080259B4604B468FC325CF18C590A6BB7E5FF89305F144A6DE98A8B712D731F90ACB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd91916824ffe59d8a2f20c3fe7ecb7f544f565391cf4528caeb039401d341fa
                                                            • Instruction ID: c074228f2098d718e52938f1800476ca38900e8a40e41c2c0f9691ae808cfd53
                                                            • Opcode Fuzzy Hash: fd91916824ffe59d8a2f20c3fe7ecb7f544f565391cf4528caeb039401d341fa
                                                            • Instruction Fuzzy Hash: 96123A74A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
                                                            Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e31fd5ad3bce96c621a4a94272d42213b50ab7ab279c091ba6f11be98c2ec83b
• Instruction ID: 148d52568421cbb96c8fa7c30030c4cadff40aba2da1da02eb34fc5269d5643a
• Opcode Fuzzy Hash: e31fd5ad3bce96c621a4a94272d42213b50ab7ab279c091ba6f11be98c2ec83b
• Instruction Fuzzy Hash: FBF15D756087468FC309CF1AC490A5AFBE2FFC8319F29896DD9899B315DB31E906CB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 932d48c39502fb9f5bb96aa54d2d2c9dc5f8d5f09cb2418de52b43448607d777
                                                            • Instruction ID: f997ffcfcdede99217a3e5c4f6bdf2abdeb2b6439b3985bee462d20f15692718
                                                            • Opcode Fuzzy Hash: 932d48c39502fb9f5bb96aa54d2d2c9dc5f8d5f09cb2418de52b43448607d777
                                                            • Instruction Fuzzy Hash: 36D1E379F007114BE714CE25CC81BAFB3D6EFC4351F04892EEA5A87B95E671F9418690
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63dea0d0660180ce5a3919b1f08d0ec2c3c96ca3a10a4f26215558cfb6708d77
                                                            • Instruction ID: 8d450164e5c5e15b77f4279c5a03d622570e855a46562d4d9db0585749276eb8
                                                            • Opcode Fuzzy Hash: 63dea0d0660180ce5a3919b1f08d0ec2c3c96ca3a10a4f26215558cfb6708d77
                                                            • Instruction Fuzzy Hash: 0AE1C372A083954FD318CF2CC89025ABBE2FBC4344F26866DE8D6DB351D674D949CB85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                            • Instruction ID: d6aced37906bf19e3b11a9a92f565bdf72d34a197ad0696d49df5be3d91f6987
                                                            • Opcode Fuzzy Hash: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                            • Instruction Fuzzy Hash: 12D155B5A047468FC314CF09C890A9AF7E1FFC8355F158A2EE8999B301D731E946CB92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca87fa5213db1668c13b20ee25e38e868c0852f420055e01353ce5b27d1445d0
                                                            • Instruction ID: 65469869509cfd61cd58f0f348e370f27ed627e21a15ad85d4aa9a9ece5d4955
                                                            • Opcode Fuzzy Hash: ca87fa5213db1668c13b20ee25e38e868c0852f420055e01353ce5b27d1445d0
                                                            • Instruction Fuzzy Hash: E1D1B064926B018AD716CF38D092436B7A1FFF27147A4C75ED886B715AFB30E891C381
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 270c071cb8fde0cadef09b391b519f3865d44cea4603e8b22bf723eb0285886a
                                                            • Instruction ID: 2e5abd72eab36b8d5b7e5b0f4b0dc09656a8dd938c3427b230fa970d2a6481c3
                                                            • Opcode Fuzzy Hash: 270c071cb8fde0cadef09b391b519f3865d44cea4603e8b22bf723eb0285886a
                                                            • Instruction Fuzzy Hash: 93C135716087468FD31CDF19C89156AFBE2FFC8304F048A2DE59A87354EB34A915CB89
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                            • Instruction ID: c3f1b3ed220233ed737408a232c1220158c6e058cc217ce0ff2f7c47cd4bfe6a
                                                            • Opcode Fuzzy Hash: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                            • Instruction Fuzzy Hash: 9CD18A756092518FC319CF28E8D88E67BE5FF98710B1E42F8C9898B323D731A985CB55
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                            • Instruction ID: 7803e7437e1b646c362a78e72367317f159f3163df66fa40c608de700601e534
                                                            • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                            • Instruction Fuzzy Hash: 33C12D3560D3828FC308CF69C49055AFBE2BFCA208F49D97DE9C987312D671A919CB45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37c0a634b22e2e521ef4a3485cde0871122408e01ae1637ce9fb90ac4a73126a
                                                            • Instruction ID: eec4159a1171e8199c630e88e650f8019e223546203c8665c25ca24e13308cf1
                                                            • Opcode Fuzzy Hash: 37c0a634b22e2e521ef4a3485cde0871122408e01ae1637ce9fb90ac4a73126a
                                                            • Instruction Fuzzy Hash: DFC18CA4A2AF0196D7168F38D482536F3A1FFF17147A4C75AD8C6B715EFB20E4A1D280
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                            • Instruction ID: f1de1ebb58cc82ba1b875bfc47ae88c793419856246002296b4e3d9e7ba06d65
                                                            • Opcode Fuzzy Hash: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                            • Instruction Fuzzy Hash: F2916E32604B428FC729CF29C8904ABB7E2EF86344B69892DD5D787711E731B849CB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
• Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
• Instruction ID: 7f75a3304065bd6fa537bdab1d14332d542616cddc89e496eeb72017ba94ae1c
• Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
• Instruction Fuzzy Hash: 33717533755A8207E71DCE3E8C602BAABD38FC621472ED87E94DAC7746EC79D41A5204
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5e63e9667fd217d6eacac432ed90c05c7fd9e0bacaf405f98dbee9d07dab7bc
• Instruction ID: fa65caea894796e517e4b3568bf745aa9b816b4ef54e514e17ce1584e320e313
• Opcode Fuzzy Hash: f5e63e9667fd217d6eacac432ed90c05c7fd9e0bacaf405f98dbee9d07dab7bc
• Instruction Fuzzy Hash: 17914B756047059FD358CF68C881AABB7EAEBC8300F15992DF99A87340DA30F909CF51
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7f29291163757aea393b74584065538a0757f8d5db3c073261e60ebc5562a8c
• Instruction ID: 54882bad89d80032504cfa17cd755ed8c155608eae888ae5f462ea9457d6aa3b
• Opcode Fuzzy Hash: c7f29291163757aea393b74584065538a0757f8d5db3c073261e60ebc5562a8c
• Instruction Fuzzy Hash: A0912A716093818FC318CF6DC89055AFBE2FFCE304F19867EE589C7365DA7598068A46
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
• Instruction ID: 90d5bf04f4aba64717b41dc3a8267fbce1c385d454846d00d166aedaf8f10125
• Opcode Fuzzy Hash: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
• Instruction Fuzzy Hash: BF81AD327195A64BE708CF29DCE053BB7A3EB8D340F19883DC686D7356C931A91A8760
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
• Instruction ID: 4e5fd15620c05232e311bf08b0a4888acbdfcfc8b05760d64ecdd7d941a19f93
• Opcode Fuzzy Hash: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
• Instruction Fuzzy Hash: 67219373BF4E1B0EE344A9FCDC4A7A135C1D3A4715F198E38A119C72C0F5ACCA885250

Control-flow Graph

APIs
  • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
  • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
  • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
• LoadLibraryA.KERNEL32 ref: 1001BBA9
• GetProcAddress.KERNEL32 ref: 1001BC75
• GetProcAddress.KERNEL32 ref: 1001BEEC
• GetCurrentProcess.KERNEL32 ref: 1001BF83
• Sleep.KERNEL32(00000014), ref: 1001BFD5
• Sleep.KERNEL32(000003E8), ref: 1001C05C
• CloseHandle.KERNEL32(?), ref: 1001C0AF
• CloseHandle.KERNEL32(?), ref: 1001C0CC
• CloseHandle.KERNEL32(?), ref: 1001C0D7
• CloseHandle.KERNEL32(?), ref: 1001C0E5
• FreeLibrary.KERNEL32(00000000), ref: 1001C0EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
• String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y$ou
• API String ID: 2138834447-2474151436
• Opcode ID: bf98fdd747ac80dbcb6825b69a16fbfb30e3230a2f20571204a2c7be5d3527a1
• Instruction ID: c2f504325f9f0b2df527b29f4b920b06eabda0e79ce24e95d7f610f9e4eacb52
• Opcode Fuzzy Hash: bf98fdd747ac80dbcb6825b69a16fbfb30e3230a2f20571204a2c7be5d3527a1
• Instruction Fuzzy Hash: 6732A06050C7C4C9E332C7688848BDBBFD66BA6748F08499DE2CC5B282C7BA5558C777
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
• GetProcAddress.KERNEL32(00000000), ref: 10005D45
• LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
• GetProcAddress.KERNEL32(00000000), ref: 10005D58
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
• GetProcAddress.KERNEL32(00000000), ref: 10005D6E
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10005D81
• GetProcAddress.KERNEL32(00000000), ref: 10005D84
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 10005D94
• GetProcAddress.KERNEL32(00000000), ref: 10005D97
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10005DA7
• GetProcAddress.KERNEL32(00000000), ref: 10005DAA
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10005DBD
• GetProcAddress.KERNEL32(00000000), ref: 10005DC0
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 10005DD3
• GetProcAddress.KERNEL32(00000000), ref: 10005DD6
• strchr.MSVCRT ref: 100060F0
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
• wsprintfA.USER32 ref: 10006151
• #823.MFC42(00001000), ref: 100061B3
• #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 1000638B
• #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006391
• #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006397
• #825.MFC42(00000000), ref: 100063DD
  • Part of subcall function 10005A50: LoadLibraryA.KERNEL32 ref: 10005AA7
  • Part of subcall function 10005A50: GetProcAddress.KERNEL32(00000000), ref: 10005AAE
  • Part of subcall function 10005A50: wsprintfA.USER32 ref: 10005B17
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
• String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
• API String ID: 2391671045-4160613188
• Opcode ID: 3d175123dd248640a9990d56e36f350115e314841feb1ed36e8fcc4f67e00e21
• Instruction ID: 51b2eb75582aebe5733b105b685b12bb9b24db0e023bcc28f197e5974805e4f8
• Opcode Fuzzy Hash: 3d175123dd248640a9990d56e36f350115e314841feb1ed36e8fcc4f67e00e21
• Instruction Fuzzy Hash: E8120A6150D3C4DEE322CB788848B9BBFD5AFE6748F08494DE1C847292C6BA9548C777
APIs
  • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
  • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
  • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
• GetVersionExA.KERNEL32 ref: 1001C34A
  • Part of subcall function 1001AD60: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B3BF,?,?,?), ref: 1001AD69
  • Part of subcall function 1001AD60: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AD7B
  • Part of subcall function 1001AD60: FreeLibrary.KERNEL32(00000000), ref: 1001ADA5
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001C37E
• sprintf.MSVCRT ref: 1001C399
• Sleep.KERNEL32(?), ref: 1001C3B1
• GetCurrentProcessId.KERNEL32(?), ref: 1001C3BF
• WTSQuerySessionInformationA.WTSAPI32 ref: 1001C417
• WTSFreeMemory.WTSAPI32(?), ref: 1001C43E
• AttachConsole.KERNEL32(?), ref: 1001C478
• Sleep.KERNEL32(0000000A), ref: 1001C480
• AttachConsole.KERNEL32(?), ref: 1001C48A
• GetConsoleProcessList.KERNEL32(1011F75C,00000001), ref: 1001C4A0
• #823.MFC42(00000000), ref: 1001C4B1
• GetConsoleProcessList.KERNEL32(00000000,00000000,?), ref: 1001C4C4
• GetCurrentProcessId.KERNEL32 ref: 1001C4CE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 1001C4E2
• TerminateProcess.KERNEL32(00000000,00000000), ref: 1001C4F1
• CloseHandle.KERNEL32(00000000), ref: 1001C4F8
• #825.MFC42(00000000), ref: 1001C50C
• FreeConsole.KERNEL32 ref: 1001C51C
• Sleep.KERNEL32(0000000A), ref: 1001C524
• FreeConsole.KERNEL32 ref: 1001C52A
• TerminateProcess.KERNEL32(?,00000000), ref: 1001C535
• CloseHandle.KERNEL32(?), ref: 1001C58C
• CloseHandle.KERNEL32(?), ref: 1001C594
• OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001C5CB
• OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001C5E3
• CloseServiceHandle.ADVAPI32(00000000), ref: 1001C5F0
• StartServiceA.ADVAPI32(00000000,00000001,?), ref: 1001C609
• CloseServiceHandle.ADVAPI32(00000000), ref: 1001C61A
• CloseServiceHandle.ADVAPI32(00000000), ref: 1001C61D
• CloseHandle.KERNEL32(00000000,?,?), ref: 1001C636
• CloseHandle.KERNEL32(00000000,?,?), ref: 1001C66E
• ExitProcess.KERNEL32 ref: 1001C671
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: Handle$CloseProcess$Console$Service$Free$LibraryOpenSleep$AddressAttachCurrentListLoadModuleProcTerminate$#823#825ExitFileInformationManagerMemoryNameQuerySessionStartVersionsprintf
• String ID: %s -acsi$-rsvc$.$.$2$2$3$3$A$A$A$C$D$G$I$I$I$K$L$N$P$P$R$S$S$S$S$S$T$V$W$a$c$c$d$d$d$d$i$i$i$i$l$l$l$l$l$n$n$n$o$o$o$o$r$s$s$s$s$s$s$s$t$t$t$t$t$u$v$v
• API String ID: 2001453909-3801729388
• Opcode ID: aed4694ebf135afc8aba046561d12808d7f141306baffd61cc5554d8110ddfb8
• Instruction ID: 663d38145428b8f950ba5587534a8282e94f71e8f6a2304e669b1f74cf27e64b
• Opcode Fuzzy Hash: aed4694ebf135afc8aba046561d12808d7f141306baffd61cc5554d8110ddfb8
• Instruction Fuzzy Hash: 36F1607050C3C5DEE321C7688888B5BBFE5AB96344F08495DF1C84B292D7BAD548CB67
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005461
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000546A
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005478
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000547B
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 1000548E
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005491
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054A1
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054B7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100054BA
                                                            • strchr.MSVCRT ref: 100057B9
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100057F6
                                                            • wsprintfA.USER32 ref: 10005816
                                                            • #823.MFC42(00001000), ref: 1000583D
                                                            • #825.MFC42(00000000), ref: 1000589B
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                            • String ID: $ $ $%s\%s$.$.$C$C$D$D$GetPrivateProfileSectionNamesA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                            • API String ID: 1413152188-1163569440
                                                            • Opcode ID: 05144717aad16131a25e8fd5c5d0e452a7624757d049951bb890d71f901de53d
                                                            • Instruction ID: 097df1186fd5e2763f188ac9baa9f2a21b84c5dc3fdeedc9593f7676838b550c
                                                            • Opcode Fuzzy Hash: 05144717aad16131a25e8fd5c5d0e452a7624757d049951bb890d71f901de53d
                                                            • Instruction Fuzzy Hash: 5DD1B26140D7C0DDE322C778849878BBFD66FA2748F48498DE1C84B293C6BA9658C777
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                            • String ID: .$.$.$.$:$A$AOr$C$E$F$H$I$I$I$I$I$I$I$O$O$R$T$U$W$a$a$a$a$at.$b$c$d$d$d$g$i$i$i$l$l$l$l$l$l$l$l$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$p$p$p$p$p$p$p$r$r$r$r$r$t$t$t$t$t$t$t$t$t$t$t$t$t$t
                                                            • API String ID: 310444273-3809768815
                                                            • Opcode ID: 58e7c8387de40ad5ec6d13027523f9311a4bc92cc521051a6f61062b3377a0ca
                                                            • Instruction ID: cd3c435a88fe39e2fc76616441f73dbd3bc7a1de89d523102e560f7ceaf9a857
                                                            • Opcode Fuzzy Hash: 58e7c8387de40ad5ec6d13027523f9311a4bc92cc521051a6f61062b3377a0ca
                                                            • Instruction Fuzzy Hash: 29E1D42150D3C0DDE332C228844879FBFD65BA3648F48499DE5C88B292C7BA9558D77B
                                                            APIs
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • GetVersionExA.KERNEL32(?), ref: 1001E374
                                                              • Part of subcall function 1001AD60: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B3BF,?,?,?), ref: 1001AD69
                                                              • Part of subcall function 1001AD60: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AD7B
                                                              • Part of subcall function 1001AD60: FreeLibrary.KERNEL32(00000000), ref: 1001ADA5
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001E3A2
                                                            • sprintf.MSVCRT ref: 1001E3BD
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001E42B
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001E45D
                                                            • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E487
                                                            • FindWindowA.USER32(#32770,1011F934), ref: 1001E4A1
                                                            • Sleep.KERNEL32(0000012C), ref: 1001E4B1
                                                            • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E4BD
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001E524
                                                            • ExitProcess.KERNEL32 ref: 1001E543
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                            • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                            • API String ID: 2386940797-994141675
                                                            • Opcode ID: 2374a952dd6da0a5643ba83b2a824f2baabb1b1f9860c3fdedd9b57e1858c4fa
                                                            • Instruction ID: b1a754d1e48c22453a743013b2d7ba5a756a9753b49df77d6dd722b682b585db
                                                            • Opcode Fuzzy Hash: 2374a952dd6da0a5643ba83b2a824f2baabb1b1f9860c3fdedd9b57e1858c4fa
                                                            • Instruction Fuzzy Hash: 08C12C6040C7C5DAE312C7788888B4FBFD5ABA6348F58495CF5C84B292D3BAD948C767
                                                            APIs
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001EE8E
                                                            • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001EECD
                                                            • GetCurrentProcess.KERNEL32 ref: 1001EFFB
                                                            • GetCurrentThread.KERNEL32 ref: 1001F002
                                                            • GetCurrentProcess.KERNEL32(00000020), ref: 1001F077
                                                            • GetCurrentThread.KERNEL32 ref: 1001F07E
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Current$ModuleProcessThread$AddressEnvironmentFileHandleLibraryLoadNameProcVariable
                                                            • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                            • API String ID: 2038349478-1119942076
                                                            • Opcode ID: 3085b684f60edff1ea06a2a9d1fb25d13c91472429b48e5bbd86dcae94c628da
                                                            • Instruction ID: 71b8cd9bc844cc77e9017699aebdfd02c943e1ee0e775d65e1301a321979a734
                                                            • Opcode Fuzzy Hash: 3085b684f60edff1ea06a2a9d1fb25d13c91472429b48e5bbd86dcae94c628da
                                                            • Instruction Fuzzy Hash: 7BE1172150C7C0C9E326C6788449B9FBFD56BE2748F084A5DE2D84B2D2CAFA9548C777
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • LocalAlloc.KERNEL32(00000040,00000400), ref: 10024D16
                                                            • WTSEnumerateSessionsA.WTSAPI32 ref: 10024D4B
                                                            • GetVersionExA.KERNEL32(?), ref: 10024D63
                                                              • Part of subcall function 10024BA0: WTSQuerySessionInformationW.WTSAPI32 ref: 10024BC4
                                                              • Part of subcall function 10024B60: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10024FE1,?,?,?), ref: 10024B7F
                                                              • Part of subcall function 10024C50: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024C70
                                                              • Part of subcall function 10024C50: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024C90
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025013
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025035
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025041
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002504A
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025056
                                                            • LocalSize.KERNEL32(00000000), ref: 10025064
                                                            • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10025072
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025083
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100250A1
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100250B7
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100250DF
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100250F5
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025116
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002512C
                                                            • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002514D
                                                            • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100251B0
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                            • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                            • API String ID: 3275454331-1820797497
                                                            • Opcode ID: 512c8c09abb20914a974feb7a69f25f4194ff3bed21d13211c357668d1175b34
                                                            • Instruction ID: ced0a7cd8939291dfede370197de797b1ec87b689ee5f2ff5d8d7ce58aa27297
                                                            • Opcode Fuzzy Hash: 512c8c09abb20914a974feb7a69f25f4194ff3bed21d13211c357668d1175b34
                                                            • Instruction Fuzzy Hash: D4E1053450C3C1CED321CB28C484B9FBBE1ABD6708F48495DE5C997292C7BA9909CB67
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: Exec
                                                            • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                            • API String ID: 459137531-3041118241
                                                            • Opcode ID: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                            • Instruction ID: 7bc06bb267aba25a745494efeaf4f4d644bd4b710169c1d4aeb2a62eee067a6f
                                                            • Opcode Fuzzy Hash: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                            • Instruction Fuzzy Hash: 08510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA825CC777
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 1000FC8C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000FC95
                                                            • LoadLibraryA.KERNEL32(?,.23L), ref: 1000FCDE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000FCE1
                                                            • GetTickCount.KERNEL32 ref: 1000FD3E
                                                            • sprintf.MSVCRT ref: 1000FD4F
                                                            • GetTickCount.KERNEL32 ref: 1000FD8C
                                                            • sprintf.MSVCRT ref: 1000FD9D
                                                            • lstrcatA.KERNEL32(?,?), ref: 1000FDB3
                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000FE19
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000FE20
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Similarity
                                                            • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                            • String ID: .$.23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$d$e$e$e$e$e$e$g$h$i$igu$m$n$o$p$p$r$s$t$t$t$u
                                                            • API String ID: 3729143920-1829843242
                                                            • Opcode ID: 9402d29da50352524f6b763b0796289ffa3b5b25d5d6425ff2022fa4742de74a
                                                            • Instruction ID: 55282dc3cc9c6f3091bb9dee585ade8c0c9599151ab4e95e52818a483b737261
                                                            • Opcode Fuzzy Hash: 9402d29da50352524f6b763b0796289ffa3b5b25d5d6425ff2022fa4742de74a
                                                            • Instruction Fuzzy Hash: 2A916C3110C3C09AE312CB68D848B9BBFD5ABA6718F084A5DF6D4462D2D7BA950CC773
                                                            APIs
                                                            • strstr.MSVCRT ref: 10013BB7
                                                            • strstr.MSVCRT ref: 10013BCA
                                                            • strstr.MSVCRT ref: 10013BDF
                                                            • strncpy.MSVCRT ref: 10013C2B
                                                            • _itoa.MSVCRT ref: 10013C71
                                                            • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013C8A
                                                            • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10013CB0
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013CBD
                                                            • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013CED
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013D00
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013D03
                                                            • sprintf.MSVCRT ref: 10013D2E
                                                            • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10013D66
                                                            • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10013D82
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013D93
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013D96
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013D99
                                                            • atol.MSVCRT ref: 10013DB2
                                                            • #823.MFC42(00000001,?,?), ref: 10013DC0
                                                            • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013DE8
                                                            • #825.MFC42(00000000), ref: 10013DF3
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013E02
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013E05
                                                            • InternetCloseHandle.WININET(?), ref: 10013E0C
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013E24
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013E27
                                                            • InternetCloseHandle.WININET(?), ref: 10013E2E
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E3E
                                                            • #823.MFC42(00000002), ref: 10013E4B
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E75
                                                            • #825.MFC42(00000000), ref: 10013E7C
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013E93
                                                            • #823.MFC42(00000001), ref: 10013E9F
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013ECA
                                                            • #825.MFC42(00000000), ref: 10013ED1
                                                            • #825.MFC42(00000000,00000000,00000000), ref: 10013EDF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                            • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                            • API String ID: 3684279964-3639289013
                                                            • Opcode ID: 43b28f445d12de6b51dca3b026b12fb88dd6911a0c5731b6068e7ceca8b0f273
                                                            • Instruction ID: eff3dda05ddc28161dea3254d15334048d7b53d27b74e66e9aa82dce39b07fe7
                                                            • Opcode Fuzzy Hash: 43b28f445d12de6b51dca3b026b12fb88dd6911a0c5731b6068e7ceca8b0f273
                                                            • Instruction Fuzzy Hash: B5D14876A043142BE310DA689C81FAB77D9EB84760F05463DFB09A72C1EB75ED0587A2
                                                            APIs
                                                            • #356.MFC42 ref: 10007AA2
                                                            • #540.MFC42 ref: 10007AB6
                                                            • #540.MFC42 ref: 10007AC7
                                                            • #540.MFC42 ref: 10007AD8
                                                            • #540.MFC42 ref: 10007AE9
                                                              • Part of subcall function 10008080: #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                              • Part of subcall function 10008080: #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                              • Part of subcall function 10008080: #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                              • Part of subcall function 10008080: #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                              • Part of subcall function 10008080: #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                              • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                              • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                              • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                              • Part of subcall function 10011E20: #537.MFC42(?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                              • Part of subcall function 10011E20: #940.MFC42(?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                              • Part of subcall function 10011E20: #535.MFC42(?,?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                              • Part of subcall function 10011E20: #800.MFC42(?,?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                            • #858.MFC42 ref: 10007B2F
                                                            • #800.MFC42 ref: 10007B40
                                                            • #537.MFC42(*.*), ref: 10007B59
                                                            • #922.MFC42(?,?,00000000,*.*), ref: 10007B6E
                                                            • #858.MFC42(00000000,?,?,00000000,*.*), ref: 10007B80
                                                            • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007B90
                                                            • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007BA1
                                                            • #2770.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BB1
                                                            • #2781.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BCF
                                                            • #4058.MFC42 ref: 10007BEF
                                                            • #858.MFC42(?), ref: 10007C01
                                                            • #858.MFC42(?,?), ref: 10007C0E
                                                            • #858.MFC42(?,?,?), ref: 10007C1B
                                                            • #3178.MFC42(?,?,?,?), ref: 10007C8A
                                                            • #922.MFC42(?,?,00000000,?,?,?,?), ref: 10007C9D
                                                            • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CAF
                                                            • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CBF
                                                            • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CD0
                                                            • #1980.MFC42 ref: 10007CED
                                                            • #858.MFC42(?), ref: 10007CF6
                                                            • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007D1E
                                                            • #922.MFC42(?,?,?), ref: 10007D2E
                                                            • #858.MFC42(00000000,?,?,?), ref: 10007D40
                                                            • #800.MFC42(00000000,?,?,?), ref: 10007D51
                                                            • #2770.MFC42(?,00000000,00000000,?,?,?), ref: 10007D61
                                                            • #2781.MFC42(?,00000000,00000000,?,?,?), ref: 10007D7F
                                                            • #4058.MFC42(?,00000000,00000000,?,?,?), ref: 10007D8C
                                                            • #4215.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007DAD
                                                            • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DC6
                                                            • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DE7
                                                            • #3310.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E22
                                                            • #3010.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E7F
                                                            • #3304.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007ED4
                                                            • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F33
                                                            • #800.MFC42(?,?,?,?,00000000,00000000,?,?,?), ref: 10007F58
                                                            • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F6A
                                                            • #941.MFC42(100FA614), ref: 10007F91
                                                            • #6883.MFC42(?,?), ref: 10007FA2
                                                            • #800.MFC42(?,?), ref: 10007FB3
                                                            • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007FE1
                                                            • #800.MFC42 ref: 10008015
                                                            • #800.MFC42 ref: 10008026
                                                            • #800.MFC42 ref: 10008037
                                                            • #800.MFC42 ref: 10008048
                                                            • #668.MFC42 ref: 1000805C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #800$#858$#3811$#540$#922$#2770#2781#3181#3324#4058#537Message$#1980#2614#3010#3178#3304#3310#356#4215#535#668#6883#860#940#941
                                                            • String ID: *.*$warning
                                                            • API String ID: 3130606840-3923866357
                                                            • Opcode ID: 4f67acd76e2cebd82d93b1b3dec2d55975eb3ce579b3b16a1e02d436e54f8952
                                                            • Instruction ID: 304227dce7dff40f71b552976d61285535047f6d1c22fa6e3a1e75c49f6bbd65
                                                            • Opcode Fuzzy Hash: 4f67acd76e2cebd82d93b1b3dec2d55975eb3ce579b3b16a1e02d436e54f8952
                                                            • Instruction Fuzzy Hash: 78026F745083818BE314DF24D891BABBBE4FF98784F44491DF98E43292DB74E949CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                            • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                            • API String ID: 4197004350-898277365
                                                            • Opcode ID: af84ebd2c84b67f2ad82d54c3dc5a8b5385d5a932885875513f8fc42dbb41d54
                                                            • Instruction ID: f50e1750530bd7c38a21cbd26136175774bc19f97d07c8ceb5943aba2f3331b5
                                                            • Opcode Fuzzy Hash: af84ebd2c84b67f2ad82d54c3dc5a8b5385d5a932885875513f8fc42dbb41d54
                                                            • Instruction Fuzzy Hash: 5D61496110C3C0DDE312D7A89848B8BBFD59BE6308F08499DF5C85B292D6BA961CC777
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32 ref: 10021C7B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021C88
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 10021C9C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021C9F
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 10021CEB
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021CEE
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 10021D62
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021D65
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 10021D75
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021D78
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 10021D88
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10021D8B
                                                            • Sleep.KERNEL32(0000000A), ref: 10021DA2
                                                            • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10021DC2
                                                            • #823.MFC42 ref: 10021DD3
                                                            • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 10021DE3
                                                            • GetCurrentProcessId.KERNEL32 ref: 10021DF7
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10021E0E
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 10021E19
                                                            • CloseHandle.KERNEL32(00000000), ref: 10021E20
                                                            • #825.MFC42(00000000), ref: 10021E39
                                                            • FreeConsole.KERNEL32 ref: 10021E4B
                                                            • Sleep.KERNEL32(0000000A), ref: 10021E53
                                                            • FreeConsole.KERNEL32 ref: 10021E59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                            • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                            • API String ID: 708691324-3966567685
                                                            • Opcode ID: 878c91d306d1d07f24af75e29f236feefdf36ffd89e7a14a512e11a22062ca6b
                                                            • Instruction ID: 0cba9a2fbee8219307cb2e54d0fd0b04a3cc954f3b70fe33f27552540b6111c1
                                                            • Opcode Fuzzy Hash: 878c91d306d1d07f24af75e29f236feefdf36ffd89e7a14a512e11a22062ca6b
                                                            • Instruction Fuzzy Hash: 29B1C2745083849BD720DF68CC84BDFBBE9AF99740F45491DF9849B281C7B5D900CBA2
                                                            APIs
                                                            • strstr.MSVCRT ref: 10013514
                                                            • strstr.MSVCRT ref: 10013527
                                                            • strstr.MSVCRT ref: 1001353C
                                                            • strncpy.MSVCRT ref: 10013588
                                                            • _itoa.MSVCRT ref: 100135CE
                                                            • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 100135E7
                                                            • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001360D
                                                            • InternetCloseHandle.WININET(00000000), ref: 1001361A
                                                            • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 1001364A
                                                            • InternetCloseHandle.WININET(00000000), ref: 1001365D
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013660
                                                            • sprintf.MSVCRT ref: 1001368B
                                                            • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100136C3
                                                            • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100136DF
                                                            • InternetCloseHandle.WININET(00000000), ref: 100136F0
                                                            • InternetCloseHandle.WININET(00000000), ref: 100136F3
                                                            • InternetCloseHandle.WININET(00000000), ref: 100136F6
                                                            • atol.MSVCRT ref: 1001370F
                                                            • #823.MFC42(00000001,?,?), ref: 1001371D
                                                            • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013745
                                                            • #825.MFC42(00000000), ref: 10013750
                                                            • InternetCloseHandle.WININET(00000000), ref: 1001375F
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013762
                                                            • InternetCloseHandle.WININET(?), ref: 10013769
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013781
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013784
                                                            • InternetCloseHandle.WININET(?), ref: 1001378B
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001379B
                                                            • #823.MFC42(00000002), ref: 100137A8
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100137D2
                                                            • #825.MFC42(00000000), ref: 100137D9
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100137F0
                                                            • #823.MFC42(00000001), ref: 100137FC
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013827
                                                            • #825.MFC42(00000000), ref: 1001382E
                                                            • #825.MFC42(00000000,00000000,00000000), ref: 1001383C
                                                            Strings
                                                            • , xrefs: 10013503
                                                            • skey=, xrefs: 10013521
                                                            • qun.qq.com, xrefs: 100134BB
                                                            • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10013685
                                                            • p_skey, xrefs: 100134FD
                                                            • /cgi-bin/qun_mgr/get_friend_list, xrefs: 100134DB
                                                            • POST, xrefs: 10013644
                                                            • bkn=, xrefs: 1001354D
                                                            • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 100134AF
                                                            • HTTP/1.1, xrefs: 1001363E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                            • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                            • API String ID: 3684279964-1003693118
                                                            • Opcode ID: 2fd75f7e1eac02ba5af79400a96c6a11af4f05bec23a8af2ee5e05fb2b04e6db
                                                            • Instruction ID: 1726e9f919d6e256d1a225630deb725c415909d895fb3ed4c6a6d5d6a11c0643
                                                            • Opcode Fuzzy Hash: 2fd75f7e1eac02ba5af79400a96c6a11af4f05bec23a8af2ee5e05fb2b04e6db
                                                            • Instruction Fuzzy Hash: 66A137726003147BE314DA388C41FAB7BDDFBC4320F04462AFA5AA72D0DEB4A9058B91
                                                            APIs
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 1000874C
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                            • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$open$r$r$r$s$t$t$v$w$w
                                                            • API String ID: 357481036-173339048
                                                            • Opcode ID: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                            • Instruction ID: 62c6768fbad568ce5c10012b5c7038ace00f099829c69d7c79d8b9aa64298da2
                                                            • Opcode Fuzzy Hash: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                            • Instruction Fuzzy Hash: 5591291410C3C0DDF356C668848871FBED6ABA668CF48598DB1C85B287C6BB961CC77B
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 10022196
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100221A3
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100221B1
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100221B8
                                                            • Sleep.KERNEL32(0000000A), ref: 10022207
                                                            • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10022227
                                                            • #823.MFC42 ref: 1002223C
                                                            • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1002224C
                                                            • GetCurrentProcessId.KERNEL32 ref: 1002226C
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10022283
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 10022292
                                                            • CloseHandle.KERNEL32(00000000), ref: 10022295
                                                            • #825.MFC42(00000000), ref: 100222C0
                                                            • FreeConsole.KERNEL32 ref: 100222CE
                                                            • Sleep.KERNEL32(0000000A), ref: 100222D6
                                                            • FreeConsole.KERNEL32 ref: 100222DC
                                                              • Part of subcall function 10010BA0: SetEvent.KERNEL32(?,100175B7), ref: 10010BA4
                                                            • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1002244F
                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10022493
                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100224B7
                                                            • CloseHandle.KERNEL32(00000000), ref: 100224C2
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                            • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                            • API String ID: 1461520672-3309419308
                                                            • Opcode ID: c57156cb95e1203a547479b3cde4d1d9c3c47fc1a88ba0ebb560782877134e6d
                                                            • Instruction ID: bfdec5e75494a08574483b28da0705cba7a20fe460fcae2c5ed76bdf1d5bb007
                                                            • Opcode Fuzzy Hash: c57156cb95e1203a547479b3cde4d1d9c3c47fc1a88ba0ebb560782877134e6d
                                                            • Instruction Fuzzy Hash: E4A12575600315ABE310EB64EC81FEB77D4FB84350F45062AFE45AB290DA35ED49CBA2
                                                            APIs
                                                            • InternetOpenA.WININET ref: 100138CF
                                                            • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100138F5
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013902
                                                            • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013932
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013945
                                                            • InternetCloseHandle.WININET(00000000), ref: 10013948
                                                            Strings
                                                            • qun.qq.com, xrefs: 10013878
                                                            • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001396D
                                                            • POST, xrefs: 1001392C
                                                            • /cgi-bin/qun_mgr/search_group_members, xrefs: 10013898
                                                            • , xrefs: 100138BC
                                                            • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001386F
                                                            • HTTP/1.1, xrefs: 10013926
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                            • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                            • API String ID: 3078302290-2376693140
                                                            • Opcode ID: 9dfb9fb1577a7cd6fe9e51823056cf945307475554e534517a8662ee3a9a0c54
                                                            • Instruction ID: 8f3cd531dc9e69a9ece614732de75352f0d3b7349c0a3009cb3be7765bcf2402
                                                            • Opcode Fuzzy Hash: 9dfb9fb1577a7cd6fe9e51823056cf945307475554e534517a8662ee3a9a0c54
                                                            • Instruction Fuzzy Hash: AF712B366443147BF310EB649C81FAB77DDFB84720F14462AF749A72D0DAB5AD0487A1
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 1002C2FF
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C308
                                                            • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C336
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C339
                                                            • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C349
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C34C
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                            • API String ID: 2574300362-3884860928
                                                            • Opcode ID: b4e03a2ef27085c4738474f54f627a63b347ddc6cb1258fad3e90b85cd48a67c
                                                            • Instruction ID: a5e24fee5181a110915c7054cf4814103008e522770561c974f272b67ace6fc0
                                                            • Opcode Fuzzy Hash: b4e03a2ef27085c4738474f54f627a63b347ddc6cb1258fad3e90b85cd48a67c
                                                            • Instruction Fuzzy Hash: A351817110C3C4AEE311DB789C84B9FBFD99BD5248F844A1DF28897282C679DA088767
                                                            APIs
                                                            • AttachConsole.KERNEL32(?), ref: 1000FEF3
                                                            • Sleep.KERNEL32(0000000A), ref: 1000FEFB
                                                            • AttachConsole.KERNEL32(?), ref: 1000FF05
                                                            • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000FF18
                                                            • #823.MFC42(00000000), ref: 1000FF29
                                                            • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000FF39
                                                            • GetCurrentProcessId.KERNEL32 ref: 1000FF43
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000FF6D
                                                            • #825.MFC42(00000000), ref: 1000FF7E
                                                            • FreeConsole.KERNEL32 ref: 1000FF8C
                                                            • Sleep.KERNEL32(0000000A), ref: 1000FF94
                                                            • FreeConsole.KERNEL32 ref: 1000FF9A
                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 1000FFA6
                                                            • CloseHandle.KERNEL32(?), ref: 10010006
                                                            • CloseHandle.KERNEL32(?), ref: 1001000E
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
                                                            • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10010050
                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10010077
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001007A
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10010087
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001008A
                                                            • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 100100C8
                                                            • CreateProcessA.KERNEL32(00000000,00000000), ref: 100100D1
                                                            • CloseHandle.KERNEL32(?), ref: 100100E4
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 100100FB
                                                            • CreateProcessA.KERNEL32 ref: 1001016C
                                                            • CloseHandle.KERNEL32(?), ref: 1001017F
                                                            • CloseHandle.KERNEL32(?), ref: 10010186
                                                            • ExitProcess.KERNEL32 ref: 1001018A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$Process$Service$Console$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                            • String ID: -inst$D$D
                                                            • API String ID: 2444995177-2453324352
                                                            • Opcode ID: b58b5ad2e4ba29a21afd164e912040691691b55c89c9781d0988a1b617f5dc1a
                                                            • Instruction ID: 2145560a9cd9b1a699febcb17bb47b4c1cc90ef60800b8c145967f045c9f6227
                                                            • Opcode Fuzzy Hash: b58b5ad2e4ba29a21afd164e912040691691b55c89c9781d0988a1b617f5dc1a
                                                            • Instruction Fuzzy Hash: 3781C271600316ABE310DB64CC84B7A77E5FF88790F054A2EFA49D7694DB74EC018BA5
                                                            APIs
                                                            • #535.MFC42(00000030,00000002,00000000,?,00000000), ref: 10011B2F
                                                            • #540.MFC42 ref: 10011B40
                                                            • #540.MFC42 ref: 10011B4E
                                                            • #6282.MFC42 ref: 10011B69
                                                            • #6283.MFC42 ref: 10011B72
                                                            • #941.MFC42(100FA644), ref: 10011B80
                                                            • #2784.MFC42(100FB4F0,100FA644), ref: 10011B8E
                                                            • #6662.MFC42(00000022,00000001,100FB4F0,100FA644), ref: 10011BB7
                                                            • #4278.MFC42(00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BD6
                                                            • #858.MFC42(00000000,00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BE5
                                                            • #4129.MFC42(?,00000000,100FB4F0,100FA644), ref: 10011C8B
                                                            • #858.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011C98
                                                            • #800.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011CA6
                                                            • #535.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CC2
                                                            • #858.MFC42(00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CFA
                                                            • #858.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D07
                                                            • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D10
                                                            • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D19
                                                            • #5710.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D32
                                                            • #858.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D41
                                                            • #800.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D4F
                                                            • #6282.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D58
                                                            • #2784.MFC42(100FB4F0,00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D66
                                                            • #535.MFC42(?,?,100FB4F0,100FA644), ref: 10011D8D
                                                            • #858.MFC42(00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DC5
                                                            • #858.MFC42(00000022,00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DD2
                                                            • #800.MFC42(100FB4F0,100FA644), ref: 10011DE8
                                                            • #800.MFC42(100FB4F0,100FA644), ref: 10011DF6
                                                            • #800.MFC42(100FB4F0,100FA644), ref: 10011E07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #858$#800$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                            • String ID: /
                                                            • API String ID: 2746067309-2043925204
                                                            • Opcode ID: 4d02ad2dda31395fe344d36b8a07876bfc3ebcbc3dbbd7a04eb98e052e7c3377
                                                            • Instruction ID: 647f48d1e0641d8c9fe4ee8137aadab8b8d3a159c4f7fc18a10d90f83d3cba4c
                                                            • Opcode Fuzzy Hash: 4d02ad2dda31395fe344d36b8a07876bfc3ebcbc3dbbd7a04eb98e052e7c3377
                                                            • Instruction Fuzzy Hash: A991B175108381ABC344EF24D891AAFB7E5EF98614F804A4DF4A657292DB30FE49CB52
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                            • LoadLibraryA.KERNEL32 ref: 10001792
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                            • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                            • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                            • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                            • API String ID: 2574300362-3155383694
                                                            • Opcode ID: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                            • Instruction ID: ccfd42d412a131656b4a3d3b70f2aa919a29a5acdd925cac9141545cb71d5cde
                                                            • Opcode Fuzzy Hash: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                            • Instruction Fuzzy Hash: 4341C06050C384AAE310DBB98C48B8BBFD8AFD6758F040A1DF5C497281C679D648CB77
                                                            APIs
                                                              • Part of subcall function 1001B770: GetModuleHandleA.KERNEL32(?,756E83C0,1001F2E6), ref: 1001B776
                                                              • Part of subcall function 1001B770: LoadLibraryA.KERNEL32(?), ref: 1001B781
                                                              • Part of subcall function 1001B770: GetProcAddress.KERNEL32(00000000,?), ref: 1001B791
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001EB5A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                            • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                            • API String ID: 1380958172-3142711299
                                                            • Opcode ID: fcc9044b13eed674203501b7bd0f7cbe3581eae877d740a2f75d5a09b2cf438f
                                                            • Instruction ID: a6549c33c9e6bc6c5cecfacfaeea39159a2750a35719cbcd41e84f017a23f134
                                                            • Opcode Fuzzy Hash: fcc9044b13eed674203501b7bd0f7cbe3581eae877d740a2f75d5a09b2cf438f
                                                            • Instruction Fuzzy Hash: 6771282014C3C0DDE352C6A88888B5FFFD55BA6748F48499DF2C81B292C2FA9548C77B
                                                            APIs
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF,?,10021241), ref: 10020D5A
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF,?,10021241), ref: 10020D6D
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF,?,10021241), ref: 10020D8A
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020DB0
                                                            • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(1011FA64,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020DED
                                                            • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020E16
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020E2A
                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020E45
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020E61
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020E79
                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62), ref: 10020E91
                                                            • Sleep.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020E9E
                                                            • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020EC0
                                                            • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020EF3
                                                            • MessageBoxA.USER32(00000000,1011FA28,1011FA38,00000000), ref: 10020F15
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020F24
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098D62,000000FF), ref: 10020F36
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$File$#825Virtual$?find@?$basic_string@AllocCloseCreateEos@?$basic_string@FreeGrow@?$basic_string@HandleMessageReadSizeSleep
                                                            • String ID: C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM
                                                            • API String ID: 954268177-2491561334
                                                            • Opcode ID: f2c6a7d4d83006e196abfd0874bf1d15a567db5e017f2dcf4dd599ed08b6404e
                                                            • Instruction ID: 238521246eb2069c44085843fb136032ec86eadfc5f656279619795ee96e9c21
                                                            • Opcode Fuzzy Hash: f2c6a7d4d83006e196abfd0874bf1d15a567db5e017f2dcf4dd599ed08b6404e
                                                            • Instruction Fuzzy Hash: AC912235941354ABEB14CBA4EC88BEDBBB5FF19711F580259F80A772C1CBB50A81CB61
                                                            APIs
                                                            • _access.MSVCRT ref: 10021107
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10021145
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1002116D
                                                            • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt,?,?,00000001), ref: 100211A7
                                                            • #825.MFC42(?,?,00000001), ref: 100211E4
                                                            • #825.MFC42(?), ref: 10021220
                                                            • Sleep.KERNEL32(000000C8), ref: 1002122D
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021269
                                                            • ShellExecuteExA.SHELL32 ref: 100212B0
                                                            • GetLastError.KERNEL32 ref: 100212B6
                                                            • exit.MSVCRT ref: 100212BF
                                                            • _access.MSVCRT ref: 100212F6
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002132E
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021354
                                                            • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt,?,?,00000001), ref: 10021386
                                                            • Sleep.KERNEL32(000000C8), ref: 100213F6
                                                            • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021411
                                                            • MessageBoxA.USER32(00000000,1011FA28,1011FA38,00000000), ref: 1002142C
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 10021438
                                                            • MessageBoxA.USER32(00000000,1011FA14,1011FA38,00000000), ref: 10021453
                                                            • CloseHandle.KERNEL32(00000000), ref: 100214FA
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$File$#825?assign@?$basic_string@Eos@?$basic_string@Grow@?$basic_string@MessageSleepV12@_access$CloseCreateErrorExecuteHandleLastModuleNameShellSizeexit
                                                            • String ID: <$C:\Users\Public\Documents\MM\4.txt$C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt$runas
                                                            • API String ID: 183133943-109662193
                                                            • Opcode ID: 39a72407e559918f87e3841f29f92c66cbec9c3c3bd1a5eb4ceef9050ec44bb2
                                                            • Instruction ID: bc38ef4fa157f196bbb469f13d0e7c9f2d749cb485af78ea9e36dcfc105ccbc4
                                                            • Opcode Fuzzy Hash: 39a72407e559918f87e3841f29f92c66cbec9c3c3bd1a5eb4ceef9050ec44bb2
                                                            • Instruction Fuzzy Hash: 05A13478908344AFD710CF68EC84BEEBBE5FB58710F84062DF459A7291CB348A09CB65
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(1012C618), ref: 1002382C
                                                            • LeaveCriticalSection.KERNEL32(1012C618), ref: 10023844
                                                            • malloc.MSVCRT ref: 1002385D
                                                            • malloc.MSVCRT ref: 10023866
                                                            • malloc.MSVCRT ref: 1002386F
                                                            • recv.WS2_32 ref: 100238D6
                                                            • send.WS2_32 ref: 10023956
                                                            • getpeername.WS2_32(?,?,?), ref: 1002398B
                                                            • inet_addr.WS2_32(00000000), ref: 10023998
                                                            • inet_addr.WS2_32(00000000), ref: 100239B2
                                                            • htons.WS2_32(?), ref: 100239BD
                                                            • send.WS2_32 ref: 100239FF
                                                            • CreateThread.KERNEL32(00000000,00000000,10023E10,?,00000000,?), ref: 10023A3E
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10023A4F
                                                              • Part of subcall function 100235E0: htons.WS2_32 ref: 10023603
                                                              • Part of subcall function 100235E0: inet_addr.WS2_32(?), ref: 10023619
                                                              • Part of subcall function 100235E0: inet_addr.WS2_32(?), ref: 10023637
                                                              • Part of subcall function 100235E0: socket.WS2_32(00000002,00000001,00000006), ref: 10023643
                                                              • Part of subcall function 100235E0: setsockopt.WS2_32 ref: 1002366E
                                                              • Part of subcall function 100235E0: connect.WS2_32(?,?,00000010), ref: 1002367E
                                                              • Part of subcall function 100235E0: closesocket.WS2_32 ref: 1002368C
                                                            • send.WS2_32(?,?,00000008,00000000), ref: 10023AA0
                                                            • CreateThread.KERNEL32(00000000,00000000,10024070,?,00000000,?), ref: 10023ACD
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 10023ADA
                                                              • Part of subcall function 100233D0: gethostbyname.WS2_32(?), ref: 100233D5
                                                            • closesocket.WS2_32(00000000), ref: 10023AE9
                                                            • closesocket.WS2_32(?), ref: 10023AEF
                                                            • free.MSVCRT ref: 10023AF8
                                                            • free.MSVCRT ref: 10023AFB
                                                            • free.MSVCRT ref: 10023B02
                                                            • free.MSVCRT ref: 10023B05
                                                              • Part of subcall function 10022F50: EnterCriticalSection.KERNEL32(1012C618), ref: 10022F7A
                                                              • Part of subcall function 10022F50: LeaveCriticalSection.KERNEL32(1012C618), ref: 10022F92
                                                              • Part of subcall function 10022F50: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 1002302E
                                                              • Part of subcall function 10022F50: CreateThread.KERNEL32(00000000,00000000,10024070,?,00000000,?), ref: 100230CC
                                                              • Part of subcall function 10022F50: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 100230D9
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                            • String ID: [
                                                            • API String ID: 3942976521-784033777
                                                            • Opcode ID: 2427c5f0da47fbecbf070876617898e8600c96f0692c4232763311befc37dfae
                                                            • Instruction ID: 07a00f0ea427c4c544767b011a022438ace30577b50b5d9723d7c152a930896a
                                                            • Opcode Fuzzy Hash: 2427c5f0da47fbecbf070876617898e8600c96f0692c4232763311befc37dfae
                                                            • Instruction Fuzzy Hash: 7881D470508340AFE310CB65DC85B5BBBE8EFC8754F544A2EF99993290E775E844CB62
                                                            APIs
                                                            • InternetOpenA.WININET(DownloadApp,00000001,00000000,00000000,00000000), ref: 1002093B
                                                            • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCFA3D8,1011F9D0,?,?,1002139D,?,00000001,?,?,00000001), ref: 10020956
                                                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,80000000,00000000), ref: 10020981
                                                            • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCFA3D8,1011F9C0,?,?,?,1002139D,?,00000001,?,?,00000001), ref: 1002099A
                                                            • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(00000000,?,00000001), ref: 100209A4
                                                            • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 100209AA
                                                            • InternetCloseHandle.WININET(00000000), ref: 100209B4
                                                            • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 10020AC0
                                                            Strings
                                                            • DownloadApp, xrefs: 10020936
                                                            • https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt, xrefs: 1002092D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@D@std@@@0@InternetV10@$?endl@std@@D@std@@@1@OpenV21@@$CloseD@2@@0@@D@std@@HandleV?$allocator@V?$basic_string@
                                                            • String ID: DownloadApp$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt
                                                            • API String ID: 2470020359-683255975
                                                            • Opcode ID: 9f47b7f33a6b26c7171fb3550f45e193d16c768e7dbac83145312b92eb1a2f70
                                                            • Instruction ID: 772115394fb24ad481563c78ceab3989218d8d669b442eaadccbeb1eb6aa8a1f
                                                            • Opcode Fuzzy Hash: 9f47b7f33a6b26c7171fb3550f45e193d16c768e7dbac83145312b92eb1a2f70
                                                            • Instruction Fuzzy Hash: 5B41E239600315BBF220EBB4DC89FEB37ECFB44B55F480629FE08A6191D674B9048B65
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,756EF550), ref: 100015B9
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,756EF550), ref: 100015D2
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,756EF550), ref: 100015E5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,756EF550), ref: 100015F8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,756EF550), ref: 10001609
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,756EF550), ref: 1000161C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,756EF550), ref: 1000162F
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                            • API String ID: 2574300362-1356117283
                                                            • Opcode ID: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                            • Instruction ID: 9f0f930b95cd2c35929b0060be92cf7d2e31dda6e2d7e4543e4cf746f9a0d286
                                                            • Opcode Fuzzy Hash: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                            • Instruction Fuzzy Hash: 97414CB5900308ABDB10EFA5DC88E9BBBA8EF89350F15095AFA4497201D739E545CBA1
                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                            • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                            • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Global$AllocFreeLock
                                                            • String ID:
                                                            • API String ID: 1811133220-0
                                                            • Opcode ID: 5e54843c9817928c5e705316c6c390411e2af32c76db5adf9f94e81ad4a0cb59
                                                            • Instruction ID: d94549fb20f52d3ef201752acad279a48340a4a35218a83979323bbbd391c09a
                                                            • Opcode Fuzzy Hash: 5e54843c9817928c5e705316c6c390411e2af32c76db5adf9f94e81ad4a0cb59
                                                            • Instruction Fuzzy Hash: 4171C1B6610301ABD314CF54CC89F9AB3B4FF54714F569608E608AF2B1E3B4E549C7AA
                                                            APIs
                                                            • _access.MSVCRT ref: 100212F6
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002132E
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021354
                                                            • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt,?,?,00000001), ref: 10021386
                                                            • #825.MFC42(?,?,00000001), ref: 100213BC
                                                            • #825.MFC42(?,?,00000001), ref: 100213E9
                                                            • Sleep.KERNEL32(000000C8), ref: 100213F6
                                                            • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021411
                                                            • MessageBoxA.USER32(00000000,1011FA28,1011FA38,00000000), ref: 1002142C
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 10021438
                                                            • MessageBoxA.USER32(00000000,1011FA14,1011FA38,00000000), ref: 10021453
                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021468
                                                            • MessageBoxA.USER32(00000000,1011FA04,1011FA38,00000000), ref: 10021485
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021494
                                                            • CloseHandle.KERNEL32(00000000), ref: 100214A4
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100214BC
                                                            • CloseHandle.KERNEL32(00000000), ref: 100214FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@2@@std@@D@std@@FileMessageU?$char_traits@V?$allocator@$#825CloseHandleVirtual$?assign@?$basic_string@AllocCreateEos@?$basic_string@FreeGrow@?$basic_string@ReadSizeSleepV12@_access
                                                            • String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1730714903137/7.txt$runas
                                                            • API String ID: 1859234541-1525914491
                                                            • Opcode ID: acd2ca1350b032822eaf0751f6ceebcb2c0726178aa9629ce790e1d1e696e350
                                                            • Instruction ID: 602b6ab2c74dcc299a00c9cfdc96bae2169386d58755e01b72a549dcedfa5556
                                                            • Opcode Fuzzy Hash: acd2ca1350b032822eaf0751f6ceebcb2c0726178aa9629ce790e1d1e696e350
                                                            • Instruction Fuzzy Hash: 8F614779A05654ABE714CBA8EC89FDDBBB4FF28721F500229F909B72C0CB740A41C764
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseDeleteOpenstrncmpwsprintf
                                                            • String ID: 00000$00000%s$D$S$S$U$a$e$i$m$n$n$o$o$r$t$u
                                                            • API String ID: 3243141281-189977666
                                                            • Opcode ID: 59f4722b54c83d2fe459e2bd7200169768e4c382ee7c615d3bd72ce5bcaf225b
                                                            • Instruction ID: 90596805fe39596e3a2cf3135c9e9605e9dae767a48cf678667b98a5b42f4500
                                                            • Opcode Fuzzy Hash: 59f4722b54c83d2fe459e2bd7200169768e4c382ee7c615d3bd72ce5bcaf225b
                                                            • Instruction Fuzzy Hash: F1318F2500D3C0AEE302C7388888A9FBFD15FB6648F480A5DF4D867292D2A6C64CC777
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                            • LoadLibraryA.KERNEL32 ref: 10005386
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                            • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                            • API String ID: 2574300362-2447002180
                                                            • Opcode ID: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                            • Instruction ID: 223027d79037198c63e6ca2b5f055af27ccc184e3b8335a544396f1f5ed8738e
                                                            • Opcode Fuzzy Hash: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                            • Instruction Fuzzy Hash: D631A472108385AED300DB68DC44AEFBFD8EFD5255F440A5EF58482241D7A9D60C8BB3
                                                            APIs
                                                            • OpenProcess.KERNEL32(0000002A,00000000,?,00000000,00000000,?,?,?,?,10027250,?,00000000,?), ref: 1002710E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: OpenProcess
                                                            • String ID: .$2$3$F$L$a$b$d$i$k$n$y
                                                            • API String ID: 3743895883-2751716537
                                                            • Opcode ID: 553d65fc137b751cb6cb6b8dc665134b43379b41e3ffb632e619e221a7e1c3ba
                                                            • Instruction ID: 6de002183d80816ce803221f1ee2d96760055986d888ef01207debe37e1c619d
                                                            • Opcode Fuzzy Hash: 553d65fc137b751cb6cb6b8dc665134b43379b41e3ffb632e619e221a7e1c3ba
                                                            • Instruction Fuzzy Hash: 56313A2500D3D19AE312DB2C9848BCFBFD46FA2654F48498DF5C857392C2A9864DC7B7
                                                            APIs
                                                            • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10008140
                                                            • #5186.MFC42 ref: 1000815A
                                                            • #665.MFC42 ref: 1000816F
                                                            • #540.MFC42(?), ref: 1000818F
                                                            • #537.MFC42(?,?), ref: 1000819E
                                                            • #4204.MFC42(?,?), ref: 100081DA
                                                            • #2915.MFC42(00000080,?,?), ref: 100081EA
                                                            • #5442.MFC42(00000000,?,00000080,?,?), ref: 10008231
                                                            • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10008240
                                                            • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000824B
                                                            • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10008254
                                                            • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10008262
                                                            • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 100082AA
                                                            • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100082C2
                                                            • #800.MFC42 ref: 100082D0
                                                            • #800.MFC42 ref: 100082DE
                                                            • #665.MFC42 ref: 100082EF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                            • String ID: $warning
                                                            • API String ID: 2155908909-2294955047
                                                            • Opcode ID: bc36ce501918015492f4d8f1cec40db50ce3a2175822b01bcad499b011199ee3
                                                            • Instruction ID: 573f96e075a40df3cd0b7109c62d0763f4c54ed71cd520394fb4cf0384accd91
                                                            • Opcode Fuzzy Hash: bc36ce501918015492f4d8f1cec40db50ce3a2175822b01bcad499b011199ee3
                                                            • Instruction Fuzzy Hash: 1A51EE351083419BD318EF28D891B9BB3E1FFD4750F800A1EF99693291DB31AE09CB52
                                                            APIs
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E594
                                                            • GetLocalTime.KERNEL32(?), ref: 1001E5DE
                                                            • sprintf.MSVCRT ref: 1001E6A9
                                                            • WriteFile.KERNEL32 ref: 1001E6FE
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001E705
                                                              • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                              • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                              • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                              • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFileLibraryLoadProc$CloseCreateHandleLocalTimeWritesprintf
                                                            • String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                            • API String ID: 694383593-1605913938
                                                            • Opcode ID: e94273db48bcc63dfd0305491c12f24f9e76bc467e22666e40ccf8b87783fad1
                                                            • Instruction ID: 1cb23e82a4cf19cd3d7ec87f0f4dfbe2f84414d537df6f42aae5f219f0da0f74
                                                            • Opcode Fuzzy Hash: e94273db48bcc63dfd0305491c12f24f9e76bc467e22666e40ccf8b87783fad1
                                                            • Instruction Fuzzy Hash: 52516E7110D3C09EE311CB28C844B9BBFD5ABEA308F484A5DF5D967292C6B59608CB67
                                                            APIs
                                                              • Part of subcall function 10007940: #541.MFC42(?,?,?,10097E4B,000000FF), ref: 10007960
                                                              • Part of subcall function 10007940: #540.MFC42(?,?,?,10097E4B,000000FF), ref: 10007970
                                                            • #540.MFC42(?,?,00000000,00000065), ref: 10009F4E
                                                            • #540.MFC42 ref: 10009F5F
                                                            • #540.MFC42 ref: 10009F70
                                                            • #2614.MFC42 ref: 10009F81
                                                            • #860.MFC42(*.*), ref: 10009F8F
                                                            • #3811.MFC42(?,*.*), ref: 10009FB5
                                                            • #3811.MFC42(?,?,*.*), ref: 10009FC5
                                                            • #3811.MFC42(?,?,?,*.*), ref: 10009FD5
                                                            • #3811.MFC42(?,?,?,?,*.*), ref: 10009FE5
                                                            • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009FF5
                                                            • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 1000A005
                                                            • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 1000A033
                                                            • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 1000A04A
                                                            • #860.MFC42(?,?,00000000,00000065), ref: 1000A097
                                                            • #800.MFC42 ref: 1000A0D2
                                                            • #800.MFC42 ref: 1000A0E3
                                                            • #800.MFC42 ref: 1000A0F3
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #3811$#540$#800#860$#2614#2818#541
                                                            • String ID: *%s*$*.*
                                                            • API String ID: 185796673-1558234275
                                                            • Opcode ID: f892f6581a5d618ac3fc4adc2263c9f386f8b43d0954c79cc1685d3a2c1e4657
                                                            • Instruction ID: 1d36ae10ac9226dbcb551fd66cc226da634c3b70f1a5a9bdcddfb0912b060527
                                                            • Opcode Fuzzy Hash: f892f6581a5d618ac3fc4adc2263c9f386f8b43d0954c79cc1685d3a2c1e4657
                                                            • Instruction Fuzzy Hash: 175136754083818FD724DF64D495AABF7E4FFD9700F804A1EB599432A1DB74A909CB23
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                            • LoadLibraryA.KERNEL32 ref: 100013A4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,756EF550), ref: 100015B9
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,756EF550), ref: 100015D2
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,756EF550), ref: 100015E5
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,756EF550), ref: 100015F8
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,756EF550), ref: 10001609
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,756EF550), ref: 1000161C
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                              • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,756EF550), ref: 1000162F
                                                              • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                            • API String ID: 2574300362-1789360232
                                                            • Opcode ID: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                            • Instruction ID: 6d0500b828a3b4bacedf277e9e204f21e6ad90e68e93e0fee001a8a00f1ea147
                                                            • Opcode Fuzzy Hash: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                            • Instruction Fuzzy Hash: 7531C26110C3C08ED301DA6D9840B9BFFD59FA6658F090A9EE5C857343C6AAD61CC7BB
                                                            APIs
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,00000001,00000001), ref: 1000724A
                                                            • LocalAlloc.KERNEL32(00000040,00000400), ref: 100072B9
                                                            • GetFileAttributesA.KERNEL32(?), ref: 100072C9
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100072F2
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 10007301
                                                            • malloc.MSVCRT ref: 1000730E
                                                            • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 10007335
                                                            • CloseHandle.KERNEL32(?), ref: 10007342
                                                            • free.MSVCRT ref: 10007378
                                                            • lstrlenA.KERNEL32(?), ref: 100073F9
                                                            • lstrlenA.KERNEL32(?), ref: 10007418
                                                            • lstrlenA.KERNEL32(?), ref: 10007427
                                                            • lstrlenA.KERNEL32(?), ref: 10007449
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10007457
                                                            • lstrlenA.KERNEL32(?), ref: 10007476
                                                            • lstrlenA.KERNEL32(?), ref: 10007493
                                                            • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 100074A0
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateFolderHandlePathReadSizeSpecialfreemalloc
                                                            • String ID: Version
                                                            • API String ID: 2101459175-1889659487
                                                            • Opcode ID: 0280d1f75b3d294606686582b3f93d279ce1841275f3ddc2eb50ba5b840fe164
                                                            • Instruction ID: d1f3f0dc8fc9b9b53c20101b37f9b223ccb059b074b6f153d398129dd00f1bbe
                                                            • Opcode Fuzzy Hash: 0280d1f75b3d294606686582b3f93d279ce1841275f3ddc2eb50ba5b840fe164
                                                            • Instruction Fuzzy Hash: 1C61F5756002045BE728DB38CC89BEB3795FB88310F584B2DFE1ADB2D1DB74AA04C660
                                                            APIs
                                                            • #2614.MFC42(00000000,?), ref: 100110F5
                                                            • #2614.MFC42(00000000,?), ref: 100110FD
                                                            • #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                            • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                              • Part of subcall function 10012190: #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                            • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                            • PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                            • #860.MFC42(00000000), ref: 1001117C
                                                            • PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                            • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                            • _splitpath.MSVCRT ref: 100111C5
                                                            • #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                            • #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                            • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                            • #858.MFC42 ref: 10011237
                                                            • #800.MFC42 ref: 1001124A
                                                            • #941.MFC42(?), ref: 10011259
                                                            • #858.MFC42 ref: 1001127E
                                                            • #800.MFC42 ref: 1001128E
                                                            • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112A0
                                                            • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112BE
                                                            • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112C7
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                            • String ID:
                                                            • API String ID: 2691293456-0
                                                            • Opcode ID: ad4ba05cb4cf273c54000dec94025902908c101b9e94463766894f687b4f5cd8
                                                            • Instruction ID: 09918bf75e6a7370958a89e2eda3bfd81bbd99dd26f795f1d9b1f813c9c8949d
                                                            • Opcode Fuzzy Hash: ad4ba05cb4cf273c54000dec94025902908c101b9e94463766894f687b4f5cd8
                                                            • Instruction Fuzzy Hash: 1651D1792042419BC728EF64D895FEEB7E9EF88700F40461DF956872D1DF70AA09CB92
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 1000590A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                            • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                            • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                            • free.MSVCRT ref: 10005993
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$free
                                                            • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                            • API String ID: 1540231353-1695543321
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                            • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                            • API String ID: 321629408-3882932831
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                            • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                            • RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Value$AddressDeleteLibraryLoadProc
                                                            • String ID: A$ADVAPI32.dll$E$ExA$K$RegCrkat$RegOpenKeyExA$x$y
                                                            • API String ID: 839562100-350676929
                                                            APIs
                                                            • #540.MFC42 ref: 1000A14F
                                                            • #540.MFC42 ref: 1000A163
                                                            • #860.MFC42(00000000), ref: 1000A1B1
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 10011005
                                                              • Part of subcall function 10010FD0: #825.MFC42(?), ref: 10011044
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 1001105A
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 10011067
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 10011074
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 10011081
                                                              • Part of subcall function 10010FD0: #801.MFC42 ref: 1001108E
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 1001109B
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 100110A8
                                                              • Part of subcall function 10010FD0: #800.MFC42 ref: 100110B8
                                                            • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000A1DA
                                                            • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000A1ED
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 1000A1FD
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000A20B
                                                            • PathFindFileNameA.SHLWAPI(?), ref: 1000A216
                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 1000A225
                                                            • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 1000A233
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 1000A243
                                                            • wsprintfA.USER32 ref: 1000A276
                                                            • #823.MFC42(0000022E), ref: 1000A281
                                                            • Sleep.KERNEL32(0000000A), ref: 1000A2B1
                                                            • #800.MFC42 ref: 1000A2C5
                                                            • #800.MFC42 ref: 1000A2D9
                                                              • Part of subcall function 10011EC0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098958,000000FF,1000A1AC), ref: 10011EF8
                                                              • Part of subcall function 10011EC0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098958,000000FF,1000A1AC), ref: 10011F09
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                            • String ID: %d-%d-%d
                                                            • API String ID: 4162832437-1067691376
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32 ref: 1001A292
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1001A299
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                            • API String ID: 1646373207-3978980583
                                                            APIs
                                                            • LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                              • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                              • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                              • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                            • GetDesktopWindow.USER32 ref: 10018B62
                                                            • GetDC.USER32(00000000), ref: 10018B6F
                                                            • GetTickCount.KERNEL32 ref: 10018B83
                                                            • GetSystemMetrics.USER32(00000000), ref: 10018BAD
                                                            • GetSystemMetrics.USER32(00000001), ref: 10018BB4
                                                            • CreateCompatibleDC.GDI32(?), ref: 10018BD2
                                                            • CreateCompatibleDC.GDI32(?), ref: 10018BDB
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 10018BE4
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 10018BEA
                                                            • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10018C49
                                                            • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 10018C5A
                                                            • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 10018C6E
                                                            • SelectObject.GDI32(?,?), ref: 10018C84
                                                            • SelectObject.GDI32(?,?), ref: 10018C8E
                                                            • SelectObject.GDI32(?,?), ref: 10018C9E
                                                            • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 10018CAE
                                                            • #823.MFC42(00000002), ref: 10018CBD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$#823CountCursorLoadRectReleaseTick
                                                            • String ID:
                                                            • API String ID: 704209761-0
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • #4202.MFC42(00000000), ref: 1000BC03
                                                            • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • #4202.MFC42 ref: 1000BC35
                                                            • #5572.MFC42(000000FF), ref: 1000BC78
                                                            • #800.MFC42(000000FF), ref: 1000BC88
                                                            • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • #800.MFC42 ref: 1000BCC0
                                                            • OpenProcess.KERNEL32(00000001,00000000,00000128), ref: 1000BCE7
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000BCF1
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000BCF8
                                                            • #5572.MFC42(000000FF), ref: 1000BD04
                                                            • #5572.MFC42(000000FF,000000FF), ref: 1000BD12
                                                            • #800.MFC42(000000FF,000000FF), ref: 1000BD22
                                                            • #800.MFC42(000000FF,000000FF), ref: 1000BD39
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #5572#800$Process32$#4202NextProcess$#537CloseCreateFirstHandleOpenSnapshotTerminateToolhelp32
                                                            • String ID:
                                                            • API String ID: 1944864456-0
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32 ref: 1001D9BD
                                                            • strrchr.MSVCRT ref: 1001D9D3
                                                            • strrchr.MSVCRT ref: 1001DA14
                                                            • isdigit.MSVCRT ref: 1001DA4C
                                                            • memmove.MSVCRT(?,?), ref: 1001DA6D
                                                            • atoi.MSVCRT(?), ref: 1001DAA5
                                                            • sprintf.MSVCRT ref: 1001DAC9
                                                              • Part of subcall function 1001D590: GetFileAttributesA.KERNEL32(?,1001DAD8,?), ref: 1001D595
                                                            • sprintf.MSVCRT ref: 1001DAF3
                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 1001DB23
                                                            • CloseHandle.KERNEL32(00000000), ref: 1001DB33
                                                            • printf.MSVCRT ref: 1001DB46
                                                            • printf.MSVCRT ref: 1001DB60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$printfsprintfstrrchr$AttributesCloseCreateHandleModuleNameatoiisdigitmemmove
                                                            • String ID: At least one INI file in range 1 to 30 already exists.$C:\ProgramData\%d.ini$INI file path: %s
                                                            • API String ID: 584443958-3437802155
                                                            • Opcode ID: 22d86504b4a42b771204476c1d46dadd20afe575c92426712dfbf12762b6d878
                                                            • Instruction ID: c41af4925fa720694f9b13fee1b4910b4dbd4703d0f1eafa1d1e852749128f17
                                                            • Opcode Fuzzy Hash: 22d86504b4a42b771204476c1d46dadd20afe575c92426712dfbf12762b6d878
                                                            • Instruction Fuzzy Hash: DE4145761043141BE324E7389C85BDB37D8FB84321F440E29FA5AD70D1EBB5E68882A6
                                                            APIs
                                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10029684
                                                            • GetCurrentProcess.KERNEL32(?), ref: 1002968F
                                                            • IsWow64Process.KERNEL32(00000000), ref: 10029696
                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 100296E1
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 100296FB
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 1002970B
                                                            • LocalAlloc.KERNEL32(00000040,00000002), ref: 10029719
                                                            • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 1002972E
                                                            • LocalFree.KERNEL32(00000000), ref: 10029739
                                                            • CloseHandle.KERNEL32(00000000), ref: 10029740
                                                            • CloseHandle.KERNEL32(00000000), ref: 10029751
                                                            • LocalSize.KERNEL32(00000000), ref: 1002975B
                                                            • LocalFree.KERNEL32(00000000), ref: 1002976D
                                                            Strings
                                                            • \system32\drivers\etc\hosts, xrefs: 100296AD
                                                            • \sysnative\drivers\etc\hosts, xrefs: 100296A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                            • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                            • API String ID: 2528494210-1011561390
                                                            • Opcode ID: 194237634a0797fa8b2a53bb9ec8395ea3908fb63e6595033f5a6c6e2728025e
                                                            • Instruction ID: c70c7175c5034d58a9bea82fbbf15c4c5073213587ef2284f533c3eddb7395db
                                                            • Opcode Fuzzy Hash: 194237634a0797fa8b2a53bb9ec8395ea3908fb63e6595033f5a6c6e2728025e
                                                            • Instruction Fuzzy Hash: 4331E6351002106BE3149F78DC89FEB77A8FB88321F044B29F75A962D0DBB495058761
                                                            APIs
                                                            • CreatePipe.KERNEL32 ref: 10020B82
                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 10020BFD
                                                            • CloseHandle.KERNEL32(?), ref: 10020C0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$CloseHandlePipeProcess
                                                            • String ID: D$schtasks /Query /TN MM
                                                            • API String ID: 1262542551-2635328053
                                                            • Opcode ID: b5a89ca4bfc6f5d51deaeab266823e865db3361f2897898df2e6768b4b262c86
                                                            • Instruction ID: d5a387f826d0a1cb60221ed31df167b559f9e4ef071797d454a46453442726d2
                                                            • Opcode Fuzzy Hash: b5a89ca4bfc6f5d51deaeab266823e865db3361f2897898df2e6768b4b262c86
                                                            • Instruction Fuzzy Hash: 6051DF75204351AFE710CF28D884AEFBBE6FF88740F944A1EF98987281D77199448B92
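The three functions above leave host artifacts that can be checked directly: the `C:\ProgramData\%d.ini` slot files (the string "At least one INI file in range 1 to 30 already exists." fixes the range, and the `CreateFileA` call uses `GENERIC_WRITE` with `CREATE_NEW`, so the sample claims the first free slot), the scheduled task queried with `schtasks /Query /TN MM`, and the `drivers\etc\hosts` file, which the sample resets to `FILE_ATTRIBUTE_NORMAL` and opens through `\sysnative\` when it is running as a 32-bit process under WOW64. The following PowerShell triage script is an added example, not part of the Joe Sandbox report or of the sample; the indicator values are taken from the report strings, while the function name, the slot range parameter and the output layout are this script's own choices.

```powershell
# Added host-triage example (not report or sample code). Indicator values
# (INI slot path and range, task name "MM", hosts file) come from the
# function strings in the report; everything else is this script's assumption.

function Find-V6bBcEdp5aArtifacts {
    [CmdletBinding()]
    param(
        # From "At least one INI file in range 1 to 30 already exists."
        [int]$MaxSlot = 30,
        # From the string "schtasks /Query /TN MM"
        [string]$TaskName = 'MM'
    )

    $hits = @()

    # 1. C:\ProgramData\%d.ini slots. The sample creates the first free slot
    #    with CreateFileA(GENERIC_WRITE, CREATE_NEW); any populated slot is
    #    worth a look, and the lowest used slot is the one it would own.
    foreach ($n in 1..$MaxSlot) {
        $slot = Join-Path $env:ProgramData ("{0}.ini" -f $n)
        if (Test-Path -LiteralPath $slot -PathType Leaf) {
            $hits += [pscustomobject]@{ Type = 'IniSlot'; Detail = $slot }
        }
    }

    # 2. Scheduled task "MM". Run the same schtasks.exe query the sample runs,
    #    so the check also works on hosts without the ScheduledTasks module.
    #    schtasks.exe exits 0 when the task exists and non-zero otherwise.
    $null = & schtasks.exe /Query /TN $TaskName 2>$null
    if ($LASTEXITCODE -eq 0) {
        $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Detail = $TaskName }
    }

    # 3. hosts file. A 64-bit PowerShell sees System32 directly, which is the
    #    same file the sample reaches via \sysnative\ from its WOW64 context.
    #    Report every non-comment entry that is not a plain loopback mapping
    #    so an analyst can eyeball redirections; also flag attributes that
    #    are not FILE_ATTRIBUTE_NORMAL, since the sample resets them.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hostsPath -PathType Leaf) {
        $attr = (Get-Item -LiteralPath $hostsPath -Force).Attributes
        if ($attr -ne [System.IO.FileAttributes]::Normal) {
            $hits += [pscustomobject]@{ Type = 'HostsAttributes'; Detail = "$attr" }
        }
        foreach ($raw in Get-Content -LiteralPath $hostsPath) {
            $line = $raw.Trim()
            if (-not $line -or $line.StartsWith('#')) { continue }
            if ($line -match '^(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }
            $hits += [pscustomobject]@{ Type = 'HostsEntry'; Detail = $line }
        }
    }

    return $hits
}

# Usage: run elevated from 64-bit PowerShell so System32 is not redirected.
Find-V6bBcEdp5aArtifacts | Format-Table -AutoSize
```

Run it from a 64-bit, elevated PowerShell: a 32-bit PowerShell on a 64-bit host would be redirected to `SysWOW64\drivers\etc\hosts`, the same problem the sample works around with `\sysnative\`. A hosts file with non-loopback entries is not proof of infection on its own; treat it as context alongside a populated INI slot or the `MM` task.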
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
                                                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
                                                            • wsprintfA.USER32 ref: 10012683
                                                            • CloseHandle.KERNEL32(00000000), ref: 100126D7
                                                            • Sleep.KERNEL32(00000002), ref: 100126F1
                                                            • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
                                                            • GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
                                                            • FreeLibrary.KERNEL32(?), ref: 10012794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                            • String ID: ID= %d $closesocket$send$ws2_32.dll$ou
                                                            • API String ID: 1680113600-3502267164
                                                            • Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                            • Instruction ID: 7c67b287e16190e49fb15b82c1621effa97cd5ddd0eba97c16256e4bf4fc380b
                                                            • Opcode Fuzzy Hash: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                            • Instruction Fuzzy Hash: 8F41B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A19FA85DB281D774E9608B61
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: getenv
                                                            • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                            • API String ID: 498649692-40509672
                                                            • Opcode ID: 73dfa8020c57b5ab2b95759ea11293900521d36d213c0505f0858fc0f78fce67
                                                            • Instruction ID: d69ea8ecdff70f8aa079981a9a47f2fe449714dfe17c652162d4097177f93861
                                                            • Opcode Fuzzy Hash: 73dfa8020c57b5ab2b95759ea11293900521d36d213c0505f0858fc0f78fce67
                                                            • Instruction Fuzzy Hash: 2E21F9EBA111483BEB41F2316D2576639C9D3B2397F968131E804DF296FB18EC869351
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 10005AA7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                              • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                              • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                              • Part of subcall function 10005310: LoadLibraryA.KERNEL32 ref: 10005386
                                                              • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                              • Part of subcall function 10005310: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                              • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                            • wsprintfA.USER32 ref: 10005B17
                                                              • Part of subcall function 100058B0: LoadLibraryA.KERNEL32 ref: 1000590A
                                                              • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                              • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                              • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                              • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                              • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                              • Part of subcall function 10005B80: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                              • Part of subcall function 10005B80: GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$wsprintf
                                                            • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                            • API String ID: 2290142023-608447665
                                                            • Opcode ID: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                            • Instruction ID: 4c1d29f0bd828654cd513fdf21a7457cee7c04ca4083380b940b1afa8f540c18
                                                            • Opcode Fuzzy Hash: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                            • Instruction Fuzzy Hash: 123105751083809FE301CF68C894A6BBBE9AF99B04F44495CF5C987342D775E90CCBA6
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 1000105A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                            • #823.MFC42(000003E8), ref: 1000109D
                                                            • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                            • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                            • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823$AddressLibraryLoadProc
                                                            • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                            • API String ID: 4155842574-2549505875
                                                            • Opcode ID: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                            • Instruction ID: 31041f62746d12b518512821577f118573f67afbf5ee5be8c2abb55ff276c86d
                                                            • Opcode Fuzzy Hash: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                            • Instruction Fuzzy Hash: 00317EB04087809ED310DF69D884647FBE8FF55308F54495EE1C987712D3BAE948CB6A
                                                            APIs
                                                            • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100272A0
                                                            • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100272B0
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                              • Part of subcall function 10027200: CreateToolhelp32Snapshot.KERNEL32 ref: 10027215
                                                              • Part of subcall function 10027200: Process32First.KERNEL32(00000000,?), ref: 10027222
                                                              • Part of subcall function 10027200: Process32Next.KERNEL32(00000000,?), ref: 10027260
                                                              • Part of subcall function 10027200: CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002726B
                                                              • Part of subcall function 1001B7A0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B7E2
                                                              • Part of subcall function 1001B7A0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B7FA
                                                              • Part of subcall function 1001B7A0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B800
                                                              • Part of subcall function 1001B7A0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B80F
                                                              • Part of subcall function 1001B7A0: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 1001B820
                                                            • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100272F9
                                                            • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027309
                                                            • GetProcessId.KERNEL32(drwtsn32.exe,?,756F0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10027322
                                                            • EnumWindows.USER32(10027000,00000000), ref: 10027332
                                                            • EnumWindows.USER32(10027000,00000000), ref: 1002733A
                                                            • Sleep.KERNEL32(0000000A,?,756F0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 1002733E
                                                            • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027342
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                            • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                            • API String ID: 1044539573-3630850118
                                                            • Opcode ID: 48b2e93e383905c3c8926ed14a5b10c744598c5d9bb9687c4ba3d391802cbbf0
                                                            • Instruction ID: 91aeb3354f8c0a98b76d212428928c7a3045b71d4bc5141e7e137cefdcacaed0
                                                            • Opcode Fuzzy Hash: 48b2e93e383905c3c8926ed14a5b10c744598c5d9bb9687c4ba3d391802cbbf0
                                                            • Instruction Fuzzy Hash: 4B110279600309B7F210E7B4ACC6FDA3758FB84790F880814FB0C9A0C1EB75E8448676
                                                            APIs
                                                            • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006540
                                                            • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006583
                                                            • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006597
                                                            • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065DD
                                                            • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065F1
                                                            • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006637
                                                            • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 1000664B
                                                            • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006691
                                                            • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066A5
                                                            • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066EB
                                                            • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066FF
                                                            • #825.MFC42(?,?,?), ref: 10006758
                                                            • #823.MFC42(?,?,?), ref: 1000676C
                                                            • #825.MFC42(00000000,?,?), ref: 100067B1
                                                            • #823.MFC42(?,?,?), ref: 100067C5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823$#825
                                                            • String ID:
                                                            • API String ID: 2704444950-0
                                                            • Opcode ID: f1227a87f464c98f5f0953957aed0c5e43dc010ebf0ae60c39ea5306837bc4a7
                                                            • Instruction ID: 0de087db3478094c81a4a8001b7f02526105f4a99f174f36dbbcc8d857557e49
                                                            • Opcode Fuzzy Hash: f1227a87f464c98f5f0953957aed0c5e43dc010ebf0ae60c39ea5306837bc4a7
                                                            • Instruction Fuzzy Hash: BFC1CFB57046054BE718CE38D892A2B77D2EF882A0B65863DFD1A8B3C5DF71ED058790
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,0000005C,?,1000620E,00000000), ref: 10006416
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1000641F
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,0000005C,?,1000620E,00000000), ref: 1000642F
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10006432
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,0000005C,?,1000620E,00000000), ref: 10006442
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10006445
                                                            • #823.MFC42(00000002,?,0000005C,?,1000620E,00000000), ref: 10006461
                                                            • #823.MFC42(00000002,00000002,?,0000005C,?,1000620E,00000000), ref: 10006469
                                                            • #825.MFC42(00000000,?,0000005C,?,1000620E,00000000), ref: 10006495
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$#823$#825
                                                            • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                            • API String ID: 1309867234-4059950253
                                                            • Opcode ID: 855e76f34d1c5c9d2bc8535d3caea3b76420ab489d82cb9a134402131aa3a7c4
                                                            • Instruction ID: 0e428841896732e6d8a09429d01e3c00d8eb547c39d3f0f681800e50c198ed25
                                                            • Opcode Fuzzy Hash: 855e76f34d1c5c9d2bc8535d3caea3b76420ab489d82cb9a134402131aa3a7c4
                                                            • Instruction Fuzzy Hash: 261159B690032837DA20B7B56C49F8B3E8CCFC67B1F150527FB00A7180D924A805C6F2
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 1002BE5B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002BE62
                                                              • Part of subcall function 1002C0B0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BE79,00000000), ref: 1002C0CB
                                                              • Part of subcall function 1002C0B0: GetProcAddress.KERNEL32(00000000), ref: 1002C0D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                            • API String ID: 2574300362-924470386
                                                            • Opcode ID: ca9c6f55820dc386137499539fd566ee3a929da3ec5c473a18edeacc98f24aa6
                                                            • Instruction ID: ba2f119c839e45d5e55959ba2f54e91245b476b1e1a99335281e3fce33b04824
                                                            • Opcode Fuzzy Hash: ca9c6f55820dc386137499539fd566ee3a929da3ec5c473a18edeacc98f24aa6
                                                            • Instruction Fuzzy Hash: A3318075D092CCDEDB01CBE8D884ADEFFB8AF2A244F084159E54477342C6794608CBB6
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,756F0BD0,00000000,?,756EF550), ref: 1002C01A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C023
                                                            • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,756EF550), ref: 1002C031
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C034
                                                            • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002C058
                                                            • SetThreadDesktop.USER32(?,?,756EF550), ref: 1002C06E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                            • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                            • API String ID: 2607951617-608436089
                                                            • Opcode ID: de147d1baea9abe1ccfa2ac1da5a98b106c740747ad577fa949a59dd6ed2bf49
                                                            • Instruction ID: 9d45e20d373b2441c463df176288f84138cb99c67254eaeb56a2ce2ed772ae25
                                                            • Opcode Fuzzy Hash: de147d1baea9abe1ccfa2ac1da5a98b106c740747ad577fa949a59dd6ed2bf49
                                                            • Instruction Fuzzy Hash: 2101D8B670035C2BE610B7B9BC88EDB778CEBC0761F954536FB04D2141EA6DA84486B4
                                                            APIs
                                                            • LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                              • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                              • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                            • GetDC.USER32(00000000), ref: 10017E52
                                                            • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10017E5F
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017E81
                                                            • GetDeviceCaps.GDI32(?,00000076), ref: 10017E9E
                                                            • GetDeviceCaps.GDI32(?,00000075), ref: 10017EA9
                                                            • CreateCompatibleDC.GDI32(?), ref: 10017EC7
                                                            • CreateCompatibleDC.GDI32(?), ref: 10017ED0
                                                            • CreateCompatibleDC.GDI32(?), ref: 10017ED9
                                                            • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10017F26
                                                            • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10017F37
                                                            • SelectObject.GDI32(?,?), ref: 10017F4A
                                                            • SelectObject.GDI32(?,?), ref: 10017F54
                                                            • #823.MFC42(?,?,?,?,00000000), ref: 10017F5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 1396098503-0
                                                            • Opcode ID: 3e41ddc0bd6826d8b496d8575ed1cda71c88c4043996623284ab3a083a028a44
                                                            • Instruction ID: 44c096f880fcb36b571a4452547a335e0e0b4bfe87042c820b87a21c0d65f60c
                                                            • Opcode Fuzzy Hash: 3e41ddc0bd6826d8b496d8575ed1cda71c88c4043996623284ab3a083a028a44
                                                            • Instruction Fuzzy Hash: 2581F2B5504B059FD320DF29C884A67FBF9FB88704F108A1DE58A87750DBB9F8058B91
                                                            APIs
                                                              • Part of subcall function 1002C6E0: GetCurrentThreadId.KERNEL32 ref: 1002C6F2
                                                              • Part of subcall function 1002C6E0: GetThreadDesktop.USER32(00000000), ref: 1002C6F9
                                                              • Part of subcall function 1002C6E0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C72C
                                                              • Part of subcall function 1002C6E0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C737
                                                              • Part of subcall function 1002C6E0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C75E
                                                              • Part of subcall function 1002C6E0: lstrcmpiA.KERNEL32(?,?), ref: 1002C76D
                                                              • Part of subcall function 1002C6E0: SetThreadDesktop.USER32(00000000), ref: 1002C778
                                                              • Part of subcall function 1002C6E0: CloseDesktop.USER32(00000000), ref: 1002C790
                                                              • Part of subcall function 1002C6E0: CloseDesktop.USER32(00000000), ref: 1002C793
                                                            • SetCursorPos.USER32(?,?,?,?,?,?,1001758F,?,?,00000000), ref: 10017A98
                                                            • WindowFromPoint.USER32(?,?,?,?,?,?,1001758F,?,?,00000000), ref: 10017AA0
                                                            • SetCapture.USER32(00000000,?,?,?,?,1001758F,?,?,00000000), ref: 10017AA7
                                                            • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001758F,?,?,00000000), ref: 10017ABD
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10017AC0
                                                            • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001758F,?,?,00000000), ref: 10017ACE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10017AD1
                                                            • MapVirtualKeyA.USER32(?,00000000), ref: 10017B0A
                                                            • MapVirtualKeyA.USER32(?,00000000), ref: 10017B24
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                            • String ID: USER32.dll$keybd_event$mouse_event
                                                            • API String ID: 1441364844-718119381
                                                            • Opcode ID: 79f7e83ee25dbaf4f6ba203ef53fa61d55cf3e91d5ec3e1fc7d7f9d654101a3a
                                                            • Instruction ID: 272fab1586acce923c8f1fd0d05f69d307b7118afeee6d5b5eb12b7e5b0ceb8f
                                                            • Opcode Fuzzy Hash: 79f7e83ee25dbaf4f6ba203ef53fa61d55cf3e91d5ec3e1fc7d7f9d654101a3a
                                                            • Instruction Fuzzy Hash: 57512A35BC871577F6309A648C86F8A66A4FB85F90F714511B708BE2C1DBF0F8808699
                                                            APIs
                                                              • Part of subcall function 1002C6E0: GetCurrentThreadId.KERNEL32 ref: 1002C6F2
                                                              • Part of subcall function 1002C6E0: GetThreadDesktop.USER32(00000000), ref: 1002C6F9
                                                              • Part of subcall function 1002C6E0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C72C
                                                              • Part of subcall function 1002C6E0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C737
                                                              • Part of subcall function 1002C6E0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C75E
                                                              • Part of subcall function 1002C6E0: lstrcmpiA.KERNEL32(?,?), ref: 1002C76D
                                                              • Part of subcall function 1002C6E0: SetThreadDesktop.USER32(00000000), ref: 1002C778
                                                              • Part of subcall function 1002C6E0: CloseDesktop.USER32(00000000), ref: 1002C790
                                                              • Part of subcall function 1002C6E0: CloseDesktop.USER32(00000000), ref: 1002C793
                                                            • SetCursorPos.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D88
                                                            • WindowFromPoint.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D90
                                                            • SetCapture.USER32(00000000,?,?,?,?,1001697A,?,?), ref: 10016D97
                                                            • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001697A,?,?), ref: 10016DAD
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10016DB0
                                                            • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001697A,?,?), ref: 10016DBE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10016DC1
                                                            • MapVirtualKeyA.USER32(?,00000000), ref: 10016DFA
                                                            • MapVirtualKeyA.USER32(?,00000000), ref: 10016E14
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                            • String ID: USER32.dll$keybd_event$mouse_event
                                                            • API String ID: 1441364844-718119381
                                                            • Opcode ID: 7875ab08effde958aebc4eb9e339dc95875e0b95e9873accb908d891e66ba4da
                                                            • Instruction ID: ce01905b7fdd4051b4caf32631572d551a673ef4d39988108073ee24213574ef
                                                            • Opcode Fuzzy Hash: 7875ab08effde958aebc4eb9e339dc95875e0b95e9873accb908d891e66ba4da
                                                            • Instruction Fuzzy Hash: 62513E3ABC0729B7F630DA64CD4BF5A6A94E749F90F314615B704BE1C1D5F0F8808A99
                                                            APIs
                                                              • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DD9E,?,100FA3E4,?), ref: 100109D0
                                                              • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                            • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10097D78,000000FF), ref: 10002D12
                                                            • LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll,?,?,?,?,?,?,?,?,?,?,?,10097D78,000000FF), ref: 10002D22
                                                            • GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10002D3E
                                                            • GetProcAddress.KERNEL32(00000000,fnDeleteChromeUserInfo), ref: 10002D4C
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097D78,000000FF), ref: 10002E53
                                                            • LocalSize.KERNEL32(00000000), ref: 10002E5C
                                                            • LocalFree.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097D78,000000FF), ref: 10002E6C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AddressProc$AllocLibraryLoad$FreeSize
                                                            • String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
                                                            • API String ID: 1379963177-1650604611
                                                            • Opcode ID: 47972f9cae56794b55755b17139d9638c03c461175e1a4b84839bbb732861cc0
                                                            • Instruction ID: 55e821d808eef4ac33a230b4d54463be9f7d0620ae9cb200824ed7a79c23618c
                                                            • Opcode Fuzzy Hash: 47972f9cae56794b55755b17139d9638c03c461175e1a4b84839bbb732861cc0
                                                            • Instruction Fuzzy Hash: 434123716002585FD728CF288C45AAF7BD5FB8A7A0F580729F90AE7780CB78DE018791
                                                            APIs
                                                            • #537.MFC42(360se6.exe), ref: 1000F047
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F05F
                                                            • #540.MFC42 ref: 1000F069
                                                            • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F09B
                                                            • #924.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0B3
                                                            • #800.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0C4
                                                            • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0CE
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                              • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                              • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                              • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                              • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                              • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                              • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                              • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • #800.MFC42 ref: 1000F0ED
                                                            • #800.MFC42 ref: 1000F101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                            • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                            • API String ID: 1983172782-1244823433
                                                            • Opcode ID: 9774a40f9e018d58ef8b0c15c7615589432244e57f6a25fa5e09e825ec443299
                                                            • Instruction ID: f5b707b3f35c931670b2857d94e228516327d067c67176031b17220258f07fa3
                                                            • Opcode Fuzzy Hash: 9774a40f9e018d58ef8b0c15c7615589432244e57f6a25fa5e09e825ec443299
                                                            • Instruction Fuzzy Hash: 2A216579408784ABE364EB54D882FDFB7D4EB98710F40891CF19D421D1DBB4A905DB63
                                                            APIs
                                                            • #537.MFC42(QQBrowser.exe), ref: 1000F147
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
                                                            • #540.MFC42 ref: 1000F169
                                                            • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F19B
                                                            • #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
                                                            • #800.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1C4
                                                            • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                              • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                              • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                              • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                              • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                              • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                              • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                              • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • #800.MFC42 ref: 1000F1ED
                                                            • #800.MFC42 ref: 1000F201
                                                            Strings
                                                            • \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 1000F1A0
                                                            • QQBrowser.exe, xrefs: 1000F142
                                                            • C:\Users\, xrefs: 1000F195
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                            • String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
                                                            • API String ID: 1983172782-2662846904
                                                            • Opcode ID: b6307e8d1111fce2fb5e5f5818630d89460a98ba63fb61117d7c9e2cd21df203
                                                            • Instruction ID: fd803a1a8fa8bb17a101dbb422f8058ab97cee8bf3791145b1e3a19203f03486
                                                            • Opcode Fuzzy Hash: b6307e8d1111fce2fb5e5f5818630d89460a98ba63fb61117d7c9e2cd21df203
                                                            • Instruction Fuzzy Hash: 5D216579408784ABE364EB54D886FDFB7D4EF98710F40891CF19D421D1DBB4A9058BA3
                                                            APIs
                                                            • #537.MFC42(SogouExplorer.exe), ref: 1000F247
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
                                                            • #540.MFC42 ref: 1000F269
                                                            • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F29B
                                                            • #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
                                                            • #800.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2C4
                                                            • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                              • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                              • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                              • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                              • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                              • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                              • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                              • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • #800.MFC42 ref: 1000F2ED
                                                            • #800.MFC42 ref: 1000F301
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                            • String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
                                                            • API String ID: 1983172782-2055279553
                                                            • Opcode ID: c396ed5f624f3e39d63c0207a02520e7106d08471b477fa28a237fe7ab2ace6b
                                                            • Instruction ID: 1fd62fa28d9738b7576a2f70916a538ec5f7a092b8669d5595dd2288a8160510
                                                            • Opcode Fuzzy Hash: c396ed5f624f3e39d63c0207a02520e7106d08471b477fa28a237fe7ab2ace6b
                                                            • Instruction Fuzzy Hash: 17216579408784ABE324EB54D882FDFB7D4EB98700F44891DF19D421D1DBB4A9058B63
                                                            APIs
                                                            • #537.MFC42(chrome.exe), ref: 1000EE07
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
                                                            • #540.MFC42 ref: 1000EE29
                                                            • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EE5B
                                                            • #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
                                                            • #800.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE84
                                                            • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                              • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                              • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                              • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                              • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                              • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                              • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                              • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • #800.MFC42 ref: 1000EEAD
                                                            • #800.MFC42 ref: 1000EEC1
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                            • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                            • API String ID: 1983172782-2559963756
                                                            • Opcode ID: 45b8b0675cfc662bf732b96f1cd56631b9d7d0838bc75929f1eb6601d6ad915d
                                                            • Instruction ID: 4f216ba6bee0c5160a3f684a656ca381d483d47dd966b0cf52e8dd2b1d61ddda
                                                            • Opcode Fuzzy Hash: 45b8b0675cfc662bf732b96f1cd56631b9d7d0838bc75929f1eb6601d6ad915d
                                                            • Instruction Fuzzy Hash: D7216579408784AFE324EB54D886FDFB7D4EB98700F40891CB29D421D1DBB4A9058B63
                                                            APIs
                                                            • #537.MFC42(Skype.exe), ref: 1000EF07
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
                                                            • #540.MFC42 ref: 1000EF29
                                                            • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EF5B
                                                            • #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
                                                            • #800.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF84
                                                            • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                              • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                              • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                              • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                              • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                              • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                              • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                              • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                              • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                            • #800.MFC42 ref: 1000EFAD
                                                            • #800.MFC42 ref: 1000EFC1
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                            • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                            • API String ID: 1983172782-3499480952
                                                            • Opcode ID: 419168f5eff27f7ad44f07f859ccee352424152542c9961b10033339dc99ef51
                                                            • Instruction ID: 644b2414cab5891f6259ff0769fdff6720f110dd1d47251bf2942eee25dfd87c
                                                            • Opcode Fuzzy Hash: 419168f5eff27f7ad44f07f859ccee352424152542c9961b10033339dc99ef51
                                                            • Instruction Fuzzy Hash: 2B216579408784ABE364EB54D882FDFB7D4EB98700F40891CB29D421D1DBB4A9058B63
                                                            APIs
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Delete$#825$Object$CursorDestroyRelease
                                                            • String ID:
                                                            • API String ID: 719826280-0
                                                            • Opcode ID: f29ac7dc362ba99e9770f07e2ee9a5fb9e84fa69c0244321cab12ecf15b9cd83
                                                            • Instruction ID: 18d7e8090aa97cb3e57913efe2ebb57b15833199bda52090397c7c92e1f0da22
                                                            • Opcode Fuzzy Hash: f29ac7dc362ba99e9770f07e2ee9a5fb9e84fa69c0244321cab12ecf15b9cd83
                                                            • Instruction Fuzzy Hash: 89114CBA6007109BD220EBB5CC80E57F3EDFF98200B15491EE68A83360CA75FC418B60
                                                            APIs
                                                            • malloc.MSVCRT ref: 10007519
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10007541
                                                            • free.MSVCRT ref: 1000759F
                                                            • GetFileAttributesA.KERNEL32(?), ref: 100075AD
                                                            • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100075D4
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 100075E3
                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 100075F9
                                                            • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 1000761D
                                                            • CloseHandle.KERNEL32(?), ref: 1000762A
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 1000766A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Virtual$AllocAttributesCloseCreateFolderFreeHandlePathReadSizeSpecialfreemalloc
                                                            • String ID: Main
                                                            • API String ID: 2820283417-521822810
                                                            • Opcode ID: 8bd1a17cf42312b28f376e9ecb23a63500a0430d72801a9b3cf08ce414ccfa74
                                                            • Instruction ID: bdf64600dfa1e331f13f34fff0ab18a60f258f90d20660a8981447130f458eed
                                                            • Opcode Fuzzy Hash: 8bd1a17cf42312b28f376e9ecb23a63500a0430d72801a9b3cf08ce414ccfa74
                                                            • Instruction Fuzzy Hash: C35118756002005BE718DB388C89FA73799FB84720F184739FE1ADB2D5DE79A904C764
                                                            APIs
                                                              • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                              • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                              • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                              • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AA9A
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAD4
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAE4
                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAF4
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,756F23A0), ref: 1001AAFB
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AB08
                                                            • gethostname.WS2_32(?,?), ref: 1001AB10
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,756F23A0), ref: 1001AB17
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrlen$#823$AddressCloseCreateHandleLibraryLoadProcReadSizegethostname
                                                            • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                            • API String ID: 1105965372-3579490797
                                                            • Opcode ID: e9d8c468fa3a80b4a242bb30858b8e7f25102185770173e2e4f74d48491c0f5d
                                                            • Instruction ID: 28c68c63a2fdd688cc72d0670467135b388563cdd73023495959d553aeaf9efb
                                                            • Opcode Fuzzy Hash: e9d8c468fa3a80b4a242bb30858b8e7f25102185770173e2e4f74d48491c0f5d
                                                            • Instruction Fuzzy Hash: D531B475604754AFE320CB28CC90FEBB799FB89350F044929FA49A7290DB716905CFA2
                                                            APIs
                                                            • wsprintfA.USER32 ref: 10026E45
                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026E5B
                                                            • lstrcatA.KERNEL32(?,?), ref: 10026E6E
                                                            • LocalAlloc.KERNEL32(00000040,00000400), ref: 10026E7B
                                                            • GetFileAttributesA.KERNEL32(?), ref: 10026E8B
                                                            • LoadLibraryA.KERNEL32(?), ref: 10026E9E
                                                            • lstrlenA.KERNEL32(?,?,?,756F0F00), ref: 10026EB9
                                                            • lstrlenA.KERNEL32(?,?,756F0F00), ref: 10026ED9
                                                            • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,756F0F00), ref: 10026EE3
                                                            • LocalFree.KERNEL32(00000000,?,756F0F00), ref: 10026EF7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                            • String ID: \termsrv_t.dll
                                                            • API String ID: 2807520882-1337493607
                                                            • Opcode ID: 2eae8c9f0c1c5d8a5ff5e8accaf5b31a043754681aa6c7b99b64216990864f02
                                                            • Instruction ID: ec4cb8a36d4fb7683c2a940959f837eaf9d91c00f0ff4821bc66825f5898c339
                                                            • Opcode Fuzzy Hash: 2eae8c9f0c1c5d8a5ff5e8accaf5b31a043754681aa6c7b99b64216990864f02
                                                            • Instruction Fuzzy Hash: F321F37A100305AFD724DF60DC88EEB77A8FB85310F044A1CFA5A97191EB70E509CB62
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: inet_ntoa$htons$inet_addr
                                                            • String ID:
                                                            • API String ID: 2325850693-0
                                                            • Opcode ID: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                            • Instruction ID: 343c041bbf9a7bb56ef10b87d1a574300f21d5de58c0c6039e0fd4db576c1ed8
                                                            • Opcode Fuzzy Hash: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                            • Instruction Fuzzy Hash: BC513A3A7046684BCB18DF38A8501AFB7D1FF89620B9985ADFD8AD7341DE21EC01C765
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BA5E
                                                            • Process32First.KERNEL32(00000000,?), ref: 1000BA73
                                                            • GetLastError.KERNEL32(00000000,?), ref: 1000BA80
                                                            • _wcsupr.MSVCRT ref: 1000BA9D
                                                            • _wcsupr.MSVCRT ref: 1000BAA6
                                                            • wcsstr.MSVCRT ref: 1000BAAA
                                                            • Process32Next.KERNEL32(00000000,?), ref: 1000BACD
                                                            • _strlwr.MSVCRT ref: 1000BAE7
                                                            • _strlwr.MSVCRT ref: 1000BAEA
                                                            • strstr.MSVCRT ref: 1000BAF2
                                                            • Process32Next.KERNEL32(00000000,?), ref: 1000BB01
                                                            • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000BB0B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                            • String ID:
                                                            • API String ID: 146143966-0
                                                            • Opcode ID: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                            • Instruction ID: b4f5de978f8eaf38a3e5bb4c2647caf8304cc2ea79445660ac4d1f08fe3e4252
                                                            • Opcode Fuzzy Hash: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                            • Instruction Fuzzy Hash: 161193762403196BF350EBA59C85EEB7B9CEFC1390F840929FD0582145EB79E908C6B2
                                                            APIs
                                                            • NetUserDel.NETAPI32(00000000,00000000), ref: 10025D58
                                                            • #825.MFC42(00000000,00000000,00000000), ref: 10025D60
                                                            • wsprintfA.USER32 ref: 10025DA8
                                                            • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10025DC8
                                                            • Sleep.KERNEL32(00000032), ref: 10025DD4
                                                            • RegQueryValueExA.ADVAPI32 ref: 10025E01
                                                            • RegCloseKey.ADVAPI32(1012B074), ref: 10025E0C
                                                            • wsprintfA.USER32 ref: 10025E21
                                                              • Part of subcall function 10025810: LocalSize.KERNEL32(00000000), ref: 10025820
                                                              • Part of subcall function 10025810: LocalFree.KERNEL32(00000000,?,10025D10,00000001,?,00000000,00000001,?,?), ref: 10025830
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Localwsprintf$#825CloseFreeOpenQuerySizeSleepUserValue
                                                            • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                            • API String ID: 2119749478-1111274145
                                                            • Opcode ID: 9054a69acac9650487ded3c16affc68c44e4379823cbc8a35e98858ac4305ac3
                                                            • Instruction ID: 4128959c68e51666426083b25ac39b65fe984030dbd30c4103d0800a1e745fdf
                                                            • Opcode Fuzzy Hash: 9054a69acac9650487ded3c16affc68c44e4379823cbc8a35e98858ac4305ac3
                                                            • Instruction Fuzzy Hash: 1C315A75204305ABE210DB24EC85FBF73DCEBC4255F81092CF94692142EA76ED0C87A6
                                                            APIs
                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B634
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000B6A9
                                                            • GetFileSize.KERNEL32 ref: 1000B6BC
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000B6D0
                                                            • lstrlenA.KERNEL32(?), ref: 1000B6DE
                                                            • #823.MFC42(00000000), ref: 1000B6E7
                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 1000B70D
                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000B716
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000B71D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                            • String ID: .key
                                                            • API String ID: 2856261289-343438762
                                                            • Opcode ID: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                            • Instruction ID: 027454ab2bd30931becd60e1eca53f1fb32a561b9c5790d131e19d17de7c16c4
                                                            • Opcode Fuzzy Hash: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                            • Instruction Fuzzy Hash: 2A215C752006042BF724DA789C8AFAB3A89FB84760F580739FE57C71D1DEA49D088760
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                            • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                            • API String ID: 2574300362-4065288365
                                                            • Opcode ID: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                            • Instruction ID: 97c40741ceac41b55f427a3e19617a04594bb35f0b993fe0b131869bec9d13a6
                                                            • Opcode Fuzzy Hash: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                            • Instruction Fuzzy Hash: C5212676600204ABDB10DF68EC84AA67BE8FFC8310F154469EB049B301D736E945DBE0
                                                            APIs
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000E5EA
                                                            • lstrlenA.KERNEL32 ref: 1000E609
                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 1000E612
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000E619
                                                            • RegCreateKeyA.ADVAPI32(80000001,TGByte\Setup,?), ref: 1000E62E
                                                            • RegSetValueExA.ADVAPI32(00000000,Host,00000000,00000001,?), ref: 1000E650
                                                            • RegCloseKey.ADVAPI32(?), ref: 1000E65B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateFile$HandleValueWritelstrlen
                                                            • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                            • API String ID: 1763583472-3579490797
                                                            • Opcode ID: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                            • Instruction ID: 77af767004de95c6ec99707751be97fa26c4c007db1504f7e5df3f5080d650d4
                                                            • Opcode Fuzzy Hash: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                            • Instruction Fuzzy Hash: 9E11A375100310BBE320DB68CC49FEB7BADFB89751F044A18F659A21D0DBB4A8058BA2
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BE79,00000000), ref: 1002C0CB
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C0D4
                                                              • Part of subcall function 1002C000: LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,756F0BD0,00000000,?,756EF550), ref: 1002C01A
                                                              • Part of subcall function 1002C000: GetProcAddress.KERNEL32(00000000), ref: 1002C023
                                                              • Part of subcall function 1002C000: LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,756EF550), ref: 1002C031
                                                              • Part of subcall function 1002C000: GetProcAddress.KERNEL32(00000000), ref: 1002C034
                                                              • Part of subcall function 1002C000: GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002C058
                                                            • LoadLibraryA.KERNEL32(USER32.dll,OpenInputDesktop,?,?,00000000,1002BE79,00000000), ref: 1002C0F4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C0FD
                                                            • LoadLibraryA.KERNEL32(USER32.dll,CloseDesktop), ref: 1002C12B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C12E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$InformationObjectUser
                                                            • String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$USER32.dll
                                                            • API String ID: 3339922732-643134891
                                                            • Opcode ID: 1712cbfc25e9f7c03d4d435c85ecbccf8d7d6f15b3a09a2f6e5799ddaac7efbe
                                                            • Instruction ID: 6341fdd70d8c26c23387031e32f7c5383bd1d5dbcf592f3321e2a6170ee8d8aa
                                                            • Opcode Fuzzy Hash: 1712cbfc25e9f7c03d4d435c85ecbccf8d7d6f15b3a09a2f6e5799ddaac7efbe
                                                            • Instruction Fuzzy Hash: AA01D6B77412297BF611A3EC6C81FCA2348EFC57A5F664121F704E7141C794AC0152B5
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 100220F7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10022100
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 1002210E
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10022111
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForMultipleObjects), ref: 1002211F
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10022122
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: KERNEL32.dll$TerminateProcess$TerminateThread$WaitForMultipleObjects
                                                            • API String ID: 2574300362-2489239429
                                                            • Opcode ID: 2c8e786a777950bf243c6a2a702a730d15309ca6ba7001495b58208f0e3ea42f
                                                            • Instruction ID: 19dc62fa31c76917df57027a573d130e89ca9628d5a43a391ac43829b8dc1738
                                                            • Opcode Fuzzy Hash: 2c8e786a777950bf243c6a2a702a730d15309ca6ba7001495b58208f0e3ea42f
                                                            • Instruction Fuzzy Hash: DE019E756403182BCA10EBB59C45F9B7AD8EBC8760F000919FA4597280DE74F840DBA9
                                                            APIs
                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 10023EAA
                                                            • _errno.MSVCRT ref: 10023EB4
                                                            • __WSAFDIsSet.WS2_32(?,?), ref: 10023ECC
                                                            • __WSAFDIsSet.WS2_32(?,?), ref: 10023EE2
                                                            • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 10023F1C
                                                            • inet_addr.WS2_32(00000000), ref: 10023F9D
                                                            • htons.WS2_32(?), ref: 10023FAC
                                                            • Sleep.KERNEL32(00000005), ref: 10023FDC
                                                            • Sleep.KERNEL32(00000005,?,?), ref: 10024047
                                                            • closesocket.WS2_32 ref: 1002405C
                                                            • closesocket.WS2_32(?), ref: 10024062
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleepclosesocket$_errnohtonsinet_addrrecvfromselect
                                                            • String ID:
                                                            • API String ID: 1415794423-0
                                                            • Opcode ID: 1f6bbc334ae99e8125efa1dd366824f44bf37063a0db2e424dfbd468bac90fa2
                                                            • Instruction ID: a97ccd8b7132b22a396c5fd2d8cf8f8f5a932aca3e9da1bded24cdb5bd09ce6e
                                                            • Opcode Fuzzy Hash: 1f6bbc334ae99e8125efa1dd366824f44bf37063a0db2e424dfbd468bac90fa2
                                                            • Instruction Fuzzy Hash: 8761B1745083419BD710DF24D884AAFB7F4FFC8704F418A2EFA9987290E774E9458B62
                                                            APIs
                                                            • strchr.MSVCRT ref: 10023C39
                                                            • atoi.MSVCRT(?), ref: 10023C66
                                                            • strchr.MSVCRT ref: 10023CA8
                                                            • strncpy.MSVCRT ref: 10023CDF
                                                            • strchr.MSVCRT ref: 10023CEB
                                                            • strncpy.MSVCRT ref: 10023D13
                                                            • strncpy.MSVCRT ref: 10023D2F
                                                            • InitializeCriticalSection.KERNEL32(1012C618), ref: 10023D96
                                                              • Part of subcall function 10023B20: WSAStartup.WS2_32(00000202,?), ref: 10023B31
                                                              • Part of subcall function 10023B20: socket.WS2_32(00000002,00000001,00000006), ref: 10023B45
                                                              • Part of subcall function 10023B20: htons.WS2_32 ref: 10023B78
                                                              • Part of subcall function 10023B20: bind.WS2_32 ref: 10023B93
                                                              • Part of subcall function 10023B20: listen.WS2_32(00000000,00000032), ref: 10023BA4
                                                            • WSACleanup.WS2_32 ref: 10023DA1
                                                            • DeleteCriticalSection.KERNEL32(1012C618), ref: 10023DAC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeStartupatoibindhtonslistensocket
                                                            • String ID:
                                                            • API String ID: 2616448033-0
                                                            • Opcode ID: ae17c836791d05bfd682294e5229fbbd1498bed123dcc7f05ba2f328a573c3ae
                                                            • Instruction ID: 74bdf802d94b5355f7ddaa2358f373a59af5b12c835a3c2690ac803e767a2c4c
                                                            • Opcode Fuzzy Hash: ae17c836791d05bfd682294e5229fbbd1498bed123dcc7f05ba2f328a573c3ae
                                                            • Instruction Fuzzy Hash: 9E41DF365106081BD32C9A789C458FFBBD5FBC4320F554B2EFA2B836D0DEB49E088694
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                            • String ID:
                                                            • API String ID: 3289936468-0
                                                            • Opcode ID: ad41f2767d6a54881d70bda56907fa80ea6bcfdd6511d3c73f2fddfa0e33c373
                                                            • Instruction ID: 0b6167630dda805a4301ea20a474f38b87242d2fac6e95a20d8922163b170acb
                                                            • Opcode Fuzzy Hash: ad41f2767d6a54881d70bda56907fa80ea6bcfdd6511d3c73f2fddfa0e33c373
                                                            • Instruction Fuzzy Hash: 0541E9B4D046559FF721CF588C447EEBBE4FB0A6E0F14066AE8D5A3645C3344A02CFA6
                                                            APIs
                                                            • #540.MFC42 ref: 10011358
                                                            • #858.MFC42(00000004), ref: 10011376
                                                            • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 100113A9
                                                            • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113B8
                                                            • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113C6
                                                            • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113D4
                                                            • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113E1
                                                            • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011409
                                                            • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011416
                                                            • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011426
                                                            • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011438
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #800$#858$#535#540#922#939
                                                            • String ID:
                                                            • API String ID: 1721966335-0
                                                            • Opcode ID: 3ba8986b4c6a77790e30e9554aa32793a9c3aa4d6a146259788d1668c68c8bfc
                                                            • Instruction ID: e89469ddaf57ae934d918304d26598c65b7e007b2a9619b4dd841fae32280898
                                                            • Opcode Fuzzy Hash: 3ba8986b4c6a77790e30e9554aa32793a9c3aa4d6a146259788d1668c68c8bfc
                                                            • Instruction Fuzzy Hash: 6E31817510C381ABC305EB64D491B9FBBE8EF98714F440A0EF49993292DB74EA09C767
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
                                                            • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 100196E2
                                                            • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
                                                            • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10019733
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10019740
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10019743
                                                            • Sleep.KERNEL32(000000C8), ref: 1001974A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2207141857-2896544425
                                                            • Opcode ID: 8f448660febfb48de157a8930333233241c4580701365fdad3c94cf9ec8c552b
                                                            • Instruction ID: 3f75dfd3f21eee81022adff06054c224093f2a112b2b7d3e7d70c51ed522fe8b
                                                            • Opcode Fuzzy Hash: 8f448660febfb48de157a8930333233241c4580701365fdad3c94cf9ec8c552b
                                                            • Instruction Fuzzy Hash: 73213D3965411467F320AB789C4AFEF3B98FB84761F180326FA199B2C1DD74EC448675
                                                            APIs
                                                              • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                              • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                              • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                              • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001ABB6
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001ABF3
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC03
                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC13
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC1A
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,00000000,756E83C0,756F32C0,756F23A0), ref: 1001AC21
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                            • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                            • API String ID: 1069036285-946259135
                                                            • Opcode ID: 789955182c9c8c8ac37479f1624516a99c739d52e999dad33b5efcec175bc29c
                                                            • Instruction ID: 0b4bd68d92dccd01e716d8b7507cbbf2eae942960c4f9f2dc43622461c8512b7
                                                            • Opcode Fuzzy Hash: 789955182c9c8c8ac37479f1624516a99c739d52e999dad33b5efcec175bc29c
                                                            • Instruction Fuzzy Hash: A8212771204710AFE310CB68CC91BEBB7D9FB89310F444A2CFA49A73D0DA755A45CBA2
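The APIs lists on this page give each call's module, rendered arguments and address, but the arguments are raw hex, so the access masks passed to OpenSCManagerA and OpenServiceA, the start type passed to ChangeServiceConfigA and the family/type/protocol passed to socket() have to be decoded by hand. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses entries in this format and decodes those constants for the dynamic-import entry (ref 10022100), the bind/listen subcall at 10023B20, the ChangeServiceConfigA entry at 10019728 and the StartServiceA/ControlService entry at 100198ED. SAMPLE is constructed by copying lines from this page. The 000000FF the report prints in ChangeServiceConfigA's dwServiceType and dwErrorControl positions is deliberately left undecoded: 0xFF is not a valid value for either parameter, and whether the report is rendering SERVICE_NO_CHANGE (0xFFFFFFFF) that way is not something the page confirms.

```python
"""Parse the "APIs" entries of a Joe Sandbox report dump and decode the hex constants that
matter for triage.  Added example, not Joe Sandbox code; SAMPLE copies entries from this page."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 100220F7
• GetProcAddress.KERNEL32(00000000), ref: 10022100
• LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 1002210E
• GetProcAddress.KERNEL32(00000000), ref: 10022111
Strings
APIs
  • Part of subcall function 10023B20: socket.WS2_32(00000002,00000001,00000006), ref: 10023B45
  • Part of subcall function 10023B20: bind.WS2_32 ref: 10023B93
  • Part of subcall function 10023B20: listen.WS2_32(00000000,00000032), ref: 10023BA4
Memory Dump Source
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
• OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
• ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
APIs
• OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
• ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
"""

# One "APIs" bullet: optional subcall prefix, Api.MODULE, optional "(args)", then "ref: <address>".
# Joe prints numeric arguments as hex and unknown ones as "?".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Win32/Winsock constants from the SDK headers, for the arguments decoded in triage().
SC_MANAGER_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE", 0x4: "SC_MANAGER_ENUMERATE_SERVICE",
                     0x8: "SC_MANAGER_LOCK", 0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE"}
ADDRESS_FAMILY, SOCK_TYPE, IPPROTO = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: int
    subcall: str | None

def as_int(arg: str) -> int | None:
    # hex argument to int; string arguments such as "KERNEL32.dll" or "?" give None
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None

def decode_flags(value: int, table: dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    if rest := value & ~sum(table):
        names.append(hex(rest))            # bits the table does not know
    return "|".join(names) or "0"

def parse_entries(report: str) -> list[list[Call]]:
    """One list of Calls per 'APIs' section, in report order."""
    entries: list[list[Call]] = []
    current: list[Call] | None = None
    for line in report.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
        elif current is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif not line.strip().startswith("•"):
            current = None                 # next report section (Strings, Memory Dump Source, ...)
    return entries

def triage(entry: list[Call]) -> list[str]:
    """Readable findings for one function entry."""
    out: list[str] = []
    pending: tuple[str, str] | None = None
    for c in entry:
        n = [as_int(a) for a in c.args]
        if c.api == "LoadLibraryA" and len(c.args) >= 2:
            pending = (c.args[0], c.args[1])   # the report lists DLL and target name together
        elif c.api == "GetProcAddress" and pending:
            out.append(f"dynamic import {pending[0]}!{pending[1]} resolved at {c.ref:08X}")
            pending = None
        elif c.api == "OpenSCManagerA" and len(n) == 3 and n[2] is not None:
            out.append(f"OpenSCManagerA access={decode_flags(n[2], SC_MANAGER_ACCESS)}")
        elif c.api == "OpenServiceA" and len(n) == 3 and n[2] is not None:
            out.append(f"OpenServiceA access={decode_flags(n[2], SERVICE_ACCESS)}")
        elif c.api == "ChangeServiceConfigA" and len(n) >= 3 and n[2] is not None:
            out.append(f"ChangeServiceConfigA dwStartType={START_TYPE.get(n[2], hex(n[2]))}")  # dwStartType only
        elif c.api == "ControlService" and len(n) >= 2 and n[1] is not None:
            out.append(f"ControlService {SERVICE_CONTROL.get(n[1], hex(n[1]))}")
        elif c.api == "socket" and len(n) == 3 and None not in n:
            out.append(f"socket({ADDRESS_FAMILY.get(n[0], n[0])}, {SOCK_TYPE.get(n[1], n[1])}, {IPPROTO.get(n[2], n[2])})")
        elif c.api == "listen" and len(n) == 2 and n[1] is not None:
            out.append(f"listen backlog={n[1]}")
    if {"socket", "bind", "listen"} <= {c.api for c in entry}:
        out.append("binds and listens: accepts inbound connections")
    return out
```

Run parse_entries over the whole report text instead of SAMPLE to get one finding list per function. On this page's entries the decoded masks read consistently: the function at 100196A1 opens the SCM with SC_MANAGER_LOCK and the service with SERVICE_CHANGE_CONFIG only, which is exactly what the LockServiceDatabase/ChangeServiceConfigA pair that follows needs to set SERVICE_AUTO_START, while the function at 100198A9 asks for SERVICE_QUERY_STATUS|SERVICE_START|SERVICE_STOP, matching its QueryServiceStatus, StartServiceA and ControlService(SERVICE_CONTROL_STOP) calls.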
                                                            APIs
                                                              • Part of subcall function 1001B7A0: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B7AA
                                                              • Part of subcall function 1001B7A0: OpenProcessToken.ADVAPI32(00000000), ref: 1001B7B1
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871
                                                            • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100198B7
                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100198DA
                                                            • ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FA
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FD
                                                            • Sleep.KERNEL32(000000C8), ref: 10019904
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                            • String ID: SeDebugPrivilege
                                                            APIs
                                                            • #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                            • #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                            • #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                            • #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                            • #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                            • #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                            • #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                            • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: #3811$#2614#860
                                                            • String ID: *.*
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,10005979,?,?), ref: 100059E4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100059ED
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,10005979,?,?), ref: 100059FB
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100059FE
                                                            • malloc.MSVCRT ref: 10005A1F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: AddressLibraryLoadProc$malloc
                                                            • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                            APIs
                                                              • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                              • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                            • GetCursorPos.USER32(?), ref: 10018246
                                                            • GetSystemMetrics.USER32(00000000), ref: 10018255
                                                            • _ftol.MSVCRT ref: 10018273
                                                            • _ftol.MSVCRT ref: 10018288
                                                            • GetCursorInfo.USER32(?,?,00000008), ref: 100182AE
                                                            • DestroyCursor.USER32(?), ref: 100182D9
                                                            • BitBlt.GDI32(?,00000000,00000000,10016B8A,?,?,00000000,00000000,?), ref: 1001831C
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 10018373
                                                            • Sleep.KERNEL32(00000001), ref: 10018393
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 1001839C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                            • String ID:
                                                            APIs
                                                            • ReleaseDC.USER32(00000000,?), ref: 10018034
                                                            • DeleteDC.GDI32(?), ref: 10018044
                                                            • DeleteDC.GDI32(?), ref: 1001804A
                                                            • DeleteDC.GDI32(?), ref: 10018050
                                                            • DeleteObject.GDI32(?), ref: 1001805C
                                                            • DeleteObject.GDI32(?), ref: 10018062
                                                            • #825.MFC42(?,?,?,?,?,?,?,10098C9C,000000FF,10017FE8), ref: 10018083
                                                            • #825.MFC42(?,?,?,?,?,?,?,10098C9C,000000FF,10017FE8), ref: 10018093
                                                            • #825.MFC42(?,?,?,?,?,?,?,10098C9C,000000FF,10017FE8), ref: 100180A3
                                                            • DestroyCursor.USER32(?), ref: 100180C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: Delete$#825$Object$CursorDestroyRelease
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 1002BF60: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BF81
                                                              • Part of subcall function 1002BF60: Process32First.KERNEL32(00000000,00000000), ref: 1002BF9B
                                                              • Part of subcall function 1002BF60: _strcmpi.MSVCRT ref: 1002BFB7
                                                              • Part of subcall function 1002BF60: Process32Next.KERNEL32(00000000,?), ref: 1002BFC6
                                                              • Part of subcall function 1002BF60: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BFD0
                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1002C4F2
                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1002C50C
                                                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1002C532
                                                            • #823.MFC42(?), ref: 1002C53F
                                                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1002C561
                                                            • #823.MFC42(00000100), ref: 1002C583
                                                            • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1002C5B3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_strcmpi
                                                            • String ID: explorer.exe
                                                            APIs
                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026D46
                                                            • lstrcatA.KERNEL32(?,?), ref: 10026D58
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 10026D75
                                                            • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10026D86
                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10026DA3
                                                            • CloseHandle.KERNEL32(00000000), ref: 10026DAA
                                                            • LocalFree.KERNEL32(?), ref: 10026DDA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                            • String ID: p
                                                            APIs
                                                              • Part of subcall function 100291D0: GetCurrentProcess.KERNEL32(00000028), ref: 100291E0
                                                              • Part of subcall function 100291D0: OpenProcessToken.ADVAPI32(00000000), ref: 100291E7
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 1002930A
                                                            • Thread32First.KERNEL32(00000000,0000001C), ref: 1002931B
                                                            • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10029350
                                                            • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029355
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029358
                                                            • Thread32Next.KERNEL32(00000000,?), ref: 10029364
                                                            • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10029370
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 3882456823-2896544425
                                                            • Opcode ID: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                            • Instruction ID: c9b2ece34eb72369a73d0c6b8bbf455fdbdca1907ff0e80fe1b749c937fc1a21
                                                            • Opcode Fuzzy Hash: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                            • Instruction Fuzzy Hash: 1F01AD35201359BBE210DB59DC81EAFB3E8FFC9640F844929FA4497280E770AD048BA6
                                                            APIs
                                                            • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024C70
                                                            • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024C90
                                                            • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024CA4
                                                            • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024CB8
                                                            • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024CCB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeMemory$InformationQuerySession
                                                            • String ID: Console$ICA$RDP
                                                            • API String ID: 2964284127-2419630658
                                                            • Opcode ID: c2d0dcc794624c0052cd4fa6c32e54106a44bcb57f0ed94e93314d7cf4d80acb
                                                            • Instruction ID: aa85f9e54ce4b9dc6c4584e996c90b9195fcc2f3ec5e1275340c8dbd1373f8df
                                                            • Opcode Fuzzy Hash: c2d0dcc794624c0052cd4fa6c32e54106a44bcb57f0ed94e93314d7cf4d80acb
                                                            • Instruction Fuzzy Hash: CA0128B6604221B78504EB5CBC418ABB2D8EF90B55F85443EF544EB240D630ED1CCBF6
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 1002AF42
                                                            • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 1002AF63
                                                            • RegCloseKey.ADVAPI32(?), ref: 1002AF6E
                                                            • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AF7B
                                                              • Part of subcall function 1002AC20: lstrcatA.KERNEL32(00000000,?), ref: 1002AC76
                                                              • Part of subcall function 1002AC20: lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AC85
                                                              • Part of subcall function 1002AC20: FindFirstFileA.KERNEL32(00000000,?), ref: 1002ACA1
                                                            • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 1002AFB0
                                                            Strings
                                                            • P, xrefs: 1002AF28
                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 1002AF38
                                                            • Favorites, xrefs: 1002AF5D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocLocallstrcat$CloseFileFindFirstOpenQueryValue
                                                            • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                            • API String ID: 3779601296-2418616894
                                                            • Opcode ID: c7f301a8892c09be8f66952b4e1b8ad4ab08046c3687469b4240e30df41dd5cf
                                                            • Instruction ID: be6ccdae06dda12c8bd7ad760bbdc5e70e015bfb4fdb4b2f3f464b4e32f5f189
                                                            • Opcode Fuzzy Hash: c7f301a8892c09be8f66952b4e1b8ad4ab08046c3687469b4240e30df41dd5cf
                                                            • Instruction Fuzzy Hash: 4B1191B4104301FFE300DF14CC89F9A77A5FB88714F504E1DF648A26A1D7B8A549CB62
                                                            APIs
                                                              • Part of subcall function 100291D0: GetCurrentProcess.KERNEL32(00000028), ref: 100291E0
                                                              • Part of subcall function 100291D0: OpenProcessToken.ADVAPI32(00000000), ref: 100291E7
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10029287
                                                            • Thread32First.KERNEL32(00000000,0000001C), ref: 10029294
                                                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 100292AF
                                                            • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 100292C2
                                                            • ResumeThread.KERNEL32(00000000), ref: 100292CB
                                                            • CloseHandle.KERNEL32(00000000), ref: 100292D2
                                                            • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 100292D5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2312015761-2896544425
                                                            • Opcode ID: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                            • Instruction ID: dc2dfed401e7aafeb9ca4dedbb91efe23decc54c2089ee1b3f1f9eccfc6b96e4
                                                            • Opcode Fuzzy Hash: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                            • Instruction Fuzzy Hash: 2801D135200204BFE200EBA89C81FAF77A8FFC1790F844118FA0486181D770AC0987B7
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(dwmapi.dll,10098C30,100176EF), ref: 100174F6
                                                            • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 1001750F
                                                            • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 1001751B
                                                              • Part of subcall function 100174D0: #102.DWMAPI(00000000,10017526), ref: 100174DB
                                                            • FreeLibrary.KERNEL32(00000000), ref: 10017527
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryProc$#102FreeLoad
                                                            • String ID: DwmEnableComposition$DwmIsCompositionEnabled$dwmapi.dll$ou
                                                            • API String ID: 921056788-1563854943
                                                            • Opcode ID: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                            • Instruction ID: 097d5d8727ad8e33cdd34a5b3c5461012fd188f398f7b1a472d6bf7998d0c64f
                                                            • Opcode Fuzzy Hash: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                            • Instruction Fuzzy Hash: 60E0C22A402D36A7D311B72D5C04CCF16A9FF866E030A0210F908F6111DB30CD4298B2
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015221
                                                            • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10015257
                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100152AB
                                                            • malloc.MSVCRT ref: 100152EC
                                                            • malloc.MSVCRT ref: 100152F7
                                                            • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 10015381
                                                            • free.MSVCRT ref: 10015418
                                                            • free.MSVCRT ref: 1001541F
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015428
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 1291067549-0
                                                            • Opcode ID: 3aff782871feffa6199a4ef382e9e7048e960deebc6dccafa5cb50413d84a3ef
                                                            • Instruction ID: 48d272af8f6520327eeb7844bc7bd323907ec9176bf96048aa0cfdb93c928f0f
                                                            • Opcode Fuzzy Hash: 3aff782871feffa6199a4ef382e9e7048e960deebc6dccafa5cb50413d84a3ef
                                                            • Instruction Fuzzy Hash: 9371D1716083059FD718CF28C880B6BBBE9FBC8745F484A1DF9869B350DA75EA44CB52
                                                            APIs
                                                            • CreateRectRgnIndirect.GDI32(?), ref: 10018486
                                                            • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001851A
                                                            • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001851F
                                                            • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10018530
                                                            • DeleteObject.GDI32(?), ref: 10018537
                                                            • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,10016B8A), ref: 10018547
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                            • String ID:
                                                            • API String ID: 643377033-0
                                                            • Opcode ID: 8ebf0844cbb630079c9b4224c3bcbd82b2710e8a4d60d2e626d4a2adb73fc813
                                                            • Instruction ID: 16a6b537ea68fba0d38db24bfd4872a823279d7589371e79502dbd8e229c51d2
                                                            • Opcode Fuzzy Hash: 8ebf0844cbb630079c9b4224c3bcbd82b2710e8a4d60d2e626d4a2adb73fc813
                                                            • Instruction Fuzzy Hash: 5F5191B56087028BD314DF29D880A5BB7E6FFC8710F15492DF48ACB311EB74EA458B56
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 1002C6F2
                                                            • GetThreadDesktop.USER32(00000000), ref: 1002C6F9
                                                            • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C72C
                                                            • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C737
                                                            • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C75E
                                                            • lstrcmpiA.KERNEL32(?,?), ref: 1002C76D
                                                            • SetThreadDesktop.USER32(00000000), ref: 1002C778
                                                            • CloseDesktop.USER32(00000000), ref: 1002C790
                                                            • CloseDesktop.USER32(00000000), ref: 1002C793
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                            • String ID:
                                                            • API String ID: 3718465862-0
                                                            • Opcode ID: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                            • Instruction ID: 48e542515b6c1ca4d7234bca35d0ba6a1de82816a2056b53806f7647230435d7
                                                            • Opcode Fuzzy Hash: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                            • Instruction Fuzzy Hash: EC11EB751043196BF350DF68DC4AFDB77D8FB84700F010A19F74592191EBB4A549CBA6
                                                            APIs
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F11
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F1F
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F2C
                                                            • #541.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F39
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F46
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F53
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F60
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F6D
                                                            • #540.MFC42(?,?,?,?,10098661,000000FF,10008360,1012B074,00000000,00000000), ref: 10010F90
                                                              • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110F5
                                                              • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110FD
                                                              • Part of subcall function 100110D0: #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                              • Part of subcall function 100110D0: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                              • Part of subcall function 100110D0: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                              • Part of subcall function 100110D0: PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                              • Part of subcall function 100110D0: #860.MFC42(00000000), ref: 1001117C
                                                              • Part of subcall function 100110D0: PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                              • Part of subcall function 100110D0: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                              • Part of subcall function 100110D0: _splitpath.MSVCRT ref: 100111C5
                                                              • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                              • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                              • Part of subcall function 100110D0: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                            • String ID:
                                                            • API String ID: 882339912-0
                                                            • Opcode ID: 9886fada1c81e5c7ea52d6bce4f4a50c005a8f44ba86d2b47653e899cb23410e
                                                            • Instruction ID: 9ce8844b1ae91519f82c9427ceaffad0371baea637e3ddca53f795ffc82fd741
                                                            • Opcode Fuzzy Hash: 9886fada1c81e5c7ea52d6bce4f4a50c005a8f44ba86d2b47653e899cb23410e
                                                            • Instruction Fuzzy Hash: 4B212C780057818ED314DF29D582B5AFBE4FF98B10F40890EE4DA53651DBB4BA09DB63
                                                            APIs
                                                            • OpenClipboard.USER32(00000000), ref: 10017C2A
                                                            • GetClipboardData.USER32(00000001), ref: 10017C36
                                                            • CloseClipboard.USER32 ref: 10017C46
                                                            • GlobalSize.KERNEL32(00000000), ref: 10017C55
                                                            • GlobalLock.KERNEL32(00000000), ref: 10017C5F
                                                            • #823.MFC42(00000001), ref: 10017C68
                                                            • GlobalUnlock.KERNEL32(?), ref: 10017C8F
                                                            • CloseClipboard.USER32 ref: 10017C95
                                                            • #825.MFC42(00000000), ref: 10017CA7
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                            • String ID:
                                                            • API String ID: 15072309-0
                                                            • Opcode ID: 4db2a3092db81ba8cd221ab7812f7ac01f439ef8351ba7ca641189aa6a372f47
                                                            • Instruction ID: eecfb4a29c280975ed6dbc920f88914847c67d08282cb3fbea726f1268ec2aea
                                                            • Opcode Fuzzy Hash: 4db2a3092db81ba8cd221ab7812f7ac01f439ef8351ba7ca641189aa6a372f47
                                                            • Instruction Fuzzy Hash: 0301C4395046246FE710EB649C89ADB36A8FB48652F880229FD0AD6250EB75A904C6F2
                                                            APIs
                                                            • strstr.MSVCRT ref: 1001A901
                                                            • lstrcatA.KERNEL32(1012BBB0,00000000,?,?,?,?,?,?,?,?,?,1001B6D0), ref: 1001A92F
                                                            • lstrcatA.KERNEL32(1012BBB0,100FA644,?,?,?,?,?,?,?,?,?,1001B6D0), ref: 1001A93B
                                                            • lstrcatA.KERNEL32(1012BBB0,1011F63C,?,?,?,?,?,1001B6D0), ref: 1001A9D2
                                                            • lstrcatA.KERNEL32(1012BBB0,1011F62C,?,?,?,?,?,1001B6D0), ref: 1001A9E6
                                                              • Part of subcall function 1002BF60: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BF81
                                                              • Part of subcall function 1002BF60: Process32First.KERNEL32(00000000,00000000), ref: 1002BF9B
                                                              • Part of subcall function 1002BF60: _strcmpi.MSVCRT ref: 1002BFB7
                                                              • Part of subcall function 1002BF60: Process32Next.KERNEL32(00000000,?), ref: 1002BFC6
                                                              • Part of subcall function 1002BF60: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BFD0
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_strcmpistrstr
                                                            • String ID: Skype.exe$Telegram.exe
                                                            • API String ID: 3711747558-160608118
                                                            • Opcode ID: 4e9b1eb5f795319e2145e561dc8f569e3da4823bd29c0f08e6ec0876ff4492fa
                                                            • Instruction ID: 9dedb0bcdbeeb537b4cfed803e7ecb6651a8d292ed761674a2bcb05f373695b6
                                                            • Opcode Fuzzy Hash: 4e9b1eb5f795319e2145e561dc8f569e3da4823bd29c0f08e6ec0876ff4492fa
                                                            • Instruction Fuzzy Hash: B331E8656042CA6BC300CE395CA169B7BD9EF5B294F974564EC88DF311F23ADCC88361
                                                            APIs
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C1BA
                                                            • lstrlenA.KERNEL32 ref: 1002C1D9
                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C1E2
                                                            • CloseHandle.KERNEL32(00000000), ref: 1002C1E9
                                                              • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                              • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                              • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                              • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFileLibraryLoadProc$CloseCreateHandleWritelstrlen
                                                            • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                            • API String ID: 46210954-946259135
                                                            • Opcode ID: 9fb7e4c99a757d5d1bb07248dd9a77cec7368a6b5622d5fb94839e933390e07c
                                                            • Instruction ID: c6cc8adcd457acce24a543496469d423a5f9c6f908ffb90332de9e70c382c7fa
                                                            • Opcode Fuzzy Hash: 9fb7e4c99a757d5d1bb07248dd9a77cec7368a6b5622d5fb94839e933390e07c
                                                            • Instruction Fuzzy Hash: B3115175104310AFE310DF18DC94BEBBBE9FB89710F444929FA48A72A1DB745909CBA2
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10098496,000000FF), ref: 100124D5
                                                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 100124E3
                                                            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10098496,000000FF), ref: 10012522
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10098496,000000FF), ref: 1001252D
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                            • String ID: closesocket$ws2_32.dll$ou
                                                            • API String ID: 1041861973-2818410867
                                                            • Opcode ID: 317a56b4ed2048237b599bc8298f2c595dd1fcad07ede2f21fe3a7db7f7da3e3
                                                            • Instruction ID: 5633d58f56b6f802c8da8f0a53da40118ace4234f90d431c49674e0fc58f6e5b
                                                            • Opcode Fuzzy Hash: 317a56b4ed2048237b599bc8298f2c595dd1fcad07ede2f21fe3a7db7f7da3e3
                                                            • Instruction Fuzzy Hash: 09119AB5204B459BC300DF28DC84B9AFBE8FF84760F440B29F869A3391D77899548AA1
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(user32.dll), ref: 1000BB2D
                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000BB3B
                                                            • strstr.MSVCRT ref: 1000BB74
                                                            • FreeLibrary.KERNEL32(00000000), ref: 1000BB90
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProcstrstr
                                                            • String ID: GetWindowTextA$user32.dll$ou
                                                            • API String ID: 1147820842-4136374823
                                                            • Opcode ID: db07f607d21a583f20db20c6735f1a8b053083e9b5a901446e297e29901bd8f7
                                                            • Instruction ID: eac537b1b91b2636b6f9a25c4ca2e162a8f3820dd06842638cfb43ec00a3305a
                                                            • Opcode Fuzzy Hash: db07f607d21a583f20db20c6735f1a8b053083e9b5a901446e297e29901bd8f7
                                                            • Instruction Fuzzy Hash: 05F0C8395002106BF321DB28CCC4BEB7BE8FF84341F044924F94996264DBB99549C6A1
                                                            APIs
                                                              • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100989C8,000000FF,1000EB8A), ref: 1001256B
                                                              • Part of subcall function 10012560: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,100989C8,000000FF,1000EB8A), ref: 10012585
                                                            • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
                                                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
                                                            • FreeLibrary.KERNEL32(00000000), ref: 10012619
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                                            • String ID: 5$closesocket$ws2_32.dll$ou
                                                            • API String ID: 2819327233-158453285
                                                            • Opcode ID: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                            • Instruction ID: 2761632c92e94d1a980d48baebd45236be465951dd9527d8c45c8e1131a91282
                                                            • Opcode Fuzzy Hash: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                            • Instruction Fuzzy Hash: 83F0A77A100A116BD301EF1C9C84DDB77A8FF84752F440519FE4496201DB34E919C7B2
                                                            APIs
                                                            • _CxxThrowException.MSVCRT(?,100F59A0), ref: 10004DC3
                                                            • #823.MFC42(10004C7C,?,00000004,00000000,00000004,10004C8B,00000004,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10004E37
                                                            • #823.MFC42(00000000,?,?,?,00000000,10097E10,000000FF,76B023A0,10004C8B,?,00000000), ref: 10004E48
                                                            • #825.MFC42(00000000,00000000,?,?,?), ref: 10004EAE
                                                            • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004EB4
                                                            • _CxxThrowException.MSVCRT(?), ref: 10004ED1
                                                            • #825.MFC42(?,?,?,?,?,00000000,10097E10,000000FF,76B023A0,10004C8B,?,00000000), ref: 10004EDE
                                                            • #825.MFC42(10097E10,?,?,?,?,00000000,10097E10,000000FF,76B023A0,10004C8B,?,00000000), ref: 10004EEE
                                                              • Part of subcall function 10004FA0: _ftol.MSVCRT ref: 10004FDF
                                                              • Part of subcall function 10004FA0: #823.MFC42(00000000), ref: 10004FE9
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #825$#823$ExceptionThrow$_ftol
                                                            • String ID:
                                                            • API String ID: 3722084872-0
                                                            • Opcode ID: ea0e6fab0f3b200c2ac8e79381365aba0db2f19d8fc3d3a51e58946881df1860
                                                            • Instruction ID: 1eb660cc6e2df4aa71b2a13b12a972262dfe54efb613c0fda1e7e0f3bddcab5a
                                                            • Opcode Fuzzy Hash: ea0e6fab0f3b200c2ac8e79381365aba0db2f19d8fc3d3a51e58946881df1860
                                                            • Instruction Fuzzy Hash: CE51A5B5A00255ABEF00DF64C891BEEB7B9EF48790F414029F905AB345DF34BE058B95
                                                            APIs
                                                              • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                              • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                              • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                            • GetCursorPos.USER32(?), ref: 10018E2A
                                                            • GetCursorInfo.USER32(?), ref: 10018E4B
                                                            • DestroyCursor.USER32(?), ref: 10018E74
                                                            • GetTickCount.KERNEL32 ref: 10018F68
                                                            • Sleep.KERNEL32(00000001), ref: 10018F7D
                                                            • GetTickCount.KERNEL32 ref: 10018F7F
                                                            • GetTickCount.KERNEL32 ref: 10018F8C
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10018F90
                                                            Similarity
                                                            • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                                            • String ID:
                                                            • API String ID: 3294368536-0
                                                            • Opcode ID: 63450e5a0fe822e0395a25f919a40c26dd4f4efe6c8cd92b0433666551f734c0
                                                            • Instruction ID: 1ea9e8ebc3ff77753162b4b2b036303d6ca19110352040df77f1d61fb4639ff5
                                                            • Opcode Fuzzy Hash: 63450e5a0fe822e0395a25f919a40c26dd4f4efe6c8cd92b0433666551f734c0
                                                            • Instruction Fuzzy Hash: 265181752007049FD724DF28C884A6AB3E6FFC8350B544A2DF586CB651D730FA86CB61
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071
                                                            • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100150A7
                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6
                                                            • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10015123
                                                            • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10015178
                                                            • #825.MFC42(00000000), ref: 100151BD
                                                            • RegCloseKey.ADVAPI32(?), ref: 100151CA
                                                            • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8
                                                            Similarity
                                                            • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                            • String ID:
                                                            • API String ID: 601778281-0
                                                            • Opcode ID: 1ce751000493436edd1ec85b03782dd988cc6b25906ba9008f3a9b543ed6fd7c
                                                            • Instruction ID: 4b5b00cc76cbe3299748f3fbd7ead03af72bbb381f34cc8e82e5542358ecfbd2
                                                            • Opcode Fuzzy Hash: 1ce751000493436edd1ec85b03782dd988cc6b25906ba9008f3a9b543ed6fd7c
                                                            • Instruction Fuzzy Hash: 8D518071604306AFD314DF28CC91B6BB7E9FB88610F584A2DF949DB380D635ED058BA2
                                                            APIs
                                                            • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A40F
                                                            • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A417
                                                            • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A439
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A44B
                                                            • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A458
                                                            • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 1000A460
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A497
                                                            • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10098081,000000FF,10009756,-00000008,?,?,?), ref: 1000A4D8
                                                            Similarity
                                                            • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                            • String ID:
                                                            • API String ID: 1074130261-0
                                                            • Opcode ID: 6350f1f2d4d170595dd3b609a8f0085ddd945eda5729c850802c71e87cc507af
                                                            • Instruction ID: 15c9be6c0cdb5c9e4d0173154dbddd38cbee61e7854d4a8b0a5558341a99fe4d
                                                            • Opcode Fuzzy Hash: 6350f1f2d4d170595dd3b609a8f0085ddd945eda5729c850802c71e87cc507af
                                                            • Instruction Fuzzy Hash: FE41E2396407549FD710CF19C8C869ABBE5FBC9AA0F44862EEC5A87351C7759D80CB40
                                                            APIs
                                                            Similarity
                                                            • API ID: _strnicmp
                                                            • String ID: CONNECT $GET $HEAD $POST
                                                            • API String ID: 2635805826-4031508290
                                                            • Opcode ID: db007650dd00c0ac6180381b20bbf3d8d239f44ac46bea43200cb644bc6fc341
                                                            • Instruction ID: 012f8f1bab248a6834d13abe60be589de9175014240b925c74764c6b752a3023
                                                            • Opcode Fuzzy Hash: db007650dd00c0ac6180381b20bbf3d8d239f44ac46bea43200cb644bc6fc341
                                                            • Instruction Fuzzy Hash: 21014C353006116BE700EA6DFC00BCAB3D9FF85755F860466E944DA290E3B899458B95
                                                            APIs
                                                            Similarity
                                                            • API ID: sprintf$floor
                                                            • String ID: %.0f
                                                            • API String ID: 389794084-4293663076
                                                            • Opcode ID: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                            • Instruction ID: a274ceac6ce3522e1593489d29bd3f77ae1b15863641420014f16e45a4b04ce6
                                                            • Opcode Fuzzy Hash: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                            • Instruction Fuzzy Hash: F0417CB1A04615A7F3028B54ED9879777ACFFC23D6F044261FE8892294DB21D974C7E2
                                                            APIs
                                                            • mbstowcs.MSVCRT ref: 1002544C
                                                            • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,756F0440,1012C940), ref: 10025472
                                                            • wcslen.MSVCRT ref: 100254B2
                                                            • malloc.MSVCRT ref: 100254BA
                                                            • wsprintfA.USER32 ref: 100254CC
                                                            • strncpy.MSVCRT ref: 100254DD
                                                            • free.MSVCRT ref: 100254E4
                                                            Similarity
                                                            • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                            • String ID:
                                                            • API String ID: 4292357205-0
                                                            • Opcode ID: 996f182e4eaca770aebca2e2dc31204225a4ef886ee2811c3a3753bade0f0f89
                                                            • Instruction ID: 557e80256ca594a6fbaa7155c5dede8bb08721d40b80f00c8ee40f21b64cfd6f
                                                            • Opcode Fuzzy Hash: 996f182e4eaca770aebca2e2dc31204225a4ef886ee2811c3a3753bade0f0f89
                                                            • Instruction Fuzzy Hash: C33115751097626BD315CF24DC409EBBBE9FB88751F400A2CF99AC3281D771DA058B96
                                                            APIs
                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CBB5
                                                            • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CBC9
                                                            • recv.WS2_32(?,?,00002000,00000000), ref: 1002CBE2
                                                            • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CC0A
                                                            • recv.WS2_32(?,?,00002000,00000000), ref: 1002CC23
                                                            • closesocket.WS2_32 ref: 1002CC59
                                                            • closesocket.WS2_32(?), ref: 1002CC5C
                                                            Similarity
                                                            • API ID: closesocketrecv$select
                                                            • String ID:
                                                            • API String ID: 2008065562-0
                                                            • Opcode ID: b619ac7b9004eac4af8fc18577bf65ec3241826cea9485446d0ee020362c6dc5
                                                            • Instruction ID: 9e01edbcc11b0b78944ccf98f445ce25479c223fa328e15eb5ed2904f72659ce
                                                            • Opcode Fuzzy Hash: b619ac7b9004eac4af8fc18577bf65ec3241826cea9485446d0ee020362c6dc5
                                                            • Instruction Fuzzy Hash: B031A4752043596BE320CBA4EC86FEB77DCEB807C0F950829EA49E6181D774F90486F2
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098B91,000000FF), ref: 10016675
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,10098B91,000000FF), ref: 10016682
                                                            • #823.MFC42(000001F0), ref: 100166B0
                                                            • #823.MFC42(000001F0), ref: 100166E1
                                                              • Part of subcall function 10017D20: LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                            • #823.MFC42(000001F0), ref: 10016708
                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                            Similarity
                                                            • API ID: #823$ExchangeInterlocked$CloseCursorHandleLoadObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 3589420723-0
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 1002A132
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002A139
                                                            • _ftol.MSVCRT ref: 1002A23D
                                                            • Sleep.KERNEL32(000003E8), ref: 1002A26E
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcSleep_ftol
                                                            • String ID: NtQuerySystemInformation$ntdll
                                                            • API String ID: 720640769-3593917365
                                                            APIs
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000947B
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF), ref: 10009494
                                                            • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094B7
                                                            • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094C0
                                                            • LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094CE
                                                            • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094FC
                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009524
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                                            • String ID:
                                                            • API String ID: 2793549963-0
                                                            APIs
                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?), ref: 1000771C
                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10007792
                                                            • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 100077A7
                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 100077C4
                                                            • CloseHandle.KERNEL32(00000000,?,?), ref: 100077CB
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateFolderHandlePathPointerSpecialWrite
                                                            • String ID: p
                                                            • API String ID: 2004626570-2181537457
                                                            APIs
                                                              • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                              • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                              • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                              • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                              • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                            • ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                            • socket.WS2_32 ref: 10004A86
                                                            • gethostbyname.WS2_32(?), ref: 10004AA6
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                                            • String ID:
                                                            • API String ID: 513860241-0
                                                            APIs
                                                            • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116CA
                                                            • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116DB
                                                            • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116ED
                                                            • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116F9
                                                            • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 1001173E
                                                            • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011756
                                                              • Part of subcall function 10011790: #540.MFC42 ref: 100117B7
                                                              • Part of subcall function 10011790: #2818.MFC42(00000000, %c%s,?,?), ref: 100117E0
                                                              • Part of subcall function 10011790: #2763.MFC42(00000020), ref: 100117FD
                                                              • Part of subcall function 10011790: #537.MFC42(100FACDC,00000000,00000020), ref: 10011815
                                                              • Part of subcall function 10011790: #537.MFC42(100FB4F0,100FACDC,00000000,00000020), ref: 1001182A
                                                              • Part of subcall function 10011790: #922.MFC42(?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001183B
                                                              • Part of subcall function 10011790: #922.MFC42(?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001184C
                                                              • Part of subcall function 10011790: #939.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001185B
                                                              • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011869
                                                              • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011877
                                                              • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011885
                                                              • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011893
                                                              • Part of subcall function 10011790: #535.MFC42(00000000), ref: 100118F0
                                                              • Part of subcall function 10011790: #800.MFC42(00000000), ref: 10011906
                                                            • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,100987F8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011766
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                                                            • String ID:
                                                            • API String ID: 37758464-0
                                                            APIs
                                                            • Sleep.KERNEL32(0000000A), ref: 1001797C
                                                            • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1001799A
                                                            • PostMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 100179AD
                                                            • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 100179C9
                                                            • PostMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 100179DC
                                                              • Part of subcall function 10017350: WaitForSingleObject.KERNEL32(?), ref: 10017379
                                                              • Part of subcall function 10017350: CloseHandle.KERNEL32(?), ref: 10017386
                                                              • Part of subcall function 10017350: #823.MFC42(00000110), ref: 100173AA
                                                            • BlockInput.USER32(?), ref: 100179EE
                                                              • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000000), ref: 10017CD7
                                                              • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000001), ref: 10017CE0
                                                            • BlockInput.USER32(00000000), ref: 10017A21
                                                            Yara matches
                                                            Similarity
                                                            • API ID: System$BlockInfoInputMessageMetricsParametersPost$#823CloseHandleObjectSingleSleepWait
                                                            • String ID:
                                                            • API String ID: 3920574744-0
                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000), ref: 10025999
                                                            • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 100259C8
                                                              • Part of subcall function 10024700: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024724
                                                              • Part of subcall function 10024700: #823.MFC42(00000002,?,00000000,00000000), ref: 10024731
                                                              • Part of subcall function 10024700: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002474D
                                                            • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 100259FD
                                                            • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 10025A05
                                                            • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 10025A12
                                                            • NetApiBufferFree.NETAPI32(?), ref: 10025A44
                                                            • LocalFree.KERNEL32(?), ref: 10025A4E
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                                                            • String ID:
                                                            • API String ID: 1574401665-0
                                                            • Opcode ID: 6fe5fd58d8ee82ea9393aadbb7557f19d2e1071f35b8592cf17d8dff8678a0a3
                                                            • Instruction ID: 6eec9c2782751250a0be1b7ab04284a5aa44dfebb385743ab58da5b817ddab4a
                                                            • Opcode Fuzzy Hash: 6fe5fd58d8ee82ea9393aadbb7557f19d2e1071f35b8592cf17d8dff8678a0a3
                                                            • Instruction Fuzzy Hash: 5E21BEB56083016FD300DF68ECC2E6BBBECEB84700F44082DF58587212DA74E94C8BA2
                                                            APIs
                                                            • htons.WS2_32 ref: 10023603
                                                            • inet_addr.WS2_32(?), ref: 10023619
                                                            • inet_addr.WS2_32(?), ref: 10023637
                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 10023643
                                                            • setsockopt.WS2_32 ref: 1002366E
                                                            • connect.WS2_32(?,?,00000010), ref: 1002367E
                                                            • closesocket.WS2_32 ref: 1002368C
                                                              • Part of subcall function 100233D0: gethostbyname.WS2_32(?), ref: 100233D5
                                                              • Part of subcall function 100233D0: inet_ntoa.WS2_32(00000000), ref: 100233E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                            • String ID:
                                                            • API String ID: 1372979013-0
                                                            • Opcode ID: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                            • Instruction ID: 39bc2628e44f28d98c88e5444450c5f814f4e04a5d8b8e63c57a2dc5f5728de5
                                                            • Opcode Fuzzy Hash: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                            • Instruction Fuzzy Hash: DE118E74504311ABE310DF289C89AABB7E8FF84360F548A1DF598D62D1E7B0D5448B92
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 100172AD
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 100172B8
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098BF6,000000FF,1000CE1B), ref: 100172C9
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098BF6,000000FF,1000CE1B), ref: 100172D4
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098BF6,000000FF,1000CE1B), ref: 100172E3
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098BF6,000000FF,1000CE1B), ref: 100172EC
                                                            • DestroyCursor.USER32(?), ref: 1001731C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                                            • String ID:
                                                            • API String ID: 2236516186-0
                                                            • Opcode ID: 4fc066552331a9b753ce804f4efc897c066582561d64707b9c41e62612b136bc
                                                            • Instruction ID: 873cdca44efa60ec6db996f9dbefe7e42f31b0f6f63ca51d9f4cbc2009f4f1ed
                                                            • Opcode Fuzzy Hash: 4fc066552331a9b753ce804f4efc897c066582561d64707b9c41e62612b136bc
                                                            • Instruction Fuzzy Hash: FA211D752007559FD224DB69CC80BD6B3E8FF89720F150B1EE6AA97390CBB5B8018B91
                                                            APIs
                                                            • Sleep.KERNEL32(00000064,?,?), ref: 1002CEF1
                                                            • wsprintfA.USER32 ref: 1002CF1C
                                                            • closesocket.WS2_32(00000000), ref: 1002CF34
                                                            • TerminateThread.KERNEL32(?,00000000), ref: 1002CF6C
                                                            • CloseHandle.KERNEL32(1012E314), ref: 1002CF73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                            • String ID: nsocket-di:%d
                                                            • API String ID: 1790861966-355283319
                                                            • Opcode ID: d4ad5069f22e8002b49ebd921c70fc0b978fa034c0404fe3f575d6b18d6195fa
                                                            • Instruction ID: cdf4fee1ae8db883b46f4a18b858b7db2e5338d41a9e03fa03d21406ba665881
                                                            • Opcode Fuzzy Hash: d4ad5069f22e8002b49ebd921c70fc0b978fa034c0404fe3f575d6b18d6195fa
                                                            • Instruction Fuzzy Hash: AA118834600265ABD750DB2CECC8F923BE5F740364F644229E808D77A8D778A84ACBA1
                                                            APIs
                                                            • GetSystemMetrics.USER32(00000000), ref: 1000EA0F
                                                            • GetSystemMetrics.USER32(00000001), ref: 1000EA13
                                                            • ChangeDisplaySettingsA.USER32 ref: 1000EA49
                                                            • ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000EA56
                                                            • ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000EA66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ChangeDisplaySettings$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 840903655-3916222277
                                                            • Opcode ID: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                            • Instruction ID: 9ef3ec576e7027de0717f9877b67978966fede7fd05d5f4f5218d1c1f9d83b39
                                                            • Opcode Fuzzy Hash: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                            • Instruction Fuzzy Hash: F3F03A31A58324AAF720DB748D45F9B7AE4BF44B48F44091DB6589A1D0E7F5A4088F93
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B3BF,?,?,?), ref: 1001AD69
                                                            • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AD7B
                                                            • FreeLibrary.KERNEL32(00000000), ref: 1001ADA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: RtlGetNtVersionNumbers$ntdll.dll$ou
                                                            • API String ID: 145871493-651161111
                                                            • Opcode ID: 564185d21d0a2884fa8180f79d4cfa473eb3de85f2085817f5be64484bbe9a88
                                                            • Instruction ID: 4bb39ff8cc9eb2274461f872c6a94059e0b807a4ed658505fc8f7113cdd27df8
                                                            • Opcode Fuzzy Hash: 564185d21d0a2884fa8180f79d4cfa473eb3de85f2085817f5be64484bbe9a88
                                                            • Instruction Fuzzy Hash: E2F0307A3016626BD351DF29DC8899B77A5EFC5711B154928F809D7340C738DC42C7B1
                                                            APIs
                                                            • CreateDIBSection.GDI32(?,00000000,00000000,76435D50,00000000,00000000), ref: 100185E1
                                                            • SelectObject.GDI32(00000000,00000000), ref: 100185EF
                                                            • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
                                                            • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001862F
                                                            • DeleteObject.GDI32(?), ref: 10018685
                                                            • free.MSVCRT ref: 10018694
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CreateDeleteSectionSelectfree
                                                            • String ID:
                                                            • API String ID: 2595996717-0
                                                            • Opcode ID: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                            • Instruction ID: fa73614132ced6616fd7bc227f346a67f57bb193df799f847b61321046b9127f
                                                            • Opcode Fuzzy Hash: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                            • Instruction Fuzzy Hash: E34126B5600705AFD714DF68CC84E6BB7EAFB88600F14891DF98A8B390D670EE458B61
                                                            APIs
                                                            • BlockInput.USER32(00000000), ref: 10016966
                                                            • BlockInput.USER32(?,?,?), ref: 10016989
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 100169A0
                                                            • BlockInput.USER32(?,?,?), ref: 100169A9
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 100169C0
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 100169D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BlockExchangeInputInterlocked
                                                            • String ID:
                                                            • API String ID: 3466551546-0
                                                            • Opcode ID: a68a8d8315b8aecd7e9a85022baec64c8f8fafa141470f5a7ff8bb101bc346ec
                                                            • Instruction ID: f5de751bbc59c9fe2e4e11a77efb486bd7b1c0e5de6b033e1d032c1a72320526
                                                            • Opcode Fuzzy Hash: a68a8d8315b8aecd7e9a85022baec64c8f8fafa141470f5a7ff8bb101bc346ec
                                                            • Instruction Fuzzy Hash: 8631E33B3086A156D294E738BC51DEFA755EFD9320B44893BF5869A241CA20E89683B4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: malloc$realloc$strstr
                                                            • String ID:
                                                            • API String ID: 686937093-0
                                                            • Opcode ID: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
                                                            • Instruction ID: f12e391fd8c4db450d37198345dff2d4bae4fbfc056869d3ddab37a8f09edeef
                                                            • Opcode Fuzzy Hash: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
                                                            • Instruction Fuzzy Hash: E23146766002114FC704CF3CAC8426AFBE5EBC9622F45066DEA89C3390DE75DD0A87A2
                                                            APIs
                                                            • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10017EFB,?,?,?,?,?,?,00000000), ref: 100188AB
                                                            • GetDC.USER32(00000000), ref: 10018906
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10018913
                                                            • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10018926
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 1001892F
                                                            • DeleteObject.GDI32(00000000), ref: 10018936
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                            • String ID:
                                                            • API String ID: 1489246511-0
                                                            APIs
                                                            • #823.MFC42(?,0000005C,00000000,00000000,00000060,00000000,10018C0A,?,?,00000001), ref: 100190FB
                                                            • GetDC.USER32(00000000), ref: 10019156
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10019163
                                                            • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019176
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 1001917F
                                                            • DeleteObject.GDI32(00000000), ref: 10019186
                                                            Similarity
                                                            • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                            • String ID:
                                                            • API String ID: 1489246511-0
                                                            APIs
                                                            Similarity
                                                            • API ID: strncmp
                                                            • String ID: false$null$true
                                                            • API String ID: 1114863663-2913297407
                                                            APIs
                                                            • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008505
                                                            • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000850C
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008539
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000854C
                                                            • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000859A
                                                            • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 100085BD
                                                            Similarity
                                                            • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                            • String ID:
                                                            • API String ID: 2070391518-0
                                                            APIs
                                                            • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AAA
                                                            • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ABB
                                                            • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ACC
                                                            • #825.MFC42(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AF5
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B2A
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B3D
                                                            Similarity
                                                            • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                            • String ID:
                                                            • API String ID: 3981934315-0
                                                            APIs
                                                            • _snprintf.MSVCRT ref: 1002CDDF
                                                              • Part of subcall function 1002CCE0: inet_addr.WS2_32(?), ref: 1002CCEA
                                                            • recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CE41
                                                            • CreateThread.KERNEL32(00000000,00000000,1002CD00,?,00000000,?), ref: 1002CE90
                                                            • CloseHandle.KERNEL32(00000000), ref: 1002CEA4
                                                            • Sleep.KERNEL32(000003E8), ref: 1002CEAD
                                                            • closesocket.WS2_32(00000000), ref: 1002CEC1
                                                            Similarity
                                                            • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                            • String ID:
                                                            • API String ID: 1576220768-0
                                                            APIs
                                                            • wsprintfA.USER32 ref: 1002527A
                                                              • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                              • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                              • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                              • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                            • lstrlenA.KERNEL32(?), ref: 100252A6
                                                            • lstrlenA.KERNEL32(?), ref: 100252B2
                                                            Similarity
                                                            • API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
                                                            • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                            • API String ID: 2676723305-3034822107
                                                            APIs
                                                            Similarity
                                                            • API ID: getenvmallocsscanf
                                                            • String ID: %ld%c$JPEGMEM$x
                                                            • API String ID: 677315340-3402169052
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
                                                              • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
                                                            • ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
                                                            • ExitProcess.KERNEL32 ref: 1000ECF5
                                                            Similarity
                                                            • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                            • String ID: <$runas
                                                            • API String ID: 984616556-1187129395
                                                            • Opcode ID: 270b7c88ad559ff0413a8ca2eda90aadb4643be4303ded88fe21c888fcf33843
                                                            • Instruction ID: 12e13802e1c679c18e6c17261305313e00af4dc41eecc125e8069397468085b0
                                                            • Opcode Fuzzy Hash: 270b7c88ad559ff0413a8ca2eda90aadb4643be4303ded88fe21c888fcf33843
                                                            • Instruction Fuzzy Hash: 2E21C3711087449FE314DB68C8147ABB7D5FBC4350F400E2DEB9AA32D0DBB59A09CB96
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006B17,00000000), ref: 10006F50
                                                            • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006B17,00000000), ref: 10006F77
                                                            • GetProcessHeap.KERNEL32(00000000,10006B17,?,10006B17,00000000), ref: 10006F80
                                                            • HeapFree.KERNEL32(00000000), ref: 10006F87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Free$Heap$LibraryProcessVirtual
                                                            • String ID: ou
                                                            • API String ID: 548792435-3837949563
                                                            • Opcode ID: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                            • Instruction ID: eb7fda223cfc753f1fed3d2c8a6d49319030a12fba69635afc4c9d01848446bd
                                                            • Opcode Fuzzy Hash: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                            • Instruction Fuzzy Hash: E8112A756007129BE720CF69DC84F57B3E9BF48790F154A28F56AD7694DB30F8418B60
                                                            APIs
                                                            • ShellExecuteExA.SHELL32 ref: 10009EC1
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009ED2
                                                            • CloseHandle.KERNEL32(?), ref: 10009EDD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseExecuteHandleObjectShellSingleWait
                                                            • String ID: <$@
                                                            • API String ID: 3837156514-1426351568
                                                            • Opcode ID: a256fbbcab775a1f3604715199f882c7f0444da02567230ad93e6343b4ac91f9
                                                            • Instruction ID: 4f3a71a7022bf43642dcc1f3ab8c414678e0bae02fb7ae8385496add38081c6f
                                                            • Opcode Fuzzy Hash: a256fbbcab775a1f3604715199f882c7f0444da02567230ad93e6343b4ac91f9
                                                            • Instruction Fuzzy Hash: 86F08C715083409BE704CF28C848A5BBBE4BFC4350F084A2DF289972A0DBB6DA44CB96
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098BA0,000000FF), ref: 10010B7D
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                            • Sleep.KERNEL32(00000096,?,?,?,?,?,10098BA0,000000FF), ref: 10010B97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProcSleep
                                                            • String ID: KERNEL32.dll$WaitForSingleObject
                                                            • API String ID: 188063004-3889371928
                                                            • Opcode ID: 1505c6372a6b5f5a7e2015909548fb5756e583b9251caf1c5d531eae02cc10d3
                                                            • Instruction ID: 2f25d5efcf6a9ea09ffc80339e96632aadd97f0a1fca395ea0de9424a810f75f
                                                            • Opcode Fuzzy Hash: 1505c6372a6b5f5a7e2015909548fb5756e583b9251caf1c5d531eae02cc10d3
                                                            • Instruction Fuzzy Hash: 67D0C7790041256BEA2457A4AD4CDEA3654FB493317040744F525512D1CE609C40C770
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea42a18e97e3a82291b809ecb384a12a17950c0088f0337ebea46ea9f423f3cf
                                                            • Instruction ID: c650882347852e35ffcbb4eb416d17d698f5a118f4f7130cf3c30c4ac611ed04
                                                            • Opcode Fuzzy Hash: ea42a18e97e3a82291b809ecb384a12a17950c0088f0337ebea46ea9f423f3cf
                                                            • Instruction Fuzzy Hash: E141D5B27003056FF704DF689C81B6777D9FB48395F24452AFA05DB686DB71E80487A0
                                                            APIs
                                                              • Part of subcall function 10005230: #823.MFC42 ref: 1000525B
                                                              • Part of subcall function 10005230: #823.MFC42(?), ref: 1000526A
                                                            • lstrlenA.KERNEL32(?), ref: 1002956B
                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029588
                                                            • lstrlenA.KERNEL32(?), ref: 100295C8
                                                            • LocalSize.KERNEL32(00000000), ref: 1002960C
                                                            • LocalFree.KERNEL32(00000000), ref: 1002961E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$#823lstrlen$AllocFreeSize
                                                            • String ID:
                                                            • API String ID: 933119475-0
                                                            • Opcode ID: cdae7a904792e846fd3fea4e9af41df8df69cf0f4685c43a3f35d7d847db5761
                                                            • Instruction ID: 66cafd84c347b934c93c31af2def3639912b3c360cb7e4f3ee6df9913f2fed7c
                                                            • Opcode Fuzzy Hash: cdae7a904792e846fd3fea4e9af41df8df69cf0f4685c43a3f35d7d847db5761
                                                            • Instruction Fuzzy Hash: E631AB752087528FD310CF18C884B5BBBE4FB89754F940A1DF99AA3390DB35E905CBA2
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?), ref: 10017379
                                                            • CloseHandle.KERNEL32(?), ref: 10017386
                                                            • #823.MFC42(00000110), ref: 100173AA
                                                            • #823.MFC42(00000110), ref: 100173DB
                                                              • Part of subcall function 10018A50: LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                            • #823.MFC42(00000110), ref: 10017402
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823$CloseCursorHandleLoadObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 1032503192-0
                                                            • Opcode ID: 8dbd4dfffa7eb4f864a54e535c0165c7bec501c83a43a45126eceedb3b9b9d2e
                                                            • Instruction ID: 8f96a806d7b5fd2ee7e66a16f29252d08fbc7d9ad732bc0053a0653226171b49
                                                            • Opcode Fuzzy Hash: 8dbd4dfffa7eb4f864a54e535c0165c7bec501c83a43a45126eceedb3b9b9d2e
                                                            • Instruction Fuzzy Hash: 2431C4746447419BE720DB349C42BCABAE5FF49700F10092DF6AA9A2C2D7B1E584C792
                                                            APIs
                                                            • CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
                                                            • SelectObject.GDI32(?,00000000), ref: 100192CD
                                                            • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
                                                            • DeleteObject.GDI32(?), ref: 10019332
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CreateDeleteSectionSelect
                                                            • String ID:
                                                            • API String ID: 3188413882-0
                                                            • Opcode ID: c47ec7ba65a712e0d1f3a3476198e4529758ddf825267e59d987f02d8c4fa404
                                                            • Instruction ID: 171a801546ab23d17400ea9514ceaa77a6b5348b798b605dacd974edddfe344e
                                                            • Opcode Fuzzy Hash: c47ec7ba65a712e0d1f3a3476198e4529758ddf825267e59d987f02d8c4fa404
                                                            • Instruction Fuzzy Hash: C831D2B6200705AFD214DF59CC84E27F7AAFB88600F148A1EFA5987791C771F9008BA0
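Three of the entries above are more useful read as ordered call chains than as isolated imports: GetModuleFileNameA, ShellExecuteExA and ExitProcess next to the string "runas" (ref 1000EC48), LoadLibraryA followed by GetProcAddress with "WaitForSingleObject" as the name (ref 10010B7D), and CreateDIBSection, SelectObject, BitBlt, DeleteObject with the 00CC0020 (SRCCOPY) raster op (ref 100192BE). The Python below is an added example written for this page, not Joe Sandbox code and not anything recovered from V6bBcEdp5a.dll: it parses API bullets in the report's own format and flags such chains with a subsequence match. The pattern labels, the condensed SAMPLE_REPORT text (copied from the entries above but with each String ID line placed under its own entry) and the has_immediate() check are assumptions for the example.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (example written for this page)."""
import re
from dataclasses import dataclass, field

# Constructed sample: APIs bullets of three entries from the report above, with the
# String ID line of each entry placed under it so the example is self-contained.
SAMPLE_REPORT = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
  • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
• ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
• ExitProcess.KERNEL32 ref: 1000ECF5
• String ID: <$runas
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10), ref: 10010B7D
• GetProcAddress.KERNEL32(00000000), ref: 10010B84
• Sleep.KERNEL32(00000096,?,?,?,?,?,10098BA0,000000FF), ref: 10010B97
• String ID: KERNEL32.dll$WaitForSingleObject
APIs
• CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
• SelectObject.GDI32(?,00000000), ref: 100192CD
• BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
• BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
• DeleteObject.GDI32(?), ref: 10019332
"""

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s(.]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HEX_RE = re.compile(r"-?[0-9A-Fa-f]+")

# Ordered call chains (subsequence match) plus strings that must also be present.
# Labels are this example's own naming, not Joe Sandbox signature names.
PATTERNS = {
    # GetModuleFileNameA -> ShellExecuteExA -> ExitProcess with a "runas" verb:
    # relaunch own image through a UAC prompt, then quit (a prompt, not a bypass).
    "self_relaunch_elevated": (("GetModuleFileNameA", "ShellExecuteExA", "ExitProcess"), {"runas"}),
    "dynamic_api_resolution": (("LoadLibraryA", "GetProcAddress"), set()),
    # DIB section + BitBlt (00CC0020 is SRCCOPY) is a screen-grab helper.
    "gdi_screen_capture": (("CreateDIBSection", "SelectObject", "BitBlt", "DeleteObject"), set()),
}

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool  # True for "Part of subcall function" lines

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_report(text):
    """Split report text into Entry objects; a bare 'APIs' line starts a new entry."""
    entries = []
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            entries.append(Entry())
            continue
        if not entries:
            continue  # ignore anything before the first APIs header
        if m := API_RE.match(raw):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            entries[-1].calls.append(
                Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
        elif (m := STR_RE.match(raw)) and m["ids"]:
            entries[-1].strings.extend(m["ids"].split("$"))  # Joe Sandbox joins strings with '$'
    return entries

def is_subsequence(needle, haystack):
    """True if every item of needle occurs in haystack in the same relative order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)

def match_patterns(entry):
    names = [c.api for c in entry.calls]  # direct calls and subcalls, in listing order
    return [label for label, (chain, needed) in PATTERNS.items()
            if is_subsequence(chain, names) and needed <= set(entry.strings)]

def has_immediate(entry, value):
    """True if a numeric argument or a one-character string in the entry equals value.
    Used for the 0x3C next to ShellExecuteExA: 60 bytes is sizeof(SHELLEXECUTEINFOA)
    on x86, and chr(0x3C) is the '<' that appears in that entry's String ID."""
    for c in entry.calls:
        for a in c.args:
            if HEX_RE.fullmatch(a) and int(a, 16) == value:
                return True
    return any(len(s) == 1 and ord(s) == value for s in entry.strings)

def triage(text):
    """Map entry index -> matched pattern labels, skipping entries without a hit."""
    return {i: hits for i, e in enumerate(parse_report(text)) if (hits := match_patterns(e))}

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_REPORT).items():
        print(f"entry {i}: {', '.join(hits)}")
```

Subcall lines are kept in the sequence on purpose: GetVersionExA at 1000EBF3 sits between GetModuleFileNameA and ShellExecuteExA in the listing, and a subsequence match tolerates such interleaving where an exact-sequence match would not. Feeding the helper a whole report section means pasting the entries as they appear; the only format assumption is that each entry begins with a line reading exactly "APIs".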
                                                            APIs
                                                            • #825.MFC42(?,?), ref: 10021741
                                                            • #825.MFC42(?), ref: 1002179E
                                                            • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 100217B2
                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 100217D5
                                                            • #825.MFC42(00000000), ref: 100217E0
                                                              • Part of subcall function 10022A10: #825.MFC42(?,?,1012C5E0,?,1002173E,?), ref: 10022A32
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #825$Lockit@std@@$??0_??1_
                                                            • String ID:
                                                            • API String ID: 3320149174-0
                                                            • Opcode ID: e88cc035414a4eecdb1600c2d308aa21f44ccbb3d5e229f28068f4119bc2d584
                                                            • Instruction ID: b875ac76ea1580ddc704d85c89bd73b7fa86a24b272e51b3c4d0c49a450fd382
                                                            • Opcode Fuzzy Hash: e88cc035414a4eecdb1600c2d308aa21f44ccbb3d5e229f28068f4119bc2d584
                                                            • Instruction Fuzzy Hash: B0319C79604715AFC710DFA8E8C085AB3E5FB98650BA5881EE85AC3710EB34FC05CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InternetOpen
                                                            • String ID: y$y
                                                            • API String ID: 2038078732-2085659379
                                                            • Opcode ID: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                            • Instruction ID: b3f128dd8a4f2f937591d2b39a566a4fd65ce5111e4adbe3f1b9da6999f925d3
                                                            • Opcode Fuzzy Hash: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                            • Instruction Fuzzy Hash: F0212C796082145BD200DB68BC95AAF77D9EBC4610F440439FD49D7341DBB5EA0982E7
                                                            APIs
                                                            • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100988B8,000000FF,10011468,00000000,100114A3,00000000,00000000,00000000), ref: 10011A82
                                                            • #4278.MFC42(1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100988B8,000000FF,10011468,00000000,100114A3), ref: 10011A9E
                                                            • #6883.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100988B8,000000FF,10011468), ref: 10011AB2
                                                            • #800.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100988B8,000000FF,10011468), ref: 10011AC3
                                                            • #6662.MFC42(0000005C,00000001,?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100988B8), ref: 10011AD0
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #6662$#4278#6883#800
                                                            • String ID:
                                                            • API String ID: 2113711092-0
                                                            • Opcode ID: ce5c2fd29044ecbc06f65e1a91b8daa4192fb269380a21920263f3a84fe5d33c
                                                            • Instruction ID: 88462a0fb01e46461e5e93089cd09140ffec7544d5d98727144cfa5e45c3ccaa
                                                            • Opcode Fuzzy Hash: ce5c2fd29044ecbc06f65e1a91b8daa4192fb269380a21920263f3a84fe5d33c
                                                            • Instruction Fuzzy Hash: 1011C3367016159BDB08DF299C45BAE7B95EF846B0F81072CF82A8B6C0DA34AC458691
                                                            APIs
                                                            • strchr.MSVCRT ref: 100208AD
                                                            • strchr.MSVCRT ref: 100208C7
                                                            • lstrlenA.KERNEL32(?,00000002,0000005C), ref: 100208D1
                                                            • #2919.MFC42(00000000,00000002,0000005C), ref: 100208F4
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strchr$#2919lstrlen
                                                            • String ID:
                                                            • API String ID: 1093553519-0
                                                            • Opcode ID: b5bf58f5361a2fc48a0ca4a2f8e67d2e2c0cf09dadb73c3a0aa1442321deaa8a
                                                            • Instruction ID: f2630845201680edcdc5376cd930815675a4f4c7c1067f795d086cb6423b05f7
                                                            • Opcode Fuzzy Hash: b5bf58f5361a2fc48a0ca4a2f8e67d2e2c0cf09dadb73c3a0aa1442321deaa8a
                                                            • Instruction Fuzzy Hash: 1101E1327056290BD214D9A8BC90A6FB7DDEBC55A2F46053FFC86E3242DA118D0593E1
                                                            APIs
                                                            • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,1000878E,00000001,00000001,?,00000001,00000001,00000001), ref: 1000956E
                                                            • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,1000878E), ref: 10009583
                                                            • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,1000878E), ref: 100095B0
                                                            • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095CD
                                                            • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095E7
                                                              • Part of subcall function 10009600: CloseHandle.KERNEL32(?,00000000,100095E2,?,?,00000065,1000878E), ref: 1000960F
                                                              • Part of subcall function 10009600: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,100095E2,?,?,00000065,1000878E), ref: 1000963C
                                                              • Part of subcall function 10009600: #825.MFC42(00000001,?,?,00000065,1000878E), ref: 10009643
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                            • String ID:
                                                            • API String ID: 1358099757-0
                                                            • Opcode ID: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                            • Instruction ID: c1002f4ed646788d97939a754a35c43ee484aff7721c1be338d8eb9f0dbbf468
                                                            • Opcode Fuzzy Hash: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                            • Instruction Fuzzy Hash: 911172B63007029BE310CF69DC84B97B7E9FB88361F148A29F655C7281C730E815CB65
                                                            APIs
                                                              • Part of subcall function 10010B70: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098BA0,000000FF), ref: 10010B7D
                                                              • Part of subcall function 10010B70: GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                              • Part of subcall function 10010B70: Sleep.KERNEL32(00000096,?,?,?,?,?,10098BA0,000000FF), ref: 10010B97
                                                              • Part of subcall function 10017020: GetDeviceCaps.GDI32(?,00000076), ref: 10017050
                                                              • Part of subcall function 10017020: GetDeviceCaps.GDI32(?,00000075), ref: 10017063
                                                            • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10016CA5
                                                            • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10016CB8
                                                            • Sleep.KERNEL32(000000C8), ref: 10016CF5
                                                              • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                              • Part of subcall function 10016640: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098B91,000000FF), ref: 10016675
                                                              • Part of subcall function 10016640: CloseHandle.KERNEL32(?,?,?,?,?,?,10098B91,000000FF), ref: 10016682
                                                              • Part of subcall function 10016640: #823.MFC42(000001F0), ref: 100166B0
                                                              • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                            • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10016CD4
                                                            • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10016CE7
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                            • String ID:
                                                            • API String ID: 2254935227-0
                                                            • Opcode ID: 6d644747d747347ada057545b2c5bd3904661ad958c426eb4b58646bbe3eb1da
                                                            • Instruction ID: 124f61d06f0aa82b7e4eb5ce74a0cf7bfd62a41c35f15a228ca44d70155d6317
                                                            • Opcode Fuzzy Hash: 6d644747d747347ada057545b2c5bd3904661ad958c426eb4b58646bbe3eb1da
                                                            • Instruction Fuzzy Hash: 6711CE3538431969F960EB254C42FAA7686EF49B50F240129BB49AF2D3C9F0F8849564
                                                            APIs
                                                            • #823.MFC42(00000018,?,?,?,?,100216D5,100216B5,?,?,100216B5), ref: 1002256E
                                                            • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100216B5), ref: 10022588
                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100216B5), ref: 100225BA
                                                            • #825.MFC42(00000000,?,?,?,?,?,100216B5), ref: 100225C5
                                                            • #823.MFC42(00000018,?,?,?,?,?,100216B5), ref: 100225D5
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823Lockit@std@@$#825??0_??1_
                                                            • String ID:
                                                            • API String ID: 2469163743-0
                                                            • Opcode ID: 293eefa55d068d6eb77ace999f923fb139f4cf60fb2007507ff224257be5af72
                                                            • Instruction ID: 2d738ab6a29614126a0e2239eff10a846bf2e087d84f51bd9ae2d9d53814cbef
                                                            • Opcode Fuzzy Hash: 293eefa55d068d6eb77ace999f923fb139f4cf60fb2007507ff224257be5af72
                                                            • Instruction Fuzzy Hash: CA118BB1505355AFC300DF99D8C0A46FBE4FF99300B64806EE189C7622D771A945CB91
                                                            APIs
                                                            Yara matches
                                                            Similarity
                                                            • API ID: fgets$fclosefopenstrncpy
                                                            • String ID:
                                                            • API String ID: 2591305919-0
                                                            • Opcode ID: 2c336051d344bac110efbf3179d435453d1b35f2fda9d5c94209dcac54b4e20b
                                                            • Instruction ID: 58674d1d38e1c6f682299e1a2e6c022f5c896cae8663e30cc07f0fb7f7fbaf74
                                                            • Opcode Fuzzy Hash: 2c336051d344bac110efbf3179d435453d1b35f2fda9d5c94209dcac54b4e20b
                                                            • Instruction Fuzzy Hash: D00124B5600225ABE301D768EC80FDB37CCEF84315F850425FA8896240EB79DA8482E6
                                                            APIs
                                                            • WTSQuerySessionInformationW.WTSAPI32 ref: 10024BC4
                                                            • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10024BE4
                                                            • WTSFreeMemory.WTSAPI32(?), ref: 10024BEF
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 10024C28
                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 10024C3B
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                            • String ID:
                                                            • API String ID: 2394411120-0
                                                            • Opcode ID: 5277be8dd577d740c05a1e5ccef5c402a29f2e67b91e7ab0604b5dc93cec9eb2
                                                            • Instruction ID: 5cd015df1855e7c7991e98bb4afb048c66cd32c6bca5291def4761208115c9a8
                                                            • Opcode Fuzzy Hash: 5277be8dd577d740c05a1e5ccef5c402a29f2e67b91e7ab0604b5dc93cec9eb2
                                                            • Instruction Fuzzy Hash: 25112179218341BBE711CB58CC55FEB73E8BBC8B14F444A1CF699962C0EA74A5098B62
                                                            APIs
                                                            Yara matches
                                                            Similarity
                                                            • API ID: fgets$fclosefopenstrncpy
                                                            • String ID:
                                                            • API String ID: 2591305919-0
                                                            • Opcode ID: 1733028638a4d8685a296f1ab3f55d42003ad5c01d6d9721f060fefadd5d18f6
                                                            • Instruction ID: 3d228d105034ca97edad2ac48460f9fd01b970d87eafb7209fe73454bdd07433
                                                            • Opcode Fuzzy Hash: 1733028638a4d8685a296f1ab3f55d42003ad5c01d6d9721f060fefadd5d18f6
                                                            • Instruction Fuzzy Hash: 7301F2726002253BE311E32CED85BDB77DCFFC8315F954424FA8896244EBB9DD9486A2
APIs
• #858.MFC42(-00000002,00000002,00000000,00000000,10098898,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119AB
• #6874.MFC42(0000002F,-00000002,00000002,00000000,00000000,10098898,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119B4
• #6874.MFC42(0000002D,0000002F,-00000002,00000002,00000000,00000000,10098898,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119C5
• #6874.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098898,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119D6
• #800.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098898,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119E7
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: #6874$#800#858
• String ID:
• API String ID: 833685189-0
• Opcode ID: fea9a2a37ba06160748e744efafcf0399f68b8361276d135f6feebd374086c49
• Instruction ID: 5bcc9bce6254f706e67fc1ad3af221580f36727df22788cb8fef8d11f14ac7f7
• Opcode Fuzzy Hash: fea9a2a37ba06160748e744efafcf0399f68b8361276d135f6feebd374086c49
• Instruction Fuzzy Hash: 3F01F97120478296D314EF14D955B9ABBD4EB54B60F00062EF1A5476E1CBB4ED068392
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028662), ref: 10027377
• OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027390
• StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 100273A7
• CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100273AE
• CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100273B1
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandleOpen$ManagerStart
• String ID:
• API String ID: 1485051382-0
• Opcode ID: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
• Instruction ID: 8305c68acb1d99861e940ca6a77312e387bd37f4ede734be52bc70473c64f0be
• Opcode Fuzzy Hash: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
• Instruction Fuzzy Hash: 3BE09B36246620BBF11167145CC5FAF2678FB89BD4F150205FA08562C0CB609C0145BD
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
• GetProcAddress.KERNEL32(00000000), ref: 10005B9D
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: KERNEL32.dll$WideCharToMultiByte
• API String ID: 2574300362-2634761684
• Opcode ID: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
• Instruction ID: 11a70ebfe6614348c4627575f714f8bac5bc37e03cfb6a5d127c6c7937c6bce2
• Opcode Fuzzy Hash: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
• Instruction Fuzzy Hash: 2541257250421A8FDB18CE2CC8549AFBBD5FBC4354F154A2DF9A6D3280DA70AD0ACB91
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
• Sleep.KERNEL32(000004D2), ref: 1001098C
  • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
• DeleteFileA.KERNEL32(?), ref: 1001094D
  • Part of subcall function 10010790: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100107C2
  • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
  • Part of subcall function 10010790: GetFileSize.KERNEL32(00000000,00000000), ref: 10010846
  • Part of subcall function 10010790: #823.MFC42(00000000), ref: 1001084F
  • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
  • Part of subcall function 10010790: #825.MFC42(00000000), ref: 1001088A
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
• String ID: .key
• API String ID: 3115437274-343438762
• Opcode ID: 11c6eee3c06c20dc47526a76305ae26badb3856d6c04fc6f4881ecdc8fa17ff1
• Instruction ID: 6c8f07c80318120aef5ae7d44ab656afb01d193eb1c0889538d79381634ba695
• Opcode Fuzzy Hash: 11c6eee3c06c20dc47526a76305ae26badb3856d6c04fc6f4881ecdc8fa17ff1
• Instruction Fuzzy Hash: 1E210775B046540BE719D634889076A7BC5FBC1330F58031AF6978B2C2CEF898888755
APIs
• SHGetSpecialFolderPathA.SHELL32 ref: 10007877
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100078ED
• CloseHandle.KERNEL32(00000000), ref: 10007917
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: CloseCreateFileFolderHandlePathSpecial
• String ID: p
• API String ID: 3113538180-2181537457
• Opcode ID: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
• Instruction ID: fb9301c769810b0d049b01ddbf7940714647d0c15556b6550ef7852ede3c4a13
• Opcode Fuzzy Hash: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
• Instruction Fuzzy Hash: CB210A716006041FE718CA389C46BEB76C5FBC4330F588B2DF96ACB2D1DAF489098750
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
• GetProcAddress.KERNEL32(00000000), ref: 10001425
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: WINMM.dll$waveOutWrite
• API String ID: 2574300362-665518901
• Opcode ID: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
• Instruction ID: 94ba89aa586d5954ea77ca1480e0960dd09743874461cbc46f4ab6b518109010
• Opcode Fuzzy Hash: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
• Instruction Fuzzy Hash: C211A0762043048FEB08DF68D8C89A6BBE5FB88380B15855DFE468B346DB71EC01DB20
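The entries above list, per function, the Windows API calls the Joe Sandbox IDA plugin recovered together with the stack arguments it saw at each call site: the SCM sequence OpenSCManagerA / OpenServiceA / StartServiceA, the LoadLibraryA / GetProcAddress pairs that resolve WideCharToMultiByte and the WINMM waveOut* exports at run time, and the routine that reads and deletes a ".key" file under the system directory. The following Python script is an added example, not part of this report or of Joe Sandbox tooling: it parses entries in exactly this layout (direct calls, "Part of subcall function" lines, and the API ID / String ID fields) and maps each entry to coarse capability tags for triage. The capability table and tag names are this example's own, and reading the first two LoadLibraryA arguments as the DLL name and the export name later passed to GetProcAddress follows how the lines above display them; both are assumptions, not something the report states. The sample input is constructed from lines of the entries above.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' listings.
Added example, not part of the report or of Joe Sandbox tooling.
Assumed (not from the page): the capability table and tag names, and the
reading of LoadLibraryA's first two displayed arguments as (DLL, export
later passed to GetProcAddress), which follows how the report shows them."""
import re

# • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028662), ref: 10027377
#   • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
# • SHGetSpecialFolderPathA.SHELL32 ref: 10007877          (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

# A tag fires when every listed API occurs in one entry (subcalls included).
CAPABILITIES = {
    "service_start_via_scm": {"OpenSCManagerA", "OpenServiceA", "StartServiceA"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "file_write_with_seek": {"SetFilePointer", "WriteFile"},
    "system32_file_read_and_delete": {"GetSystemDirectoryA", "CreateFileA",
                                      "ReadFile", "DeleteFileA"},
}


def parse_entries(text):
    """Split report text at each 'APIs' heading; return one dict per entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "direct": set(), "all": set(), "fields": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = [a.strip() for a in call["args"].split(",")] if call["args"] else []
            cur["calls"].append(call)
            cur["all"].add(call["api"])
            if call["sub"] is None:  # called by this function, not by a callee
                cur["direct"].add(call["api"])
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m.group("key")] = m.group("val").strip()
    return entries


def resolved_imports(entry):
    """(DLL, export) pairs read off LoadLibraryA argument lists (see docstring)."""
    return [(c["args"][0], c["args"][1]) for c in entry["calls"]
            if c["api"] == "LoadLibraryA" and len(c["args"]) >= 2
            and c["args"][0].lower().endswith(".dll")]


def tag_entry(entry):
    tags = {t for t, need in CAPABILITIES.items() if need <= entry["all"]}
    if any(d.lower() == "winmm.dll" and e.startswith("waveOut")
           for d, e in resolved_imports(entry)):
        tags.add("audio_output_via_winmm")
    return tags


def summarise(text):
    """One summary dict per entry that has at least one API call."""
    return [{"first_ref": e["calls"][0]["ref"],
             "api_id": e["fields"].get("API ID", ""),
             "string_id": e["fields"].get("String ID", ""),
             "tags": sorted(tag_entry(e)),
             "imports": resolved_imports(e)}
            for e in parse_entries(text) if e["calls"]]


# Constructed input: lines copied from the report entries above, trimmed.
SAMPLE_REPORT = """\
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028662), ref: 10027377
• OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027390
• StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 100273A7
• CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100273AE
Similarity
• API ID: Service$CloseHandleOpen$ManagerStart
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
• GetProcAddress.KERNEL32(00000000), ref: 10001425
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
Similarity
• API ID: AddressLibraryLoadProc
• String ID: WINMM.dll$waveOutWrite
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
• DeleteFileA.KERNEL32(?), ref: 1001094D
  • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
  • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
Similarity
• API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
• String ID: .key
"""

if __name__ == "__main__":
    for s in summarise(SAMPLE_REPORT):
        print(s["first_ref"], s["tags"], s["imports"], s["string_id"])
```

Feed it the text of a whole report section and the tags give a quick index of which functions to open first in the disassembly; the "direct" versus "all" distinction matters because a capability may live in a callee (here CreateFileA and ReadFile appear only inside subcall 10010790).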
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 10009DAA
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009DC6
• SetFilePointer.KERNEL32 ref: 10009DE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: File$Pointer$Write
• String ID: p
• API String ID: 3847668363-2181537457
• Opcode ID: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
• Instruction ID: 1a9338856e1de5b0d7c3f8fb7aa3c1ae0f192f66fa92f10234f7d2b8d6558fe2
• Opcode Fuzzy Hash: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
• Instruction Fuzzy Hash: 811127B5608341ABE210DB28CC85F9BB7E9FBD8714F108A0CF99893280D674A9058BA1
APIs
  • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(00000001,?,100048DA,00000000), ref: 10001B98
• WSAStartup.WS2_32(00000202,?), ref: 1000491D
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
Strings
Memory Dump Source
• Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: CreateCriticalEventInitializeSectionStartup
• String ID: a$m
• API String ID: 1327880603-1958708294
• Opcode ID: 4dcad2dc942f914c77835cedb8039d8e51b7455b9df88c4b0857cd2e16c1183b
• Instruction ID: 6478fd5e8aa5923a80b0e8d040213306e9542aabf3e28a78eea9c4f23bd3805e
• Opcode Fuzzy Hash: 4dcad2dc942f914c77835cedb8039d8e51b7455b9df88c4b0857cd2e16c1183b
• Instruction Fuzzy Hash: 6E115B741087809EE321DB28C856BD6BBE4BF59B54F448A5DE4EE476C1DBB96008CB23
                                                            APIs
                                                            • #823.MFC42(00000014,0036EE80,00000000,?,?,?,?,?,?,?,?,?,?,?,10028CB4,?), ref: 100252C7
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 100252EB
                                                            • wsprintfA.USER32 ref: 10025311
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823GlobalMemoryStatuswsprintf
                                                            • String ID: @
                                                            • API String ID: 1983843647-2766056989
                                                            • Opcode ID: 01927fa3e70b950854fa573699a0d90edf19893caae57ad470699afbd3ee20d8
                                                            • Instruction ID: afd8b77e9d84c411497db1a48a1d788e349c76036a8269b1a6d5ed9568d6f734
                                                            • Opcode Fuzzy Hash: 01927fa3e70b950854fa573699a0d90edf19893caae57ad470699afbd3ee20d8
                                                            • Instruction Fuzzy Hash: 04F0A7B96043106FE310A718DC45B9B7694FBC0340F444839F94997361D634ED1946B7
                                                            APIs
                                                            • #823.MFC42(00000014,76DF0450,00000000,?,?,?,?,?,?,?,?,?,?,?,10028CD0,00000000), ref: 10025E67
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 10025E8B
                                                            • wsprintfA.USER32 ref: 10025EB1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823GlobalMemoryStatuswsprintf
                                                            • String ID: @
                                                            • API String ID: 1983843647-2766056989
                                                            • Opcode ID: 11020b86a8585d1776c2794b6a66d4b7a4d2a30e271a9d9edfc65a64f6760437
                                                            • Instruction ID: 5873419cec1e6a7407d03b23230daedc8f06aa453026ba4d996bc5fb170418da
                                                            • Opcode Fuzzy Hash: 11020b86a8585d1776c2794b6a66d4b7a4d2a30e271a9d9edfc65a64f6760437
                                                            • Instruction Fuzzy Hash: 15F0A7B96042106FE310A718DC45B9B7A94FBC0350F448839F94997361D534ED1946E7
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 1002C691
                                                            • GetThreadDesktop.USER32(00000000,?,1001761C), ref: 1002C698
                                                              • Part of subcall function 1002C0B0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BE79,00000000), ref: 1002C0CB
                                                              • Part of subcall function 1002C0B0: GetProcAddress.KERNEL32(00000000), ref: 1002C0D4
                                                            • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C6C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                            • String ID: Winlogon
                                                            • API String ID: 133172028-744610081
                                                            • Opcode ID: c319d8a80b16ab5eef32d5fa1b0efe4b320c46552d8b00b901bb5a82d413d3da
                                                            • Instruction ID: 870250ad129784551b6d14aef9a56de9fd67cfbbceb2c73ca1f9efa575fbcd0f
                                                            • Opcode Fuzzy Hash: c319d8a80b16ab5eef32d5fa1b0efe4b320c46552d8b00b901bb5a82d413d3da
                                                            • Instruction Fuzzy Hash: B6E0CDB6F4167457F62163F87D4EFDA3208AF00745F8A0271F905A9182E6549D8181D6
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DD9E,?,100FA3E4,?), ref: 100109D0
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: CreateEventA$KERNEL32.dll
                                                            • API String ID: 2574300362-2476775342
                                                            • Opcode ID: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                            • Instruction ID: 81657b418f3b05921348bdbd49973478ffcbca97394684bddc953fa459c75907
                                                            • Opcode Fuzzy Hash: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                            • Instruction Fuzzy Hash: 6CE08C756403206BE360DFA89C49F867A98EF48701F04881EF349E7281CAB0A840CB68
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DEF5), ref: 10010A23
                                                            • GetProcAddress.KERNEL32(00000000), ref: 10010A2A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: CloseHandle$KERNEL32.dll
                                                            • API String ID: 2574300362-2295661983
                                                            • Opcode ID: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                            • Instruction ID: cf30f3b007e41bfee70c41d9c59be6cb1b231e04fc18b526b816a338234f57c5
                                                            • Opcode Fuzzy Hash: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                            • Instruction Fuzzy Hash: F9C012B94112215FD724EFA4EC4C8D63A58FF44301348494DF55993211CF745840CBA0
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C16A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 1002C171
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: KERNEL32.dll$lstrlenA
                                                            • API String ID: 2574300362-1796993502
                                                            • Opcode ID: f79f98b0e7185f153102906177beb1dde72539314a2d9ec00c0de4e7bdd88882
                                                            • Instruction ID: e89ced25be82d3fa2645bb0fc9131d8a270d934e98934bd75bfbcde96423d775
                                                            • Opcode Fuzzy Hash: f79f98b0e7185f153102906177beb1dde72539314a2d9ec00c0de4e7bdd88882
                                                            • Instruction Fuzzy Hash: 4DC09BF84012186FDB10EFA4DC8C9893558F7457023644544F50591115DB381040A625
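The three LoadLibraryA/GetProcAddress blocks above and the GetThreadDesktop/PostMessageA block before them are the most informative API listings in this part of the report, but the sandbox prints them as raw stack slots. The following Python is an added triage example (it is not part of the Joe Sandbox report and not code from the sample); it parses the "APIs" line format shown above and recovers two facts from the lines copied verbatim from this page: the list of imports the sample resolves at runtime instead of importing statically, and the meaning of PostMessageA(0000FFFF,00000312,00000000,002E0003). The constants are standard Win32 values: HWND_BROADCAST is 0xFFFF, WM_HOTKEY is 0x0312, and the WM_HOTKEY lParam carries the modifier flags in its low word and the virtual-key code in its high word, so 0x002E0003 is VK_DELETE (0x2E) with MOD_ALT|MOD_CONTROL (0x3). Broadcasting that message after switching to the desktop the function names "Winlogon" is consistent with simulating Ctrl+Alt+Del. One assumption is made about the report format: the slot printed after the DLL name in each LoadLibraryA line is taken to be the function name passed to the GetProcAddress that immediately follows it, which the String IDs of those blocks (for example "CreateEventA$KERNEL32.dll") support.

```python
"""Parse the 'APIs' lines of a Joe Sandbox code-analysis block and extract two
triage facts: which APIs the sample resolves at runtime (LoadLibraryA +
GetProcAddress) and what its PostMessageA(HWND_BROADCAST, WM_HOTKEY, ...) sends.
Added example; not code from the report or from the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Input lines copied verbatim from the APIs listings in the report above.
REPORT_LINES = """\
• GetCurrentThreadId.KERNEL32 ref: 1002C691
• GetThreadDesktop.USER32(00000000,?,1001761C), ref: 1002C698
  • Part of subcall function 1002C0B0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BE79,00000000), ref: 1002C0CB
  • Part of subcall function 1002C0B0: GetProcAddress.KERNEL32(00000000), ref: 1002C0D4
• PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C6C4
• LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DD9E,?,100FA3E4,?), ref: 100109D0
• GetProcAddress.KERNEL32(00000000), ref: 100109D7
• LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DEF5), ref: 10010A23
• GetProcAddress.KERNEL32(00000000), ref: 10010A2A
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C16A
• GetProcAddress.KERNEL32(00000000), ref: 1002C171
""".splitlines()

# "<name>.<module>(<args>), ref: <addr>", optionally prefixed with the
# "Part of subcall function <addr>:" marker; args are optional (wsprintfA.USER32 ref: ...).
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw hex/string slots exactly as the sandbox printed them
    ref: int                 # address of the call site
    subcall_of: Optional[int] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; returns None for lines that are not API calls."""
    text = line.strip().lstrip("•").strip()
    m = LINE_RE.match(text)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def dynamically_resolved_imports(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Pair each LoadLibraryA(<dll>, <name>, ...) with the GetProcAddress that
    directly follows it. Assumption (supported by the report's String IDs): the
    stack slot after the DLL name is the function name GetProcAddress receives."""
    found = []
    for i, call in enumerate(calls[:-1]):
        nxt = calls[i + 1]
        if call.name == "LoadLibraryA" and len(call.args) >= 2 and nxt.name == "GetProcAddress":
            found.append((call.args[0], call.args[1]))
    return found


HWND_BROADCAST = 0xFFFF
WM_HOTKEY = 0x0312
MODIFIERS = {0x1: "MOD_ALT", 0x2: "MOD_CONTROL", 0x4: "MOD_SHIFT", 0x8: "MOD_WIN"}
VK_NAMES = {0x2E: "VK_DELETE"}  # only the key this sample uses is named here


def decode_wm_hotkey(call: ApiCall) -> Optional[dict]:
    """Decode PostMessageA(hwnd, WM_HOTKEY, id, lParam): low word of lParam is the
    modifier mask, high word the virtual-key code."""
    if call.name != "PostMessageA" or len(call.args) < 4:
        return None
    try:
        hwnd, msg, _hotkey_id, lparam = (int(a, 16) for a in call.args[:4])
    except ValueError:          # a '?' slot means the sandbox could not recover it
        return None
    if msg != WM_HOTKEY:
        return None
    mods, vk = lparam & 0xFFFF, (lparam >> 16) & 0xFFFF
    return {
        "broadcast": hwnd == HWND_BROADCAST,
        "modifiers": [name for bit, name in MODIFIERS.items() if mods & bit],
        "vk": VK_NAMES.get(vk, hex(vk)),
    }


if __name__ == "__main__":
    calls = [c for c in map(parse_api_line, REPORT_LINES) if c]
    for dll, func in dynamically_resolved_imports(calls):
        print(f"runtime-resolved import: {dll}!{func}")
    for c in calls:
        hk = decode_wm_hotkey(c)
        if hk:
            print(f"WM_HOTKEY at {c.ref:08X}: {hk}")
```

Run stand-alone it lists the four runtime-resolved imports (USER32.dll!OpenDesktopA and the three KERNEL32 functions) and reports the broadcast WM_HOTKEY as VK_DELETE with MOD_ALT and MOD_CONTROL. The same parser can be pointed at any other "APIs" block in this report by replacing REPORT_LINES; lines the sandbox printed without a parenthesised argument list parse with an empty args list.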
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $u%04x
                                                            • API String ID: 0-2846719512
                                                            • Opcode ID: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                            • Instruction ID: 926f1c216a8361e60bc3445ae8a78ded31acc7b6cea92631c0d95b6b2ff4fbf9
                                                            • Opcode Fuzzy Hash: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                            • Instruction Fuzzy Hash: A8615D616083C64FF713CE289C4075BBBD9EF962D4F28C46DE9C6C724AE761854A8352
                                                            APIs
                                                            • #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                            • #823.MFC42(00000000,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121F6
                                                              • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123A6
                                                              • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123B3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #540$#823#825
                                                            • String ID:
                                                            • API String ID: 3261958014-0
                                                            • Opcode ID: a494d4ab2f9a9c230b1088c26346ff3d82e9efe7bf054b2e53489296b78d8ade
                                                            • Instruction ID: d82dbfef2393fd23d455e75ca381cd772eca4e1e9adef292338cdcb689682686
                                                            • Opcode Fuzzy Hash: a494d4ab2f9a9c230b1088c26346ff3d82e9efe7bf054b2e53489296b78d8ade
                                                            • Instruction Fuzzy Hash: 5F41E4F6B002049BDB04DF58D88452AF795EFD4261B19C56EE909DF306DA32ECA5C7A0
                                                            APIs
                                                            • #825.MFC42(00000000), ref: 10016211
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10098B08,000000FF), ref: 10016221
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10098B08,000000FF), ref: 100161BC
                                                              • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                            • #825.MFC42(?), ref: 100162A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823#825$Open
                                                            • String ID:
                                                            • API String ID: 2004829228-0
                                                            • Opcode ID: 5b9d0d3a8cadf82a791dd264c4b0ab2720157103bcf923aef07fd3d16dce3de7
                                                            • Instruction ID: 0df51b737bc767e269ae254d011b6ce00103d60cfb4e568bcf2dfe2abfe61423
                                                            • Opcode Fuzzy Hash: 5b9d0d3a8cadf82a791dd264c4b0ab2720157103bcf923aef07fd3d16dce3de7
                                                            • Instruction Fuzzy Hash: C6410275604A059BC708DE28CC91A6FB3D5EFC8611F98052DF9168B341DB36ED49C792
                                                            APIs
                                                            • #825.MFC42(00000000), ref: 10015EB1
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10098AC8,000000FF), ref: 10015EC1
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10098AC8,000000FF), ref: 10015E5C
                                                              • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                            • #825.MFC42(?), ref: 10015F49
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823#825$Open
                                                            • String ID:
                                                            • API String ID: 2004829228-0
                                                            • Opcode ID: 39d6c7e7d068b9df93601cb5341771170630650ff8edf8d2ab47ccc3c5a33d92
                                                            • Instruction ID: 40216077312398c646760e55a3001ad50ac4da7f66415f4761652e2a5a7228ae
                                                            • Opcode Fuzzy Hash: 39d6c7e7d068b9df93601cb5341771170630650ff8edf8d2ab47ccc3c5a33d92
                                                            • Instruction Fuzzy Hash: 33410071604605DBC308DE24C891A6BB3D5EBC8211F88052DF9568F341EB37EA4AC792
                                                            APIs
                                                            • #825.MFC42(00000000), ref: 10015CE3
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098AA8), ref: 10015CF7
                                                            • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098AA8), ref: 10015C88
                                                              • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                            • #825.MFC42(00000000), ref: 10015D76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823#825$Open
                                                            • String ID:
                                                            • API String ID: 2004829228-0
                                                            • Opcode ID: c9460e099ca1f32bd503b1dd30a5c2885d0f3f75ef3cddeb8d297b3af592af19
                                                            • Instruction ID: f298e340f7b5fc4f96431068940765fdb531c782ea7b4808acfd1f1b0c262dd2
                                                            • Opcode Fuzzy Hash: c9460e099ca1f32bd503b1dd30a5c2885d0f3f75ef3cddeb8d297b3af592af19
                                                            • Instruction Fuzzy Hash: 7741EC35604645EBC708DE28D89166BB3E6FBC8611F88052DF9068B351DB36ED89CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823$strstr
                                                            • String ID:
                                                            • API String ID: 3700887599-0
                                                            • Opcode ID: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                            • Instruction ID: 87f70141fd3bc8abd1ff3455cd7970780f8090ecbddafb6a4e32d4a10eb892bc
                                                            • Opcode Fuzzy Hash: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                            • Instruction Fuzzy Hash: 1121A03A2105180B871CC97DAC1162B76C2FBC9631B69432EFA2BC77D0DEA6DD058380
                                                            APIs
                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006D7E
                                                            • LoadLibraryA.KERNEL32(?), ref: 10006D9A
                                                              • Part of subcall function 100069B0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                              • Part of subcall function 100069B0: HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 10006E08
                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006E2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                            • String ID:
                                                            • API String ID: 2932169029-0
                                                            • Opcode ID: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                            • Instruction ID: 24d0788afd7e564c21ce07679b2cd919d25d482a3edf121e110520330544f2d5
                                                            • Opcode Fuzzy Hash: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                            • Instruction Fuzzy Hash: 2C317E76B007069FE310CF29CC80A56B7E9FF493A4B26462AE919C7255EB31E815CB90
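The IsBadReadPtr(?, 0x14) / LoadLibraryA / GetProcAddress sequence in the function above has the shape of a manual import-table walk: 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), so each probe checks that the next 20-byte descriptor is readable before the named DLL is loaded and its thunks are resolved. The block below is an added example written for this report, not code recovered from the sample: it walks a constructed minimal import directory in Python, with a buffer bounds check standing in for IsBadReadPtr and a fixed name-to-address table standing in for GetProcAddress. Every DLL name, function name, RVA and address in it is an assumption made up for illustration.

```python
"""Minimal PE import-directory walk over a constructed image.

Added example, not the sample's code.  The image bytes, DLL and function
names, RVAs and addresses are all constructed/assumed for illustration.
The buffer is treated as a flat mapping, so RVA == buffer offset.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESCRIPTOR_SIZE = 0x14          # sizeof(IMAGE_IMPORT_DESCRIPTOR) == 20 bytes

# Stand-in for GetProcAddress: (dll, name-or-ordinal) -> assumed address.
FAKE_EXPORTS = {
    ("KERNEL32.dll", "LoadLibraryA"): 0x7FF00010,
    ("KERNEL32.dll", "GetProcAddress"): 0x7FF00020,
    ("ADVAPI32.dll", "RegOpenKeyExA"): 0x7FE00030,
    ("ADVAPI32.dll", 0x10): 0x7FE00040,     # import by ordinal 16
}


def build_image():
    """Construct a tiny image whose import descriptor table starts at RVA 0."""
    img = bytearray(0x200)
    names = {"KERNEL32.dll": 0x100, "ADVAPI32.dll": 0x110}
    for dll, rva in names.items():
        img[rva:rva + len(dll) + 1] = dll.encode() + b"\0"
    # IMAGE_IMPORT_BY_NAME: WORD hint followed by a NUL-terminated name
    by_name = {"LoadLibraryA": 0x120, "GetProcAddress": 0x130,
               "RegOpenKeyExA": 0x144}
    for fn, rva in by_name.items():
        entry = struct.pack("<H", 0) + fn.encode() + b"\0"
        img[rva:rva + len(entry)] = entry
    # OriginalFirstThunk arrays (import name tables), zero-terminated
    int_k32, int_adv = 0x160, 0x170
    struct.pack_into("<III", img, int_k32,
                     by_name["LoadLibraryA"], by_name["GetProcAddress"], 0)
    struct.pack_into("<III", img, int_adv,
                     by_name["RegOpenKeyExA"], IMAGE_ORDINAL_FLAG32 | 0x10, 0)
    # FirstThunk arrays (the IAT); identical to the INT before resolution
    iat_k32, iat_adv = 0x180, 0x190
    img[iat_k32:iat_k32 + 12] = img[int_k32:int_k32 + 12]
    img[iat_adv:iat_adv + 12] = img[int_adv:int_adv + 12]
    # Two descriptors at RVA 0; the all-zero descriptor at 0x28 terminates
    struct.pack_into("<IIIII", img, 0x00, int_k32, 0, 0, names["KERNEL32.dll"], iat_k32)
    struct.pack_into("<IIIII", img, 0x14, int_adv, 0, 0, names["ADVAPI32.dll"], iat_adv)
    return img


def readable(img, rva, size):
    """Stand-in for IsBadReadPtr(p, size): a plain bounds check on the buffer."""
    return 0 <= rva and rva + size <= len(img)


def cstr(img, rva):
    """Read a NUL-terminated ASCII string at rva."""
    return img[rva:img.index(b"\0", rva)].decode()


def resolve_imports(img):
    """Walk the descriptor table, resolve every thunk and patch the IAT.

    Returns a list of (dll, name_or_ordinal, address, iat_slot_rva).
    """
    resolved = []
    rva = 0
    while readable(img, rva, DESCRIPTOR_SIZE):       # the 0x14 probe
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, rva)
        if name_rva == 0:                            # zero descriptor ends the table
            break
        dll = cstr(img, name_rva)                    # what LoadLibraryA receives
        lookup = oft or ft                           # bound images may have OFT == 0
        i = 0
        while True:
            thunk, = struct.unpack_from("<I", img, lookup + 4 * i)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                key = (dll, thunk & 0xFFFF)          # ordinal import
            else:
                key = (dll, cstr(img, thunk + 2))    # skip the WORD hint
            addr = FAKE_EXPORTS.get(key)             # what GetProcAddress returns
            if addr is None:
                raise LookupError(f"unresolved import {key}")
            slot = ft + 4 * i
            struct.pack_into("<I", img, slot, addr)  # write the IAT entry
            resolved.append((dll, key[1], addr, slot))
            i += 1
        rva += DESCRIPTOR_SIZE
    return resolved


def demo():
    """Build the image, resolve it and return (resolved, patched IAT values)."""
    img = build_image()
    resolved = resolve_imports(img)
    patched = [struct.unpack_from("<I", img, r[3])[0] for r in resolved]
    return resolved, patched


if __name__ == "__main__":
    for dll, sym, addr, slot in demo()[0]:
        print(f"{dll}!{sym} -> {addr:#010x} written to IAT slot {slot:#06x}")
```

In a real loader the bounds check is the process-wide IsBadReadPtr, the lookup table is GetProcAddress on the handle LoadLibraryA returned, and the IAT slot written is the one the relocated code will later call through; the walk order and the 20-byte stride are the same.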
                                                            APIs
                                                            • ceil.MSVCRT ref: 10001D8C
                                                            • _ftol.MSVCRT ref: 10001D95
                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,1001B756,?,000003C0), ref: 10001DA9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual_ftolceil
                                                            • String ID:
                                                            • API String ID: 3317677364-0
                                                            • Opcode ID: 7bb63945c16ebcabfd3095c607ac8e54c2eda45ec53fd45f87d0112b66742170
                                                            • Instruction ID: 4bb3fe56bcfb68013574c4d0e8870444d358167fee8d7b87506156141d1ed8f4
                                                            • Opcode Fuzzy Hash: 7bb63945c16ebcabfd3095c607ac8e54c2eda45ec53fd45f87d0112b66742170
                                                            • Instruction Fuzzy Hash: 0F11E4357083049BE704DF28EC8275ABBE4FBC03A1F04853EFD498B385DA75A808CA65
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _ftolceil
                                                            • String ID:
                                                            • API String ID: 2006273141-0
                                                            • Opcode ID: 66f8a0142a51849f4ccdc8bc195fe25ef11229eb8db603d2d04e566bf019eadd
                                                            • Instruction ID: f5e2dde3adadc459be453c842ad121fe74e338dbe498ffd332b9a5389a7b4a65
                                                            • Opcode Fuzzy Hash: 66f8a0142a51849f4ccdc8bc195fe25ef11229eb8db603d2d04e566bf019eadd
                                                            • Instruction Fuzzy Hash: FE11A2756483049BE704EF28EC8676FBBD1FB84791F04853DF9498B344DA35A818C666
                                                            APIs
                                                            • LocalSize.KERNEL32(00000000), ref: 10015AAE
                                                            • LocalFree.KERNEL32(00000000), ref: 10015ABA
                                                            • LocalSize.KERNEL32(00000000), ref: 10015AD5
                                                            • LocalFree.KERNEL32(00000000), ref: 10015AE1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FreeSize
                                                            • String ID:
                                                            • API String ID: 2726095061-0
                                                            • Opcode ID: ce48dbeb30c5cfa6b01c074e0f12464fc44b93c721c46581480db242971f300e
                                                            • Instruction ID: 7bd43b61a40807323c64ce15f3d4a6f34b2211c94d8ed46558afdaf6f7b2225f
                                                            • Opcode Fuzzy Hash: ce48dbeb30c5cfa6b01c074e0f12464fc44b93c721c46581480db242971f300e
                                                            • Instruction Fuzzy Hash: 5011EEB5204654DBC221DB24CC91BBFB398FF85251F880629F9415F281DF39EC8686AA
                                                            APIs
                                                            • mbstowcs.MSVCRT ref: 10025367
                                                            • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002539E
                                                            • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100253C2
                                                              • Part of subcall function 10025810: LocalSize.KERNEL32(00000000), ref: 10025820
                                                              • Part of subcall function 10025810: LocalFree.KERNEL32(00000000,?,10025D10,00000001,?,00000000,00000001,?,?), ref: 10025830
                                                            • LocalFree.KERNEL32(?,?,?,?), ref: 100253D4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                            • String ID:
                                                            • API String ID: 2733533-0
                                                            • Opcode ID: 482a626cfa010549614d68bd1b33ffee5ad3dca544cca02193e6bd015c8a97f8
                                                            • Instruction ID: ff081e2a325cf18f1e82f94578a92762ae2f67bd6958f52a8ecdac7d72ff89c6
                                                            • Opcode Fuzzy Hash: 482a626cfa010549614d68bd1b33ffee5ad3dca544cca02193e6bd015c8a97f8
                                                            • Instruction Fuzzy Hash: 4211E535218301ABE714CB28CC85FDB73D9AFD8705F048A2DF589922D1DBB4E5488652
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097DFC,000000FF,1001DF06), ref: 100049DC
                                                            • CloseHandle.KERNEL32(?), ref: 100049FF
                                                            • CloseHandle.KERNEL32(?), ref: 10004A08
                                                            • WSACleanup.WS2_32 ref: 10004A0A
                                                              • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                              • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                              • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                              • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                              • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                             • Associated: 00000000.00000002.3793618981.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793740675.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793866351.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793903383.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793934007.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.3793969832.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                            • String ID:
                                                            • API String ID: 136543108-0
                                                            • Opcode ID: 7f9247a3167598fc41cd8bfeea66c261fa550759e0767daeb0d0fea13d1ce447
                                                            • Instruction ID: d931dcca562f6ad295f48da32a531fe8a0c03633c442b34e05327d039451a5d4
                                                            • Opcode Fuzzy Hash: 7f9247a3167598fc41cd8bfeea66c261fa550759e0767daeb0d0fea13d1ce447
                                                            • Instruction Fuzzy Hash: CA11BF79008B41DFD314DF28C844BAAB7E8EF85620F044B1CF0AA432D1DBB864088B63
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 10027215
                                                            • Process32First.KERNEL32(00000000,?), ref: 10027222
                                                            • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002726B
                                                              • Part of subcall function 10027050: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10027077
                                                              • Part of subcall function 10027050: Module32First.KERNEL32(00000000,00000000), ref: 1002708C
                                                              • Part of subcall function 10027050: lstrcmpiA.KERNEL32(?,?), ref: 100270AB
                                                              • Part of subcall function 10027050: Module32Next.KERNEL32(00000000,00000000), ref: 100270B7
                                                              • Part of subcall function 10027050: lstrcmpiA.KERNEL32(?,?), ref: 100270C9
                                                              • Part of subcall function 10027050: CloseHandle.KERNEL32(00000000), ref: 100270D4
                                                            • Process32Next.KERNEL32(00000000,?), ref: 10027260
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32lstrcmpi
                                                            • String ID:
                                                            • API String ID: 1584622316-0
                                                            • Opcode ID: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                            • Instruction ID: dff03867e35d2db97486aa39089f032ab1f43595190ac571e76f809c0bcadac6
                                                            • Opcode Fuzzy Hash: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                            • Instruction Fuzzy Hash: 6FF0A4765042156AE350D660ED82FBB76EDFFC4790F854538F84886141EB29DD0882F2
                                                            APIs
                                                            • #537.MFC42(?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                            • #940.MFC42(?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                            • #535.MFC42(?,?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                            • #800.MFC42(?,?,?,?,?,1009893F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #535#537#800#940
                                                            • String ID:
                                                            • API String ID: 1382806170-0
                                                            • Opcode ID: 2bdabc0ba8d9ad00e54c9b4b55fb26e5c933865654f3c8cacf867a67278347d6
                                                            • Instruction ID: cf141a410a407b2165322d91c603e05e3dbbc286e04468749feca6f3729daccb
                                                            • Opcode Fuzzy Hash: 2bdabc0ba8d9ad00e54c9b4b55fb26e5c933865654f3c8cacf867a67278347d6
                                                            • Instruction Fuzzy Hash: 1301AD7510C7429FD304DF18C861B9BBBE0EB95760F40490DF895873A2C774E84ACB92
                                                            APIs
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #536#537#800#922
                                                            • String ID:
                                                            • API String ID: 1475696894-0
                                                            • Opcode ID: 75f5f5cd62e05f1f4e986e08fd33e38f9fd8bb2e77a36072ca446a4e725637b2
                                                            • Instruction ID: 4b2d785b6b40186a6016c2fded18de369b0c0b62594c0accb12bb7e6d2228a3f
                                                            • Opcode Fuzzy Hash: 75f5f5cd62e05f1f4e986e08fd33e38f9fd8bb2e77a36072ca446a4e725637b2
                                                            • Instruction Fuzzy Hash: 5901B5B6204650EFC304DF14D841B9AB7E4FB88B14F44891EF94997791C779ED05CB92
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000001,00000000,00000001,?,?,?,?,?,100293DE,00000001,?), ref: 10029891
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,100293DE,00000001,?), ref: 1002989C
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,100293DE,00000001,?), ref: 100298A3
                                                            • Sleep.KERNEL32(000000C8,?,?,?,?,100293DE,00000001,?), ref: 100298BA
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseHandleOpenSleepTerminate
                                                            • String ID:
                                                            • API String ID: 2443981006-0
                                                            • Opcode ID: 09f1435324e2e28a2be26cf084b837d176a8d9ba6570339b410ab71b68ad896a
                                                            • Instruction ID: 6a0e0e9103eddf8222e272111fd84532d8d208ef1aa85f915b263614f35b8803
                                                            • Opcode Fuzzy Hash: 09f1435324e2e28a2be26cf084b837d176a8d9ba6570339b410ab71b68ad896a
                                                            • Instruction Fuzzy Hash: 26F0F6366003119BE200EB559C88F7FB7D9FBC5660F18452AFA4A93281CF70A8058B61
                                                            APIs
                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 1002CC7A
                                                            • htons.WS2_32 ref: 1002CCA2
                                                            • connect.WS2_32(00000000,?,00000010), ref: 1002CCB5
                                                            • closesocket.WS2_32(00000000), ref: 1002CCC1
                                                            Yara matches
                                                            Similarity
                                                            • API ID: closesocketconnecthtonssocket
                                                            • String ID:
                                                            • API String ID: 3817148366-0
                                                            • Opcode ID: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                            • Instruction ID: e42b3a204bc3a213189579f6ffc45c147b0d7cc15c2a040da4ebba09f1038eda
                                                            • Opcode Fuzzy Hash: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                            • Instruction Fuzzy Hash: 01F0F0786143306BE300EB7C9C89ADB77E4FF84320FD48B49F5AC822E1E27485049786
                                                            APIs
                                                            • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C44C
                                                            • #823.MFC42(00000100,756F1760,00000000,000000FF,00000005,?,?), ref: 1002C45B
                                                            • lstrcpyA.KERNEL32(00000000,?,?), ref: 1002C46B
                                                            • WTSFreeMemory.WTSAPI32(?), ref: 1002C476
                                                            Yara matches
                                                            Similarity
                                                            • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                            • String ID:
                                                            • API String ID: 3008764780-0
                                                            • Opcode ID: 6ab7e1b9ea490320edbe6b88fcac79ef2f08dba94ef0c24f69a3e29e45346611
                                                            • Instruction ID: ff6dd7aac0a2a65d5c9f0e391dd270bd110e8760720ab16e45756f77c0b31f43
                                                            • Opcode Fuzzy Hash: 6ab7e1b9ea490320edbe6b88fcac79ef2f08dba94ef0c24f69a3e29e45346611
                                                            • Instruction Fuzzy Hash: ADF082B96042117BD700EB78AC45E6B76D4EB84A11F844A28F848C6280F634ED08CBA2
                                                            APIs
                                                            • Process32First.KERNEL32(?,00000128), ref: 1000B5B7
                                                            • Process32Next.KERNEL32(?,00000128), ref: 1000B5D5
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$FirstNext
                                                            • String ID: ???
                                                            • API String ID: 1173892470-1053719742
                                                            • Opcode ID: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                            • Instruction ID: 0e2ca24e1619ea93ebbeed42ef944335cc2cf357fcb56a3ce927cb26a297de5a
                                                            • Opcode Fuzzy Hash: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                            • Instruction Fuzzy Hash: F5010032205A041BD728D939AC419AFB7D6EFC43A0F91462DF826C32C4DFB8ED08C691
                                                            APIs
                                                            • #537.MFC42(chrome.exe), ref: 1000D897
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • Sleep.KERNEL32(000003E8), ref: 1000D8A9
                                                              • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                              • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                              • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                              • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                              • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097DFC,000000FF,1001DF06), ref: 100049DC
                                                              • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                              • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                              • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                            Strings
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                            • String ID: chrome.exe
                                                            • API String ID: 294463573-2619149582
                                                            • Opcode ID: bfaf171438e4a10b905bc930a6c12449e973504fb6ed73cf385744ccf9ab9be2
                                                            • Instruction ID: 2765f6f9c13068c6ae0d621aefe80bc8948290e7d9a445f11e729c62839d634f
                                                            • Opcode Fuzzy Hash: bfaf171438e4a10b905bc930a6c12449e973504fb6ed73cf385744ccf9ab9be2
                                                            • Instruction Fuzzy Hash: AA114CB94086C19FE324DB24D952BDFB7E0EB95750F404A1DE9A9432C1DF346A08CBA3
                                                            APIs
                                                            • #537.MFC42(chrome.exe), ref: 1000D997
                                                              • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                              • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                              • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                              • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                              • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                              • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                              • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                              • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                              • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                            • Sleep.KERNEL32(000003E8), ref: 1000D9A9
                                                              • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                              • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                              • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                              • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                              • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097DFC,000000FF,1001DF06), ref: 100049DC
                                                              • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                              • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                              • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                            • String ID: chrome.exe
                                                            • API String ID: 294463573-2619149582
                                                            • Opcode ID: 35898382b2e21db00a7aea79c27743ddf4d27dac3750634a9823d263452ec648
                                                            • Instruction ID: 90324c4a69b7f45f53c4ded12146ad3c08b88121bcd79bb65e6a481be2c7671c
                                                            • Opcode Fuzzy Hash: 35898382b2e21db00a7aea79c27743ddf4d27dac3750634a9823d263452ec648
                                                            • Instruction Fuzzy Hash: 39116DB90082C09BE324DB24DA51BDFB7A0EB95710F404A1DA8A9422C1DF342A04CB63
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001C8E
                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001CA4
                                                            • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000), ref: 10001CF5
                                                            • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001D1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Entermemmove
                                                            • String ID:
                                                            • API String ID: 72348100-0
                                                            • Opcode ID: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                            • Instruction ID: 50b30369da4871338d3e5076dbae6429fca2f6132d25b88ab6d76ff2db9ab769
                                                            • Opcode Fuzzy Hash: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                            • Instruction Fuzzy Hash: AE11BF3A3042154FAB08EF749C858EFB799FF94290704452EF907CB346DB71ED0886A0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                            • String ID:
                                                            • API String ID: 3289936468-0
                                                            • Opcode ID: 27c7c640109cb190267034813618c0470bc2c07b24a54dbc2406d3815dab383b
                                                            • Instruction ID: 39ff1affce39ceb0553fd39635d7ba165a00caf2bfc378dc07de589adbc2d34f
                                                            • Opcode Fuzzy Hash: 27c7c640109cb190267034813618c0470bc2c07b24a54dbc2406d3815dab383b
                                                            • Instruction Fuzzy Hash: 6901C474C04655AFE711CF188C44BDABFE8FB0A6A0F040696E895A3605C7345E028BE1
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                            • HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
                                                            • HeapAlloc.KERNEL32(00000000), ref: 100069DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3793647436.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocProcess
                                                            • String ID:
                                                            • API String ID: 1617791916-0
                                                            • Opcode ID: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                            • Instruction ID: 47877cb6062bd81062e19e0104322f8483190e017e00c23344b6b727d1ead73d
                                                            • Opcode Fuzzy Hash: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                            • Instruction Fuzzy Hash: B6D04C75604212ABFE449BA8CD8DFAA7BADFB84745F058948F54DCA094C6709840DB31