
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1568681
MD5: 75cdc74befd8c953ee2c022bd8366633
SHA1: 141be71c0beb41ad6e955c0721429bd978f2332b
SHA256: fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
Tags: exe, user-jstrosch

Detection

GhostRat, Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables driver privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Spawns drivers
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3384 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 75CDC74BEFD8C953EE2C022BD8366633)
    • cmd.exe (PID: 3236 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3180 cmdline: ping -n 2 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • Gwogw.exe (PID: 616 cmdline: C:\Windows\SysWOW64\Gwogw.exe -auto MD5: 75CDC74BEFD8C953EE2C022BD8366633)
    • Gwogw.exe (PID: 1484 cmdline: C:\Windows\SysWOW64\Gwogw.exe -acsi MD5: 75CDC74BEFD8C953EE2C022BD8366633)
  • cleanup
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\System32\drivers\QAssist.sys | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source | Rule | Description | Author | Strings
00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Gh0st_ee6de6bc | Identifies a variant of Gh0st Rat | unknown
    • 0xe0e:$a1: :]%d-%d-%d %d:%d:%d
    • 0xbd4:$a2: [Pause Break]
    • 0x24bc4:$a3: f-secure.exe
    • 0x1214:$a4: Accept-Language: zh-cn
    • 0x12ad:$a4: Accept-Language: zh-cn
    • 0x13e8:$a4: Accept-Language: zh-cn
    • 0x152b:$a4: Accept-Language: zh-cn
    • 0x1780:$a4: Accept-Language: zh-cn
00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Gh0st_ee6de6bc | Identifies a variant of Gh0st Rat | unknown
      • 0xe0e:$a1: :]%d-%d-%d %d:%d:%d
      • 0xbd4:$a2: [Pause Break]
      • 0x24bc4:$a3: f-secure.exe
      • 0x1214:$a4: Accept-Language: zh-cn
      • 0x12ad:$a4: Accept-Language: zh-cn
      • 0x13e8:$a4: Accept-Language: zh-cn
      • 0x152b:$a4: Accept-Language: zh-cn
      • 0x1780:$a4: Accept-Language: zh-cn
00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Source | Rule | Description | Author | Strings
0.2.file.exe.52fa20.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
        • 0x7b12:$h1: Hid_State
        • 0x7b26:$h2: Hid_StealthMode
        • 0x7b46:$h3: Hid_HideFsDirs
        • 0x7b64:$h4: Hid_HideFsFiles
        • 0x7b84:$h5: Hid_HideRegKeys
        • 0x7ba4:$h6: Hid_HideRegValues
        • 0x7bc8:$h7: Hid_IgnoredImages
        • 0x7bec:$h8: Hid_ProtectedImages
        • 0xc42e:$s1: FLTMGR.SYS
        • 0xc9aa:$s2: HAL.dll
        • 0x954e:$s3: \SystemRoot\System32\csrss.exe
        • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
        • 0x258:$s5: INIT
        • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
2.2.Gwogw.exe.52fa20.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
        • 0x7b12:$h1: Hid_State
        • 0x7b26:$h2: Hid_StealthMode
        • 0x7b46:$h3: Hid_HideFsDirs
        • 0x7b64:$h4: Hid_HideFsFiles
        • 0x7b84:$h5: Hid_HideRegKeys
        • 0x7ba4:$h6: Hid_HideRegValues
        • 0x7bc8:$h7: Hid_IgnoredImages
        • 0x7bec:$h8: Hid_ProtectedImages
        • 0xc42e:$s1: FLTMGR.SYS
        • 0xc9aa:$s2: HAL.dll
        • 0x954e:$s3: \SystemRoot\System32\csrss.exe
        • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
        • 0x258:$s5: INIT
        • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
0.2.file.exe.100f69f0.5.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
        • 0x7b12:$h1: Hid_State
        • 0x7b26:$h2: Hid_StealthMode
        • 0x7b46:$h3: Hid_HideFsDirs
        • 0x7b64:$h4: Hid_HideFsFiles
        • 0x7b84:$h5: Hid_HideRegKeys
        • 0x7ba4:$h6: Hid_HideRegValues
        • 0x7bc8:$h7: Hid_IgnoredImages
        • 0x7bec:$h8: Hid_ProtectedImages
        • 0xc42e:$s1: FLTMGR.SYS
        • 0xc9aa:$s2: HAL.dll
        • 0x954e:$s3: \SystemRoot\System32\csrss.exe
        • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
        • 0x258:$s5: INIT
        • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
2.2.Gwogw.exe.100f69f0.4.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
        • 0x7b12:$h1: Hid_State
        • 0x7b26:$h2: Hid_StealthMode
        • 0x7b46:$h3: Hid_HideFsDirs
        • 0x7b64:$h4: Hid_HideFsFiles
        • 0x7b84:$h5: Hid_HideRegKeys
        • 0x7ba4:$h6: Hid_HideRegValues
        • 0x7bc8:$h7: Hid_IgnoredImages
        • 0x7bec:$h8: Hid_ProtectedImages
        • 0xc42e:$s1: FLTMGR.SYS
        • 0xc9aa:$s2: HAL.dll
        • 0x954e:$s3: \SystemRoot\System32\csrss.exe
        • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
        • 0x258:$s5: INIT
        • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
2.2.Gwogw.exe.10106038.5.unpack | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
          No Sigma rule has matched
          No Suricata rule has matched


          AV Detection

Source: file.exe | Avira: detected
Source: C:\Windows\System32\drivers\QAssist.sys | Avira: detection malicious, Label: RKIT/Agent.pwihj
Source: C:\Windows\SysWOW64\Gwogw.exe | Avira: detection malicious, Label: HEUR/AGEN.1346547
Source: C:\Windows\SysWOW64\Gwogw.exe | ReversingLabs: Detection: 86%
Source: C:\Windows\System32\drivers\QAssist.sys | ReversingLabs: Detection: 78%
Source: file.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Windows\SysWOW64\Gwogw.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, QAssist.sys.4.dr
          Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: z:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: x:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: v:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: t:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: r:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: p:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: n:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: l:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: j:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: h:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: f:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: b:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: y:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: w:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: u:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: s:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: q:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: o:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: m:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: k:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: i:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: g:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: e:
Source: C:\Windows\SysWOW64\Gwogw.exe | File opened: [:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10020E60 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc | 0_2_10020E60
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10020E60 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc | 2_2_10020E60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00442010 FindFirstFileA,FindClose,FindClose | 0_2_00442010
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004420D0 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 0_2_004420D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045F330 FindFirstFileA,strstr,LocalSize,LocalReAlloc,FindNextFileA,FindClose | 0_2_0045F330
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004415A0 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose | 0_2_004415A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00441770 lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_00441770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00441C90 lstrlen,FindFirstFileA,FindNextFileA,FindClose | 0_2_00441C90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 0_2_100090A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose | 0_2_10026300
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose | 0_2_10008570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_10008740
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10008C60 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose | 0_2_10008C60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10008FE0 FindFirstFileA,FindClose,FindClose | 0_2_10008FE0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_00442010 FindFirstFileA,FindClose,FindClose | 2_2_00442010
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_004420D0 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 2_2_004420D0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_0045F330 FindFirstFileA,strstr,LocalSize,LocalReAlloc,FindNextFileA,FindClose | 2_2_0045F330
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_004415A0 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose | 2_2_004415A0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_00441770 lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 2_2_00441770
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_00441C90 lstrlen,FindFirstFileA,FindNextFileA,FindClose | 2_2_00441C90
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 2_2_100090A0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose | 2_2_10026300
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose | 2_2_10008570
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 2_2_10008740
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10008C60 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose | 2_2_10008C60
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10008FE0 FindFirstFileA,FindClose,FindClose | 2_2_10008FE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00441370 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,GetVolumeInformationA,SHGetFileInfo,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen | 0_2_00441370
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 0_2_00462730
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then add dh, bl | 0_2_0044D8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then sal byte ptr [ebp+03h], 0000005Fh | 0_2_0043BF63
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 0_2_10029700
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then test byte ptr [1011BE34h], 00000008h | 0_2_100399F8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movdqa dqword ptr [edi], xmm7 | 0_2_10039B70
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 2_2_00462730
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then add dh, bl | 2_2_0044D8F0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then sal byte ptr [ebp+03h], 0000005Fh | 2_2_0043BF63
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 2_2_10029700
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then test byte ptr [1011BE34h], 00000008h | 2_2_100399F8
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 4x nop then movdqa dqword ptr [edi], xmm7 | 2_2_10039B70

          Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: global traffic | TCP traffic: 192.168.2.6:49707 -> 202.181.25.108:8089
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458040 recv | 0_2_00458040
Source: global traffic | DNS traffic detected: DNS query: facai7777777.ydns.eu
Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: file.exe, Gwogw.exe | String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://qun.qq.com%s
Source: file.exe, Gwogw.exe | String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: file.exe, file.exe, 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2094584448.000000000056B000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.appspeed.com/
Source: file.exe, 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000056B000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.appspeed.com/support
Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: file.exe, Gwogw.exe | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: file.exe, Gwogw.exe | String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\file.exe | Code function: <BackSpace> | 0_2_1000AAD0
Source: C:\Users\user\Desktop\file.exe | Code function: <Enter> | 0_2_1000AAD0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: <BackSpace> | 2_2_1000AAD0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: <Enter> | 2_2_1000AAD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044D910 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 0_2_0044D910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044D8F0 GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 0_2_0044D8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_100148E0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 0_2_100148E0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_0044D8F0 GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 2_2_0044D8F0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_0044D910 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 2_2_0044D910
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_100148E0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard | 2_2_100148E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044D980 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard | 0_2_0044D980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00443B00 Sleep,lstrlen,GetAsyncKeyState,lstrcat,lstrlen,lstrcat,lstrcat | 0_2_00443B00

          E-Banking Fraud

Source: C:\Users\user\Desktop\file.exe | Code function: malloc,SetEvent,GetUserNameA,_stricmp,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_stricmp,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe | 0_2_1000AE30
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: malloc,SetEvent,GetUserNameA,_stricmp,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_stricmp,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe | 2_2_1000AE30

          System Summary

Source: 0.2.file.exe.52fa20.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.52fa20.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.100f69f0.5.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.100f69f0.4.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
          Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
          Source: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: Process Memory Space: file.exe PID: 3384, type: MEMORYSTRMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: Process Memory Space: Gwogw.exe PID: 616, type: MEMORYSTRMatched rule: Identifies a variant of Gh0st Rat Author: unknown
          Source: C:\Windows\System32\drivers\QAssist.sys, type: DROPPEDMatched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: C:\Windows\SysWOW64\Gwogw.exe, Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004240A3 CallWindowProcA,NtdllDefWindowProc_A,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00412239 CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004122C9 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004505B0 OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,ExitProcess,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00416D7B SetPropA,GetPropA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00416DCE GetPropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00409610 CreateRectRgn,CreateRectRgn,GetClassInfoA,NtdllDefWindowProc_A,LoadCursorA,6D3A7600
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004056B0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00405700 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004240A3 CallWindowProcA,NtdllDefWindowProc_A,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00412239 CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004122C9 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004505B0 OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,ExitProcess,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00416D7B SetPropA,GetPropA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00416DCE GetPropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00409610 CreateRectRgn,CreateRectRgn,GetClassInfoA,NtdllDefWindowProc_A,LoadCursorA,6D3A7600
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004056B0 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00405700 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004908F0: DeviceIoControl,GetLastError
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0044EA30 OpenSCManagerA,OpenServiceA,GetLastError,QueryServiceStatus,ControlService,DeleteService,Sleep
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10018790 CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,Sleep,Sleep,CreateProcessAsUserA,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00447040 ExitWindowsEx
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004455A0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1000E010 ExitWindowsEx
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1000C570 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00447040 ExitWindowsEx
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004455A0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1000E010 ExitWindowsEx
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1000C570 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\Gwogw.exe, File created: C:\Windows\system32\drivers\QAssist.sys
Source: C:\Windows\SysWOW64\Gwogw.exe, File created: C:\Windows\system32\drivers\QAssist.sys
Source: C:\Users\user\Desktop\file.exe, File created: C:\Windows\SysWOW64\Gwogw.exe
Source: C:\Users\user\Desktop\file.exe, File created: C:\Windows\SysWOW64\Gwogw.exe:Zone.Identifier:$DATA
Source: C:\Windows\SysWOW64\Gwogw.exe, File created: C:\Windows\system32\drivers\QAssist.sys
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0048E010
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004CC0B0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00450110
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004901C0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004C81D0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0048E4C0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004C8500
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0044C750
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0048C770
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004CA930
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B69C0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00458980
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004C6A50
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00442A20
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B8C80
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004C8E60
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00464FD0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0045D0D0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004431D6
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004431EC
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B31B0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00443244
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00443257
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0044326A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0044327D
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00443202
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00443218
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0044322E
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00443290
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004432A3
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004432B6
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B3460
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004CB4A0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004C9500
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0048F5B0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B57E0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0048FB30
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B7C40
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B9CF0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004AFD00
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004ADEA0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0043BEB1
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004B5F60
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10093080
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100170E0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10057190
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1008F1A0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10037260
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10055490
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1008F4D0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100334E0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10013720
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10053740
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10091900
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1001F950
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007D990
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007B9A0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100099F0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1008DA20
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10037AE0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007FC50
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1008FE30
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1002BFA0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100240A0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007A180
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007A430
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10092470
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100904D0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10056580
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007C7B0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_100368E0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10032AC0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10039B50
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10056B00
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007EC10
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10080CC0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10076CD0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10030D67
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10002DC0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10074E70
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10039B70
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_1007CF30
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_10054FE0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0048E010
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004CC0B0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00450110
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004901C0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004C81D0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0048E4C0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004C8500
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0044C750
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0048C770
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004CA930
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B69C0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00458980
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004C6A50
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00442A20
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B8C80
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004C8E60
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00464FD0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0045D0D0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004431D6
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004431EC
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B31B0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00443244
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00443257
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0044326A
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0044327D
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00443202
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00443218
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0044322E
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_00443290
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004432A3
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004432B6
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B3460
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004CB4A0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004C9500
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0048F5B0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B57E0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0048FB30
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B7C40
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B9CF0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004AFD00
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004ADEA0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_0043BEB1
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_004B5F60
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10093080
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100170E0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10057190
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1008F1A0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10037260
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10055490
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1008F4D0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100334E0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10013720
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10053740
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10091900
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1001F950
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007D990
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007B9A0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100099F0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1008DA20
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10037AE0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007FC50
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1008FE30
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1002BFA0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100240A0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007A180
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007A430
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10092470
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100904D0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10056580
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007C7B0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_100368E0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10032AC0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10039B50
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10056B00
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007EC10
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10080CC0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10076CD0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10030D67
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10002DC0
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10074E70
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10039B70
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_1007CF30
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: 2_2_10054FE0
Source: Joe Sandbox View, Dropped File: C:\Windows\System32\drivers\QAssist.sys 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
Source: C:\Windows\SysWOW64\Gwogw.exe, Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 0042E744 appears 94 times
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 100174F0 appears 33 times
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 0042E1C0 appears 84 times
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: String function: 0042E744 appears 94 times
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: String function: 100174F0 appears 33 times
Source: C:\Windows\SysWOW64\Gwogw.exe, Code function: String function: 0042E1C0 appears 84 times
Source: file.exe, Static PE information: Resource name: None, type: COM executable for DOS
Source: Gwogw.exe.0.dr, Static PE information: Resource name: None, type: COM executable for DOS
Source: file.exe, 00000000.00000000.2091513325.0000000000583000.00000008.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameCLedShowDemo.EXED vs file.exe
Source: file.exe, 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameCLedShowDemo.EXED vs file.exe
Source: file.exe, Binary or memory string: OriginalFilenameCLedShowDemo.EXED vs file.exe
Source: C:\Windows\SysWOW64\Gwogw.exe, Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist
Source: file.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.file.exe.52fa20.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 2.2.Gwogw.exe.52fa20.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.file.exe.100f69f0.5.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 2.2.Gwogw.exe.100f69f0.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE, Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE, Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE, Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPE, Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
          Source: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: Process Memory Space: file.exe PID: 3384, type: MEMORYSTRMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: Process Memory Space: Gwogw.exe PID: 616, type: MEMORYSTRMatched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
          Source: C:\Windows\System32\drivers\QAssist.sys, type: DROPPEDMatched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
          Source: file.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9942340913778878
          Source: Gwogw.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9942340913778878
          Source: QAssist.sys.4.dr | Binary string: \Device\QAssist\DosDevices\QAssist
          Source: QAssist.sys.4.dr | Binary string: \Device\
          Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@9/4@1/2
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450520 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,0_2_00450520
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D950 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_0045D950
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_100174F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,0_2_100174F0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10024920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_10024920
          Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_00450520 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,2_2_00450520
          Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_0045D950 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,2_2_0045D950
          Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_100174F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,2_2_100174F0
          Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_10024920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,2_2_10024920
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D0D0 GetVersionExA,sprintf,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,FindWindowA,GetWindowTextA,GetWindow,GetClassNameA,GetTickCount,sprintf,GetDiskFreeSpaceExA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,atoi,strstr,GetSystemDirectoryA,lstrcat,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,wsprintfA,0_2_0045D0D0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E060 CreateToolhelp32Snapshot,LocalAlloc,Process32First,OpenProcess,GetPriorityClass,OpenProcessToken,malloc,LookupAccountSidA,free,CloseHandle,GetProcessMemoryInfo,GetModuleFileNameExA,GetWindowsDirectoryA,LocalSize,LocalReAlloc,CloseHandle,Process32Next,LocalReAlloc,CloseHandle,0_2_0045E060
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044F370 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0044F370
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411741 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_00411741
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452090 GetVersionExA,GetModuleFileNameA,sprintf,Sleep,GetCurrentProcessId,Sleep,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Sleep,TerminateProcess,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,ExitProcess,0_2_00452090
          Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,StartServiceCtrlDispatcherA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,2_2_1001B930
          Source: C:\Windows\SysWOW64\Gwogw.exe | Mutant created: \Sessions\1\BaseNamedObjects\facai7777777.ydns.eu:8089:Gwogwo Hxpgx
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: file.exe | ReversingLabs: Detection: 86%
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: unknown | Process created: C:\Windows\SysWOW64\Gwogw.exe C:\Windows\SysWOW64\Gwogw.exe -auto
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul
          Source: C:\Windows\SysWOW64\Gwogw.exe | Process created: C:\Windows\SysWOW64\Gwogw.exe C:\Windows\SysWOW64\Gwogw.exe -acsi
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mfc42.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp60.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: netapi32.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: samcli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: mfc42.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msvcp60.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: samcli.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winsta.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: mfc42.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msvcp60.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: samcli.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winsta.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: devenum.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: devobj.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msdmo.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: avicap32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msvfw32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: avicap32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe | Section loaded: msvfw32.dll
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: avicap32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: msvfw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: avicap32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: msvfw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: avicap32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: msvfw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: avicap32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: msvfw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: avicap32.dllJump to behavior
          Source: C:\Windows\SysWOW64\Gwogw.exeSection loaded: msvfw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\Gwogw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
          Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, QAssist.sys.4.dr
          Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043A030 LoadLibraryA,GetProcAddress,0_2_0043A030
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042E5B0 push eax; ret 0_2_0042E5DE
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042E744 push eax; ret 0_2_0042E762
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_0042E5B0 push eax; ret 2_2_0042E5DE
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_0042E744 push eax; ret 2_2_0042E762
          Source: initial sample Static PE information: section name: UPX0
          Source: initial sample Static PE information: section name: UPX1

          Persistence and Installation Behavior

          Source: C:\Users\user\Desktop\file.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000C570
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 2_2_1000C570
          Source: C:\Windows\SysWOW64\Gwogw.exe Executable created and started: C:\Windows\SysWOW64\Gwogw.exe
          Source: C:\Windows\SysWOW64\Gwogw.exe File created: C:\Windows\system32\drivers\QAssist.sys
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10021440 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree,0_2_10021440
          Source: C:\Windows\SysWOW64\Gwogw.exe File created: C:\Windows\System32\drivers\QAssist.sys (dropped file)
          Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\SysWOW64\Gwogw.exe (dropped file)

          Boot Survival

          Source: C:\Users\user\Desktop\file.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000C570
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 2_2_1000C570
          Source: C:\Windows\SysWOW64\Gwogw.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00452090 GetVersionExA,GetModuleFileNameA,sprintf,Sleep,GetCurrentProcessId,Sleep,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Sleep,TerminateProcess,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,ExitProcess,0_2_00452090

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00416605 GetSystemMenu,CreatePopupMenu,IsZoomed,IsIconic,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,IsIconic,AppendMenuA,IsZoomed,AppendMenuA,AppendMenuA,AppendMenuA,GetWindowLongA,AppendMenuA,AppendMenuA,GetCursorPos,DestroyMenu,0_2_00416605
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00412C50 IsIconic,0_2_00412C50
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403CA0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_00403CA0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00416605 GetSystemMenu,CreatePopupMenu,IsZoomed,IsIconic,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,IsIconic,AppendMenuA,IsZoomed,AppendMenuA,AppendMenuA,AppendMenuA,GetWindowLongA,AppendMenuA,AppendMenuA,GetCursorPos,DestroyMenu,2_2_00416605
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00412C50 IsIconic,2_2_00412C50
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00403CA0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,2_2_00403CA0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000C4C0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,0_2_1000C4C0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,0_2_10001140
          Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\Gwogw.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1001A4A0 0_2_1001A4A0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_1001A4A0 2_2_1001A4A0
          Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-61921
          Source: C:\Windows\SysWOW64\Gwogw.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
          Source: C:\Users\user\Desktop\file.exe Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,0_2_10015B90
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,2_2_10015B90
          Source: C:\Windows\SysWOW64\Gwogw.exe Window / User API: threadDelayed 7602
          Source: C:\Windows\SysWOW64\Gwogw.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys
          Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-62035
          Source: C:\Users\user\Desktop\file.exe API coverage: 1.3 %
          Source: C:\Windows\SysWOW64\Gwogw.exe API coverage: 1.0 %
          Source: C:\Windows\SysWOW64\Gwogw.exe TID: 6892 Thread sleep count: 328 > 30
          Source: C:\Windows\SysWOW64\Gwogw.exe TID: 6892 Thread sleep time: -19680000s >= -30000s
          Source: C:\Windows\SysWOW64\Gwogw.exe TID: 6836 Thread sleep count: 76 > 30
          Source: C:\Windows\SysWOW64\Gwogw.exe TID: 6836 Thread sleep count: 7602 > 30
          Source: C:\Windows\SysWOW64\Gwogw.exe TID: 6836 Thread sleep time: -1520400s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
          Source: C:\Windows\SysWOW64\Gwogw.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00442010 FindFirstFileA,FindClose,FindClose,0_2_00442010
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004420D0 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_004420D0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045F330 FindFirstFileA,strstr,LocalSize,LocalReAlloc,FindNextFileA,FindClose,0_2_0045F330
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004415A0 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,0_2_004415A0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00441770 lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00441770
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00441C90 lstrlen,FindFirstFileA,FindNextFileA,FindClose,0_2_00441C90
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_100090A0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_10026300
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10008570
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_10008740
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10008C60 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,0_2_10008C60
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10008FE0 FindFirstFileA,FindClose,FindClose,0_2_10008FE0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00442010 FindFirstFileA,FindClose,FindClose,2_2_00442010
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_004420D0 FindFirstFileA,FindClose,CloseHandle,CreateFileA,2_2_004420D0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_0045F330 FindFirstFileA,strstr,LocalSize,LocalReAlloc,FindNextFileA,FindClose,2_2_0045F330
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_004415A0 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,2_2_004415A0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00441770 lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,2_2_00441770
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_00441C90 lstrlen,FindFirstFileA,FindNextFileA,FindClose,2_2_00441C90
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA,2_2_100090A0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,2_2_10026300
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,2_2_10008570
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,2_2_10008740
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_10008C60 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,2_2_10008C60
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_10008FE0 FindFirstFileA,FindClose,FindClose,2_2_10008FE0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00441370 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,GetVolumeInformationA,SHGetFileInfo,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,0_2_00441370
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00450110 GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetLastInputInfo,0_2_00450110
          Source: C:\Windows\SysWOW64\Gwogw.exe Thread delayed: delay time: 60000
          Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-62114
          Source: C:\Windows\SysWOW64\Gwogw.exe API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\Gwogw.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044D2CA BlockInput,BlockInput,0_2_0044D2CA
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043A030 LoadLibraryA,GetProcAddress,0_2_0043A030
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00490600 GetFullPathNameW,GetProcessHeap,HeapFree,0_2_00490600

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000C680 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,0_2_1000C680
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: 2_2_1000C680 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,2_2_1000C680
          Source: C:\Users\user\Desktop\file.exe Code function: CreateToolhelp32Snapshot,Process32First,_stricmp,OpenProcess,TerminateProcess,_stricmp,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe 0_2_1000CDD0
          Source: C:\Windows\SysWOW64\Gwogw.exe Code function: CreateToolhelp32Snapshot,Process32First,_stricmp,OpenProcess,TerminateProcess,_stricmp,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe 2_2_1000CDD0
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044D680 _ftol,_ftol,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,0_2_0044D680
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10014650 mouse_event,GetDeviceCaps,_ftol,GetDeviceCaps,_ftol,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,mouse_event,0_2_10014650
          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00454960 GetCurrentThreadId,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,OpenSCManagerA,OpenServiceA,StartServiceA,ExitProcess,sprintf,ExitProcess,GetModuleFileNameA,Sleep,ExitProcess,0_2_00454960
          Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Progman
          Source: Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Shell_TrayWndProgman%s.exerunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255BITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00477190 cpuid 0_2_00477190
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043B370 GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,SetWindowTextA,SetDlgItemTextA,SetFocus,0_2_0043B370
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00452620 strncpy,GetUserNameA,_strcmpi,lstrcpy,CloseHandle,0_2_00452620
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00452090 GetVersionExA,GetModuleFileNameA,sprintf,Sleep,GetCurrentProcessId,Sleep,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Sleep,TerminateProcess,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,ExitProcess,0_2_00452090

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10022310 OpenServiceA 00000000,sharedaccess,000F01FF 0_2_10022310
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: acs.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: vsserv.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: avcenter.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: kxetray.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: avp.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: cfp.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: KSafeTray.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: rtvscan.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: 360tray.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: ashDisp.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: TMBMSRV.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: avgwdsvc.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: AYAgent.aye
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: QUHLPSVC.EXE
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: RavMonD.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: Mcshield.exe
          Source: file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: K7TSecurity.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.10106038.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.53f068.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.53f068.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.10106038.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.10106038.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.53f068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.10106038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.52fa20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.100f69f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.53f068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.100f69f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.52fa20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Gwogw.exe PID: 616, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gwogw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004580F0 socket,bind,getsockname,inet_addr | 0_2_004580F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004584A0 WSAStartup,socket,htons,bind,listen,CreateThread,Sleep,CloseHandle | 0_2_004584A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_1001F0C0 socket,bind,getsockname,inet_addr | 0_2_1001F0C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_1001F470 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle | 0_2_1001F470
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_004580F0 socket,bind,getsockname,inet_addr | 2_2_004580F0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_004584A0 WSAStartup,socket,htons,bind,listen,CreateThread,Sleep,CloseHandle | 2_2_004584A0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_1001F0C0 socket,bind,getsockname,inet_addr | 2_2_1001F0C0
Source: C:\Windows\SysWOW64\Gwogw.exe | Code function: 2_2_1001F470 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle | 2_2_1001F470
MITRE ATT&CK Matrix (one column per tactic; a number in front of a technique is the count the report shows for techniques matched by this analysis):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 12 Native API | 2 LSASS Driver | 2 LSASS Driver | 11 Disable or Modify Tools | 111 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | 1 Replication Through Removable Media | 12 Service Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 111 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Create Account | 1 Valid Accounts | 31 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Valid Accounts | 11 Access Token Manipulation | 11 Software Packing | NTDS | 1 System Service Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 132 Windows Service | 132 Windows Service | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | 1 Bootkit | 23 Process Injection | 1 File Deletion | Cached Domain Credentials | 16 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 13 Masquerading | DCSync | 1 Network Share Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 23 Security Software Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 11 Virtualization/Sandbox Evasion | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Access Token Manipulation | Network Sniffing | 13 Process Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 23 Process Injection | Input Capture | 11 Application Window Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Bootkit | Keylogging | 1 System Owner/User Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Indicator Removal | GUI Input Capture | 1 Remote System Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | Fileless Storage | Web Portal Capture | 1 System Network Configuration Discovery | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
Behavior Graph (ID 1568681, sample file.exe, start date 04/12/2024, architecture WINDOWS, score 100). Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures. Contacted host: facai7777777.ydns.eu.

Process tree recovered from the graph: file.exe started, dropped C:\Windows\SysWOW64\Gwogw.exe (PE32) and C:\Windows\...\Gwogw.exe:Zone.Identifier (ASCII), and started cmd.exe; signatures on file.exe: Found evasive API chain (may stop execution after checking mutex); Self deletion via cmd or bat file; Contains functionality to automate explorer (e.g. start an application); 5 other signatures. cmd.exe started PING.EXE (which contacted 127.0.0.1) and conhost.exe; signatures on cmd.exe: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks. Gwogw.exe started with signatures Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them, and started a second Gwogw.exe instance, which dropped C:\Windows\System32\drivers\QAssist.sys (PE32+), connected to facai7777777.ydns.eu (202.181.25.108, ports 49707, 49708, 49709; CLOUDIE-AS-AP Cloudie Limited HK, Hong Kong) and triggered Sample is not signed and drops a device driver.

Submitted sample:
Source | Detection | Scanner | Label
file.exe | 87% | ReversingLabs | Win32.Trojan.Strictor
file.exe | 100% | Avira | HEUR/AGEN.1346547
file.exe | 100% | Joe Sandbox ML | -

Dropped files:
Source | Detection | Scanner | Label
C:\Windows\System32\drivers\QAssist.sys | 100% | Avira | RKIT/Agent.pwihj
C:\Windows\SysWOW64\Gwogw.exe | 100% | Avira | HEUR/AGEN.1346547
C:\Windows\SysWOW64\Gwogw.exe | 100% | Joe Sandbox ML | -
C:\Windows\SysWOW64\Gwogw.exe | 87% | ReversingLabs | Win32.Trojan.Strictor
C:\Windows\System32\drivers\QAssist.sys | 79% | ReversingLabs | Win64.Backdoor.Farfli
          No Antivirus matches
          No Antivirus matches
URLs:
Source | Detection | Scanner | Label
http://www.appspeed.com/support | 0% | Avira URL Cloud | safe
http://www.appspeed.com/ | 0% | Avira URL Cloud | safe

Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
facai7777777.ydns.eu | 202.181.25.108 | true | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ssl.ptlogin2.qq.com%s | file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | false | - | high
http://www.appspeed.com/ | file.exe, file.exe, 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2094584448.000000000056B000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://www.appspeed.com/support | file.exe, 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000056B000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | file.exe, Gwogw.exe | false | - | high
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | false | - | high
https://ssl.ptlogin2.qq.com%sAccept-Language: | file.exe, Gwogw.exe | false | - | high
http://ptlogin2.qun.qq.com%s | file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | false | - | high
http://ptlogin2.qun.qq.com%sAccept-Language: | file.exe, Gwogw.exe | false | - | high
http://qun.qq.com%s | file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | false | - | high
https://localhost.ptlogin2.qq.com:4301%s | file.exe, file.exe, 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Gwogw.exe, Gwogw.exe, 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Gwogw.exe, 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp | false | - | high
http://qun.qq.com%sAccept-Language: | file.exe, Gwogw.exe | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
202.181.25.108 | facai7777777.ydns.eu | Hong Kong | 55933 | CLOUDIE-AS-APCloudieLimitedHK | false
                              IP
                              127.0.0.1
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1568681
                              Start date and time:2024-12-04 20:18:13 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 7s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.bank.troj.spyw.evad.winEXE@9/4@1/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 96%
                              • Number of executed functions: 21
                              • Number of non-executed functions: 270
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
Time | Type | Description
14:19:02 | API Interceptor | 5701969x Sleep call for process: Gwogw.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
202.181.25.108 | file.exe | malicious | Unknown
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDIE-AS-APCloudieLimitedHK | file.exe | malicious | Unknown | 202.181.25.108
CLOUDIE-AS-APCloudieLimitedHK | la.bot.powerpc.elf | malicious | Mirai | 45.192.33.233
CLOUDIE-AS-APCloudieLimitedHK | botnet.m68k.elf | malicious | Mirai, Moobot | 122.10.88.94
CLOUDIE-AS-APCloudieLimitedHK | sora.mpsl.elf | malicious | Mirai | 144.48.249.121
CLOUDIE-AS-APCloudieLimitedHK | la.bot.powerpc.elf | malicious | Unknown | 103.118.226.120
CLOUDIE-AS-APCloudieLimitedHK | bot.mpsl.elf | malicious | Mirai, Gafgyt, Okiru | 191.96.235.60
CLOUDIE-AS-APCloudieLimitedHK | bot.arm5.elf | malicious | Mirai, Gafgyt, Okiru | 191.96.235.60
CLOUDIE-AS-APCloudieLimitedHK | bot.x86.elf | malicious | Mirai, Okiru | 191.96.235.60
CLOUDIE-AS-APCloudieLimitedHK | bot.arm.elf | malicious | Mirai, Gafgyt, Okiru | 191.96.235.60
CLOUDIE-AS-APCloudieLimitedHK | bot.ppc.elf | malicious | Mirai, Gafgyt, Okiru | 191.96.235.60
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\System32\drivers\QAssist.sys | tROeAyXq2X.exe | malicious | Mimikatz, RunningRAT
C:\Windows\System32\drivers\QAssist.sys | AlpPMjLtyv.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | file.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | bkofkll.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | 9mGtakdkw3.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | gJ857x1s05.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | LisectAVT_2403002A_160.exe | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT, XRed
C:\Windows\System32\drivers\QAssist.sys | LisectAVT_2403002A_4.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | LisectAVT_2403002A_4.exe | malicious | GhostRat, Mimikatz
C:\Windows\System32\drivers\QAssist.sys | dPs664opQr.exe | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT
                                                    Process:C:\Users\user\Desktop\file.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                    Category:dropped
                                                    Size (bytes):626176
                                                    Entropy (8bit):7.957146812929295
                                                    Encrypted:false
                                                    SSDEEP:12288:nFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQ:nFmShDrngEUkDaiJfpSaoNRpMCe8CM8T
                                                    MD5:75CDC74BEFD8C953EE2C022BD8366633
                                                    SHA1:141BE71C0BEB41AD6E955C0721429BD978F2332B
                                                    SHA-256:FDA844B16B91A38417AF25D13BD0992C3344DE12EBCD0283732A3E0A6E91811D
                                                    SHA-512:057F241E0215C481ACB436F6D88E7CBC6EB7B509A6FB63BFF993E39F0B64291FDDFF8867FD81A1115AC9B7FFE402CF45D4092DE34435A997A4CCD3431FEFDCCC
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 87%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..;M.R;M.R;M.R@Q.R:M.R.B.R3M.RTR.R:M.R.Q.R8M.RTR.R0M.RTR.R?M.R.k.R9M.R;M.R.L.R.k.R8M.R=n.R?M.R=n.RmM.R.R.R0M.R.K.R:M.RRich;M.R................PE..L....>b..................... .......%.......0....@..........................P...............................................>.......0..............................................................................................................UPX0....................................UPX1.............x..................@....rsrc.... ...0.......|..............@..............................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                                                    Process:C:\Users\user\Desktop\file.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:
                                                    [ZoneTransfer]
                                                    ZoneId=0
                                                    Process:C:\Windows\SysWOW64\Gwogw.exe
                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):77896
                                                    Entropy (8bit):6.14724588578885
                                                    Encrypted:false
                                                    SSDEEP:1536:svHIPCv5eT9OrLPC5VwHrhpTrkt5Ad53vE1qXn9Jm6Y:svHIPmn/rHrhpTrkt52E1qXpY
                                                    MD5:4E34C068E764AD0FF0CB58BC4F143197
                                                    SHA1:1A392A469FC8C65D80055C1A7AAEE27BF5EBE7C4
                                                    SHA-256:6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
                                                    SHA-512:DCEA6D76452B1AC9E3C1FED7463FE873B4DD4603EC67A4E204C27BA2C1EA79415508C3044223626F0AE499A9B7A3D6FB283F0978B5E20A58E959C9440376E98B
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Source: C:\Windows\System32\drivers\QAssist.sys, Author: ditekSHen
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                    Joe Sandbox View:
                                                    • Filename: tROeAyXq2X.exe, Detection: malicious
                                                    • Filename: AlpPMjLtyv.exe, Detection: malicious
                                                    • Filename: file.exe, Detection: malicious
                                                    • Filename: bkofkll.exe, Detection: malicious
                                                    • Filename: 9mGtakdkw3.exe, Detection: malicious
                                                    • Filename: gJ857x1s05.exe, Detection: malicious
                                                    • Filename: LisectAVT_2403002A_160.exe, Detection: malicious
                                                    • Filename: LisectAVT_2403002A_4.exe, Detection: malicious
                                                    • Filename: LisectAVT_2403002A_4.exe, Detection: malicious
                                                    • Filename: dPs664opQr.exe, Detection: malicious
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Windows\SysWOW64\PING.EXE
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):331
                                                    Entropy (8bit):4.92149009030101
                                                    Encrypted:false
                                                    SSDEEP:6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
                                                    MD5:2E512EE24AAB186D09E9A1F9B72A0569
                                                    SHA1:C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
                                                    SHA-256:DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
                                                    SHA-512:6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
                                                    Malicious:false
                                                    Preview:
                                                    Pinging 127.0.0.1 with 32 bytes of data:
                                                    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
                                                    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

                                                    Ping statistics for 127.0.0.1:
                                                        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
                                                    Approximate round trip times in milli-seconds:
                                                        Minimum = 0ms, Maximum = 0ms, Average = 0ms
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                    Entropy (8bit):7.957146812929295
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.66%
                                                    • UPX compressed Win32 Executable (30571/9) 0.30%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:file.exe
                                                    File size:626'176 bytes
                                                    MD5:75cdc74befd8c953ee2c022bd8366633
                                                    SHA1:141be71c0beb41ad6e955c0721429bd978f2332b
                                                    SHA256:fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
                                                    SHA512:057f241e0215c481acb436f6d88e7cbc6eb7b509a6fb63bff993e39f0b64291fddff8867fd81a1115ac9b7ffe402cf45d4092de34435a997a4ccd3431fefdccc
                                                    SSDEEP:12288:nFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQ:nFmShDrngEUkDaiJfpSaoNRpMCe8CM8T
                                                    TLSH:F6D423BEAA8C52A7D48EC87CD21608D3951781192E9BC3ECDE79426F6FB853C191F443
                                                    Icon Hash:27129289d1d3c6e6
                                                    Entrypoint:0x5825c0
                                                    Entrypoint Section:UPX1
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:
                                                    Time Stamp:0x623EBFC3 [Sat Mar 26 07:24:51 2022 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:42eb1dc2f01a922b7f152420aa351e96
                                                    Instruction
                                                    pushad
                                                    mov esi, 004EB000h
                                                    lea edi, dword ptr [esi-000EA000h]
                                                    push edi
                                                    jmp 00007FD17D10EF0Dh
                                                    nop
                                                    mov al, byte ptr [esi]
                                                    inc esi
                                                    mov byte ptr [edi], al
                                                    inc edi
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    jc 00007FD17D10EEEFh
                                                    mov eax, 00000001h
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    adc eax, eax
                                                    add ebx, ebx
                                                    jnc 00007FD17D10EF0Dh
                                                    jne 00007FD17D10EF2Ah
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    jc 00007FD17D10EF21h
                                                    dec eax
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    adc eax, eax
                                                    jmp 00007FD17D10EED6h
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    adc ecx, ecx
                                                    jmp 00007FD17D10EF54h
                                                    xor ecx, ecx
                                                    sub eax, 03h
                                                    jc 00007FD17D10EF13h
                                                    shl eax, 08h
                                                    mov al, byte ptr [esi]
                                                    inc esi
                                                    xor eax, FFFFFFFFh
                                                    je 00007FD17D10EF77h
                                                    sar eax, 1
                                                    mov ebp, eax
                                                    jmp 00007FD17D10EF0Dh
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    jc 00007FD17D10EECEh
                                                    inc ecx
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    jc 00007FD17D10EEC0h
                                                    add ebx, ebx
                                                    jne 00007FD17D10EF09h
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    adc ecx, ecx
                                                    add ebx, ebx
                                                    jnc 00007FD17D10EEF1h
                                                    jne 00007FD17D10EF0Bh
                                                    mov ebx, dword ptr [esi]
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    jnc 00007FD17D10EEE6h
                                                    add ecx, 02h
                                                    cmp ebp, FFFFFB00h
                                                    adc ecx, 02h
                                                    lea edx, dword ptr [edi+ebp]
                                                    cmp ebp, FFFFFFFCh
                                                    jbe 00007FD17D10EF10h
                                                    mov al, byte ptr [edx]
                                                    Programming Language:
                                                    • [C++] VS98 (6.0) SP6 build 8804
                                                    • [C++] VS98 (6.0) build 8168
                                                    • [EXP] VC++ 6.0 SP5 build 8804
                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x183ee4         0x1ac         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x183000         0xee4         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                    Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                                    UPX0   0x1000           0xea000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    UPX1   0xeb000          0x98000       0x97800   0f28105def1625a3d10b7f8f01f260e8  False     0.9942340913778878  data       7.96283139695918   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc  0x183000         0x2000        0x1200    0e2d88410d9d825fc36e309e840d4aaa  False     0.4622395833333333  data       4.428871923345829  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    Name           RVA       Size   Type                                                             Language  Country  ZLIB Complexity
                                                    RT_ICON        0x183314  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152  Chinese   China    0.5762635379061372
                                                    RT_ICON        0x17dbd0  0x2e8  data                                                             Chinese   China    1.0147849462365592
                                                    RT_ICON        0x17ded0  0x2e8  data                                                             Chinese   China    1.0147849462365592
                                                    RT_ICON        0x17e1d0  0x8a8  data                                                             Chinese   China    1.0049638989169676
                                                    RT_DIALOG      0x17ea90  0xee   data                                                             Chinese   China    1.046218487394958
                                                    RT_DIALOG      0x17eb80  0x6d4  data                                                             Chinese   China    1.0062929061784898
                                                    RT_STRING      0x17f5f0  0x4c   PGP Secret Sub-key -                                             Chinese   China    1.144736842105263
                                                    RT_GROUP_ICON  0x183bc0  0x14   data                                                             Chinese   China    1.15
                                                    RT_GROUP_ICON  0x17deb8  0x14   data                                                             Chinese   China    1.4
                                                    RT_GROUP_ICON  0x17e1b8  0x14   data                                                             Chinese   China    1.45
                                                    RT_GROUP_ICON  0x17ea78  0x14   data                                                             Chinese   China    1.4
                                                    RT_VERSION     0x183bd8  0x30c  data                                                             Chinese   China    0.4782051282051282
                                                    None           0x17f568  0x82   COM executable for DOS                                           Chinese   China    1.0846153846153845
                                                    DLL           Import
                                                    COMCTL32.dll  ImageList_Draw
                                                    GDI32.dll     Arc
                                                    KERNEL32.DLL  LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                                                    MFC42.DLL
                                                    MSVCP60.dll   ??0_Lockit@std@@QAE@XZ
                                                    MSVCRT.dll    sin
                                                    USER32.dll    GetDC
                                                    Language of compilation system  Country where language is spoken
                                                    Chinese                         China
                                                    Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                                    Dec 4, 2024 20:19:03.712018013 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:03.835254908 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:03.835398912 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:04.283252001 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:04.409935951 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:04.823290110 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:04.943762064 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:05.497795105 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:05.626509905 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:06.123467922 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:06.244199038 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:06.747754097 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:06.856956005 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:06.858390093 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:06.868015051 CET  8089         49707      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:06.868084908 CET  49707        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:06.978135109 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:06.978326082 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:07.281971931 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:07.401896000 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:07.826189041 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:07.946012020 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:08.450864077 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:08.573353052 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:09.076132059 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:09.207217932 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:09.701277971 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:09.810028076 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:09.811611891 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:09.821016073 CET  8089         49708      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:09.821078062 CET  49708        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:09.935988903 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:09.936081886 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:10.209657907 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:10.330348015 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:10.823419094 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:10.943461895 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:11.451133966 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:11.575582981 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:12.076076984 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:12.196031094 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:12.701109886 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:12.810014009 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:12.812005997 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:12.824656963 CET  8089         49709      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:12.824840069 CET  49709        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:12.931791067 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:12.932054996 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:13.216836929 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:13.337352037 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:13.752990007 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:13.873950005 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:14.372891903 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:14.494815111 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:15.013566017 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:15.135255098 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:15.638545990 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:15.747607946 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:15.749811888 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:15.758449078 CET  8089         49711      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:15.758524895 CET  49711        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:15.876202106 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:15.876296997 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:16.596976042 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:16.835947990 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:17.133594990 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:17.253518105 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:17.764106035 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:17.888672113 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:18.388997078 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:18.510550976 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:19.072696924 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:19.192388058 CET  8089         49713      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:19.260840893 CET  49713        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:19.262339115 CET  49719        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:19.382194996 CET  8089         49719      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:19.382286072 CET  49719        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:19.803263903 CET  49719        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:19.923063040 CET  8089         49719      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:20.216430902 CET  49719        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:20.217583895 CET  49720        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:20.337378979 CET  8089         49720      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:20.339186907 CET  49720        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:23.232832909 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:23.352742910 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:23.354398012 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:23.854348898 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:23.975420952 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:24.361689091 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:24.484699011 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:25.001332998 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:25.121150970 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:25.623390913 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:25.744770050 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:26.248090982 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:26.356981993 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:26.368442059 CET  8089         49735      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:26.368498087 CET  49735        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:29.374087095 CET  49748        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:29.569931984 CET  8089         49748      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:29.570023060 CET  49748        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:29.882838011 CET  49748        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:30.002789974 CET  8089         49748      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:30.393217087 CET  49748        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:30.518322945 CET  8089         49748      202.181.25.108  192.168.2.6
                                                    Dec 4, 2024 20:19:31.015067101 CET  49748        8089       192.168.2.6     202.181.25.108
                                                    Dec 4, 2024 20:19:31.134946108 CET808949748202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:31.673007965 CET497488089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:31.793016911 CET808949748202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:32.358880997 CET497488089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:32.466417074 CET497488089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:32.481504917 CET808949748202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:32.481553078 CET497488089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:35.482804060 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:35.603669882 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:35.603815079 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:35.923120975 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:36.043219090 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:36.441037893 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:36.565172911 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:37.060710907 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:37.180648088 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:37.701386929 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:37.821078062 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:38.326493979 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:38.435064077 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:38.449495077 CET808949762202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:38.449726105 CET497628089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:41.451699972 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:41.571477890 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:41.571594954 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:41.909609079 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:42.030320883 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:42.425304890 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:42.545583010 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:43.048088074 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:43.168082952 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:43.671051979 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:43.790780067 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:44.300136089 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:44.403763056 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:44.544162989 CET808949763202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:44.544255018 CET497638089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:47.420593977 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:47.540380955 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:47.540504932 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:47.834217072 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:47.954020023 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:48.346229076 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:48.469902992 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:48.967123985 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:49.087197065 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:49.592521906 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:49.716439962 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:50.313869953 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:50.419667006 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:50.433729887 CET808949764202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:50.433782101 CET497648089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:53.438826084 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:53.558722019 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:53.559087992 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:53.921849012 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:54.041692972 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:54.440918922 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:54.561094046 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:55.061943054 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:55.181791067 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:55.686659098 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:55.807368994 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:56.311906099 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:56.419640064 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:56.432460070 CET808949766202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:56.432586908 CET497668089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:59.436021090 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:59.558456898 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:19:59.558590889 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:59.827169895 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:19:59.946985960 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:00.346463919 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:00.466289997 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:00.967155933 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:01.086884975 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:01.604072094 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:01.724330902 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:02.250021935 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:02.356981993 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:02.369853020 CET808949767202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:02.369906902 CET497678089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:05.373622894 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:05.493745089 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:05.494039059 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:05.781699896 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:05.901555061 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:06.299824953 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:06.419641972 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:06.921343088 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:07.041161060 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:07.546550035 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:07.666269064 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:08.171153069 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:08.283617020 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:08.291521072 CET808949770202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:08.291676998 CET497708089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:11.295723915 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:11.416320086 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:11.416400909 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:11.712658882 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:11.835577965 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:12.223611116 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:12.346390009 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:12.843210936 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:12.965641975 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:13.468452930 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:13.591696978 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:14.093286037 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:14.200618982 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:14.214148045 CET808949772202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:14.214200020 CET497728089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:17.217536926 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:17.341085911 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:17.341223001 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:18.023974895 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:18.143838882 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:18.537432909 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:18.662210941 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:19.155879021 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:19.275748014 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:19.780968904 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:19.904098034 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:20.406359911 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:20.513184071 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:20.528354883 CET808949773202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:20.528398037 CET497738089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:23.530241013 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:23.650907040 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:23.651056051 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:24.464143991 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:24.584172964 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:24.975872993 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:25.095818996 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:25.609085083 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:25.729127884 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:26.237166882 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:26.363862038 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:26.859405041 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:26.967422962 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:26.979511023 CET808949774202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:26.979561090 CET497748089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:29.983510017 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:30.582252979 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:30.583244085 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:31.576848984 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:31.696599960 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:32.175223112 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:32.295319080 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:32.797585011 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:32.917788982 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:33.421885967 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:33.546308994 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:34.103148937 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:34.258594990 CET808949775202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:34.387346029 CET497758089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:37.436691999 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:37.556539059 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:37.557233095 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:38.128777981 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:38.335611105 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:38.651349068 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:38.771955013 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:39.339246988 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:39.459214926 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:39.969022036 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:40.088879108 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:40.593858004 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:40.700783014 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:40.713691950 CET808949777202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:40.713758945 CET497778089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:43.717408895 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:43.837316990 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:43.841262102 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:44.346143007 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:44.466116905 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:45.062167883 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:45.182707071 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:45.689260960 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:45.849900007 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:46.311662912 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:46.431349039 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:46.940579891 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:47.044359922 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:47.061295986 CET808949778202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:47.061410904 CET497788089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:50.070307016 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:50.190273046 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:50.190349102 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:51.213186026 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:51.334666014 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:51.725595951 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:51.845463991 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:52.359329939 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:52.479145050 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:52.984507084 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:53.104295969 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:53.609540939 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:53.716361046 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:54.002368927 CET808949779202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:54.002509117 CET497798089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:56.733655930 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:56.879199028 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:56.879487991 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:57.392983913 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:57.518660069 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:57.915579081 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:58.035871029 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:58.547044992 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:58.668596029 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:59.172646046 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:59.292453051 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:59.797111034 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:59.903850079 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:20:59.917247057 CET808949780202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:20:59.917303085 CET497808089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:02.921061039 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:03.117491961 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:03.117650986 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:04.234544039 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:04.354527950 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:04.755858898 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:04.876142025 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:05.375215054 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:05.497977972 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:06.009023905 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:06.130914927 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:06.671886921 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:06.779011011 CET497818089192.168.2.6202.181.25.108
                                                    Dec 4, 2024 20:21:06.792414904 CET808949781202.181.25.108192.168.2.6
                                                    Dec 4, 2024 20:21:06.793312073 CET497818089192.168.2.6202.181.25.108
Dec 4, 2024 20:21:09.795978069 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:09.916836977 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:09.917217970 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:10.473161936 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:10.922734976 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:10.989643097 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:11.110393047 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:11.609451056 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:11.732362986 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:12.234425068 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:12.355345011 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:12.859543085 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:12.966269016 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:12.979360104 CET | 8089 | 49783 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:12.983396053 CET | 49783 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:15.983393908 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:16.103897095 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:16.104038954 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:16.680566072 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:16.800324917 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:17.204401016 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:17.328511953 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:17.860107899 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:17.983967066 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:18.498615026 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:18.618447065 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:19.123986959 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:19.231965065 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:19.243815899 CET | 8089 | 49784 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:19.243892908 CET | 49784 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:22.257528067 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:22.377640963 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:22.377723932 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:22.923748016 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:23.044244051 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:23.442753077 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:23.562921047 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:24.061197042 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:24.181669950 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:24.686244011 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:24.806488991 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:25.310931921 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:25.419621944 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:25.433260918 CET | 8089 | 49785 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:25.435339928 CET | 49785 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:28.436629057 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:28.556507111 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:28.556607962 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:28.812254906 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:28.932965994 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:29.326370955 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:29.446283102 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:29.950994015 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:30.072838068 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:30.576174021 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:30.696291924 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:31.201155901 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:31.310220003 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:31.326663971 CET | 8089 | 49786 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:31.326734066 CET | 49786 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:34.327438116 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:34.448060989 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:34.448354006 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:34.763828993 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:34.885230064 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:35.279153109 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:35.398973942 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:35.904407024 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:36.040661097 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:36.529151917 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:36.649061918 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:37.154048920 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:37.263482094 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:37.274063110 CET | 8089 | 49787 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:37.276892900 CET | 49787 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:40.279716969 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:40.399564981 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:40.401238918 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:40.672379017 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:40.792438984 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:41.185364008 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:41.306711912 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:41.810429096 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:42.065982103 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:42.435343027 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:42.629527092 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:43.099622011 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:43.201093912 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:43.219322920 CET | 8089 | 49788 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:43.219393969 CET | 49788 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:46.217521906 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:46.338085890 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:46.338167906 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:46.592561960 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:46.713417053 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:47.363374949 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:47.483483076 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:47.982362986 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:48.102312088 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:48.607562065 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:48.728712082 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:49.232975960 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:49.342279911 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:49.358640909 CET | 8089 | 49790 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:49.358779907 CET | 49790 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:52.358144045 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:52.479222059 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:52.479448080 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:52.924607038 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:53.045581102 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:53.435646057 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:53.555422068 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:54.060307980 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:54.180843115 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:54.685575962 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:54.806776047 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:55.341795921 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:55.450855017 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:55.461661100 CET | 8089 | 49791 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:55.461714029 CET | 49791 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:58.467797041 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:58.587634087 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:58.591727972 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:58.883693933 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:59.003599882 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:21:59.440638065 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:21:59.560425997 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:00.123222113 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:00.243983984 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:00.748131990 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:00.869369984 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:01.373394012 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:01.482371092 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:01.493323088 CET | 8089 | 49792 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:01.493527889 CET | 49792 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:04.499327898 CET | 49793 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:04.619544983 CET | 8089 | 49793 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:04.619648933 CET | 49793 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:04.740212917 CET | 8089 | 49793 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:04.743258953 CET | 49793 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:04.743458033 CET | 49793 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:07.905565977 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:08.025669098 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:08.025739908 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:08.321860075 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:08.444557905 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:08.825987101 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:08.945830107 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:09.451225042 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:09.571654081 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:10.076004028 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:10.196507931 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:10.700984001 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:10.810038090 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:10.820753098 CET | 8089 | 49794 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:10.820813894 CET | 49794 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:13.828478098 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:13.948297977 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:13.948400974 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:14.220104933 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:14.340912104 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:14.732325077 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:14.852379084 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:15.357213974 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:15.477752924 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:15.983874083 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:16.104054928 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:16.857415915 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:16.966945887 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:16.977041006 CET | 8089 | 49795 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:16.977104902 CET | 49795 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:19.983484983 CET | 49796 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:20.104011059 CET | 8089 | 49796 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:20.104089022 CET | 49796 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:20.224433899 CET | 8089 | 49796 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:20.224541903 CET | 49796 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:20.224670887 CET | 49796 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:23.436744928 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:23.557699919 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:23.557797909 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:23.845208883 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:23.965435982 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:24.357410908 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:24.489386082 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:25.078469038 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:25.201121092 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:25.717012882 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:25.837604046 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:26.341609001 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:26.450685978 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:26.461761951 CET | 8089 | 49797 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:26.461811066 CET | 49797 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:29.467652082 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:29.589907885 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:29.593187094 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:29.850752115 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:29.971832037 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:30.357486010 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:30.479720116 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:30.982214928 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:31.102371931 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:31.607346058 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:31.727025986 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:32.232347012 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:32.341283083 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:32.352312088 CET | 8089 | 49798 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:32.354015112 CET | 49798 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:35.358154058 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:35.483057976 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:35.483136892 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:35.740497112 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:35.860816002 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:36.248100042 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:36.367983103 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:36.873528004 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:37.012557983 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:37.497899055 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:37.619319916 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:38.122910976 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:38.231944084 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:38.244360924 CET | 8089 | 49800 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:38.244425058 CET | 49800 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:41.249075890 CET | 49801 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:41.368813992 CET | 8089 | 49801 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:41.373272896 CET | 49801 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:41.493175983 CET | 8089 | 49801 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:41.497265100 CET | 49801 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:41.497440100 CET | 49801 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:44.686660051 CET | 49802 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:44.955486059 CET | 8089 | 49802 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:44.955651045 CET | 49802 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:45.076175928 CET | 8089 | 49802 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:45.076361895 CET | 49802 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:45.076591015 CET | 49802 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:48.203722000 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:48.323746920 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:48.325253010 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:48.840704918 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:48.960391998 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:49.341757059 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:49.461513042 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:49.966701031 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:50.087747097 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:50.591543913 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:50.711532116 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:51.490813017 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:51.591778040 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:51.610580921 CET | 8089 | 49803 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:51.611231089 CET | 49803 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:54.608433008 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:54.728755951 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:54.728832960 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:54.987929106 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:55.111285925 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:55.498017073 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:55.624017000 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:56.123033047 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:56.242850065 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:56.747936964 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:56.867667913 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:57.372952938 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:57.481955051 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:22:57.492768049 CET | 8089 | 49804 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:22:57.493227959 CET | 49804 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:00.503076077 CET | 49805 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:00.628962994 CET | 8089 | 49805 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:00.629055023 CET | 49805 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:00.751823902 CET | 8089 | 49805 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:00.752039909 CET | 49805 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:00.752470970 CET | 49805 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:03.889904022 CET | 49806 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:04.009653091 CET | 8089 | 49806 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:04.009798050 CET | 49806 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:04.130557060 CET | 8089 | 49806 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:04.130616903 CET | 49806 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:04.130911112 CET | 49806 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:07.342499971 CET | 49807 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:07.462486982 CET | 8089 | 49807 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:07.463419914 CET | 49807 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:07.583781004 CET | 8089 | 49807 | 202.181.25.108 | 192.168.2.6
Dec 4, 2024 20:23:07.585244894 CET | 49807 | 8089 | 192.168.2.6 | 202.181.25.108
Dec 4, 2024 20:23:07.585397005 CET | 49807 | 8089 | 192.168.2.6 | 202.181.25.108
                                                    Timestamp                            Source Port   Dest Port   Source IP     Dest IP
                                                    Dec 4, 2024 20:19:03.477992058 CET   52862         53          192.168.2.6   1.1.1.1
                                                    Dec 4, 2024 20:19:03.708614111 CET   53            52862       1.1.1.1       192.168.2.6

                                                    Timestamp                            Source IP     Dest IP       Trans ID   OP Code              Name                   Type             Class         DNS over HTTPS
                                                    Dec 4, 2024 20:19:03.477992058 CET   192.168.2.6   1.1.1.1       0x2b36     Standard query (0)   facai7777777.ydns.eu   A (IP address)   IN (0x0001)   false

                                                    Timestamp                            Source IP     Dest IP       Trans ID   Reply Code     Name                   CName   Address          Type             Class         DNS over HTTPS
                                                    Dec 4, 2024 20:19:03.708614111 CET   1.1.1.1       192.168.2.6   0x2b36     No error (0)   facai7777777.ydns.eu           202.181.25.108   A (IP address)   IN (0x0001)   false
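The TCP rows above show the sample reconnecting to 202.181.25.108:8089 from a fresh ephemeral port (49805, 49806, 49807) every 3.3 to 3.5 s, each session lasting about a quarter of a second, after resolving that address from facai7777777.ydns.eu. The script below is an added example, not part of the report or of Joe Sandbox: it re-types those packet rows and the DNS answer as constructed input and flags the periodic flow. The tab-separated record layout, the "higher port number is the client side" heuristic, and the jitter and count thresholds are assumptions of this script, not anything the sandbox exports.

```python
"""Beacon heuristic over the per-packet rows of a sandbox network capture.

Added example; not part of the report or of Joe Sandbox. The input below is
re-typed from the TCP and DNS rows above into a tab-separated layout that is
an assumption of this script, not the sandbox's export format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed from the report's packet rows: timestamp, src port, dst port, src IP, dst IP.
# The first connection (port 49805) was opened before this excerpt begins, so its
# earliest packet here is the server's reply rather than the client's SYN.
SAMPLE_PACKETS = """\
Dec 4, 2024 20:23:00.628962994 CET\t8089\t49805\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:00.629055023 CET\t49805\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:00.751823902 CET\t8089\t49805\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:00.752039909 CET\t49805\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:00.752470970 CET\t49805\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:03.889904022 CET\t49806\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:04.009653091 CET\t8089\t49806\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:04.009798050 CET\t49806\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:04.130557060 CET\t8089\t49806\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:04.130616903 CET\t49806\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:04.130911112 CET\t49806\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:07.342499971 CET\t49807\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:07.462486982 CET\t8089\t49807\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:07.463419914 CET\t49807\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:07.583781004 CET\t8089\t49807\t202.181.25.108\t192.168.2.6
Dec 4, 2024 20:23:07.585244894 CET\t49807\t8089\t192.168.2.6\t202.181.25.108
Dec 4, 2024 20:23:07.585397005 CET\t49807\t8089\t192.168.2.6\t202.181.25.108
"""

# Re-typed from the report's DNS answer row: name -> answered address.
DNS_ANSWERS = {"facai7777777.ydns.eu": "202.181.25.108"}

EPOCH = datetime(2024, 1, 1)  # arbitrary fixed reference; only differences are used


def parse_ts(text):
    """'Dec 4, 2024 20:23:00.628962994 CET' -> seconds relative to EPOCH (zone token dropped)."""
    stamp = text.rsplit(" ", 1)[0]                 # strip the trailing zone token
    base, frac = stamp.split(".")
    whole = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return whole + int(frac) / 10 ** len(frac)     # keep the 9-digit fraction strptime rejects


def parse_packets(text):
    packets = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = line.split("\t")
        packets.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return packets


def connections(packets):
    """Collapse packets into connections: (client, server, server_port, client_port) -> (first, last)."""
    conns = {}
    for t, sport, dport, sip, dip in packets:
        # Assumption: the higher port number is the ephemeral (client) side of the flow.
        key = (sip, dip, dport, sport) if sport > dport else (dip, sip, sport, dport)
        first, last = conns.get(key, (t, t))
        conns[key] = (min(first, t), max(last, t))
    return conns


def find_beacons(packets, min_conns=3, max_jitter=0.25):
    """Flag (client, server, server_port) peers contacted repeatedly at a regular interval.

    Returns {peer: (mean_gap_s, jitter, n_conns, mean_duration_s)}, where jitter is the
    relative spread (max-min)/mean of the gaps between successive connection starts.
    Both thresholds are assumptions to tune per environment.
    """
    starts, durations = defaultdict(list), defaultdict(list)
    for (cip, sip, sport, _cport), (first, last) in connections(packets).items():
        starts[(cip, sip, sport)].append(first)
        durations[(cip, sip, sport)].append(last - first)
    beacons = {}
    for peer, times in starts.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = (max(gaps) - min(gaps)) / avg
        if jitter <= max_jitter:
            beacons[peer] = (round(avg, 3), round(jitter, 3), len(times),
                             round(mean(durations[peer]), 3))
    return beacons


def resolved_names(ip, answers=DNS_ANSWERS):
    """Names whose A record answered with this address, tying the beacon back to the DNS row."""
    return sorted(name for name, addr in answers.items() if addr == ip)


if __name__ == "__main__":
    for (client, server, port), (gap, jitter, n, dur) in find_beacons(parse_packets(SAMPLE_PACKETS)).items():
        names = ", ".join(resolved_names(server)) or "no DNS answer seen"
        print(f"{client} -> {server}:{port}  {n} connections every {gap}s "
              f"(jitter {jitter}, mean duration {dur}s)  resolved from: {names}")
```

On the rows above this reports one peer, 192.168.2.6 -> 202.181.25.108:8089, three connections with a mean gap of about 3.36 s and a relative jitter around 0.06, resolved from facai7777777.ydns.eu. Three connections is the minimum this excerpt supports; on a longer capture raise `min_conns` and tighten `max_jitter`, since benign pollers (NTP, update checks) also look periodic and the distinguishing signal is usually the dynamic-DNS name plus the non-standard port rather than the timing alone.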

                                                    Target ID:0
                                                    Start time:14:19:01
                                                    Start date:04/12/2024
                                                    Path:C:\Users\user\Desktop\file.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                                    Imagebase:0x400000
                                                    File size:626'176 bytes
                                                    MD5 hash:75CDC74BEFD8C953EE2C022BD8366633
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:14:19:01
                                                    Start date:04/12/2024
                                                    Path:C:\Windows\SysWOW64\Gwogw.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\Gwogw.exe -auto
                                                    Imagebase:0x400000
                                                    File size:626'176 bytes
                                                    MD5 hash:75CDC74BEFD8C953EE2C022BD8366633
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000002.00000002.2095303733.00000000100F5000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000002.00000002.2094584448.000000000051F000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 87%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:14:19:02
                                                    Start date:04/12/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul
                                                    Imagebase:0x1c0000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:14:19:02
                                                    Start date:04/12/2024
                                                    Path:C:\Windows\SysWOW64\Gwogw.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\Gwogw.exe -acsi
                                                    Imagebase:0x400000
                                                    File size:626'176 bytes
                                                    MD5 hash:75CDC74BEFD8C953EE2C022BD8366633
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:5
                                                    Start time:14:19:02
                                                    Start date:04/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:14:19:02
                                                    Start date:04/12/2024
                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:ping -n 2 127.0.0.1
                                                    Imagebase:0x140000
                                                    File size:18'944 bytes
                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true
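Two host-side patterns in the process list above are worth alerting on from endpoint telemetry: the sample spawning cmd.exe to run `ping -n 2 127.0.0.1` as a sleep and then `del` its own dropper (Targets 3 and 6), and the same MD5 (75CDC74BEFD8C953EE2C022BD8366633) running first from the user's Desktop and then from C:\Windows\SysWOW64 as Gwogw.exe with `-auto` and `-acsi` arguments (Targets 0, 2 and 4). The script below is an added example, not Joe Sandbox code: the records are re-typed from the report, and because the report does not show parent/child links the checks key on image paths and hashes rather than on process ancestry. The command-line variants the regex tolerates (a single `&`, `del` switches, a quoted path) and the directory prefix lists are assumptions.

```python
"""Host-side detection over the process list above.

Added example; not Joe Sandbox code. PROCESSES is re-typed from the report
(target id, image path, command line, MD5). Parent/child links are not shown
in the report, so matching uses paths and hashes only.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the report's process list.
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'"C:\Users\user\Desktop\file.exe"',
     "md5": "75CDC74BEFD8C953EE2C022BD8366633"},
    {"id": 2, "path": r"C:\Windows\SysWOW64\Gwogw.exe",
     "cmd": r"C:\Windows\SysWOW64\Gwogw.exe -auto",
     "md5": "75CDC74BEFD8C953EE2C022BD8366633"},
    {"id": 3, "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\file.exe > nul",
     "md5": "D0FCE3AFA6AA1D58CE9FA336CC2B675B"},
    {"id": 4, "path": r"C:\Windows\SysWOW64\Gwogw.exe",
     "cmd": r"C:\Windows\SysWOW64\Gwogw.exe -acsi",
     "md5": "75CDC74BEFD8C953EE2C022BD8366633"},
    {"id": 5, "path": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D"},
    {"id": 6, "path": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": r"ping -n 2 127.0.0.1",
     "md5": "B3624DD758CCECF93A1226CEF252CA12"},
]

# ping to loopback used as a sleep, then del of a path: the self-deletion idiom.
# Assumed variants: a single '&', del switches such as /q /f, an optionally quoted path.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*127\.0\.0\.1[^&]*&&?\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&>|]+?)"?\s*(?:[>&|]|$)',
    re.IGNORECASE,
)

# Assumed prefix lists; extend with %TEMP%, %APPDATA% and other writable locations as needed.
USER_WRITABLE = ("c:\\users\\",)
WINDOWS_DIR = ("c:\\windows\\",)


def self_delete_chains(procs):
    """(cmd.exe id, deleted path, id of the process that ran from that path, or None)."""
    images = {p["path"].lower(): p["id"] for p in procs}
    hits = []
    for p in procs:
        if PureWindowsPath(p["path"]).name.lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p["cmd"])
        if m:
            target = m.group("target").strip().lower()
            hits.append((p["id"], target, images.get(target)))
    return hits


def relocated_copies(procs):
    """MD5s executed both from a user-writable path and from under the Windows directory.

    Catches the dropper copying itself into a system directory under a new name:
    {md5: (user_paths, system_paths)}.
    """
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p["md5"].lower()].add(p["path"].lower())
    findings = {}
    for digest, paths in by_hash.items():
        user = sorted(x for x in paths if x.startswith(USER_WRITABLE))
        system = sorted(x for x in paths if x.startswith(WINDOWS_DIR))
        if user and system:
            findings[digest] = (user, system)
    return findings


if __name__ == "__main__":
    for cmd_id, target, victim in self_delete_chains(PROCESSES):
        print(f"self-delete: target {cmd_id} deletes {target} (image of target {victim})")
    for digest, (user, system) in relocated_copies(PROCESSES).items():
        print(f"relocated copy: {digest} ran from {user} and {system}")
```

The self-delete match is strongest when the deleted path equals the image of an earlier process, as it does here (Target 3 deletes Target 0's image); a `del` of an unrelated file is ordinary batch housekeeping. The relocation check is hash-based on purpose: the new name Gwogw.exe and the `-auto` argument are specific to this sample, whereas an identical hash running from both a profile directory and C:\Windows generalises to any dropper that installs itself as a service.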

                                                      Execution Graph

                                                      Execution Coverage:0.8%
                                                      Dynamic/Decrypted Code Coverage:59.9%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:274
                                                      Total number of Limit Nodes:15
                                                      execution_graph 61898 1001b930 12 API calls 61974 100174c0 GetModuleHandleA 61898->61974 61900 1001bb36 61901 100174c0 3 API calls 61900->61901 61902 1001bbb8 61901->61902 61903 100174c0 3 API calls 61902->61903 61904 1001bc29 61903->61904 61905 100174c0 3 API calls 61904->61905 61906 1001bd4d 61905->61906 61907 100174c0 3 API calls 61906->61907 61908 1001beae 61907->61908 61909 100174c0 3 API calls 61908->61909 61910 1001bfdb 61909->61910 61911 100174c0 3 API calls 61910->61911 61912 1001c089 61911->61912 61913 100174c0 3 API calls 61912->61913 61914 1001c123 61913->61914 61915 100174c0 3 API calls 61914->61915 61916 1001c16d 61915->61916 61917 100174c0 3 API calls 61916->61917 61918 1001c1f3 61917->61918 61919 100174c0 3 API calls 61918->61919 61920 1001c29e GetCurrentThreadId PostThreadMessageA 61919->61920 61921 1001c2b9 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 61920->61921 61923 1001c3a2 GetLastError 61921->61923 61925 1001c3b3 61921->61925 61924 1001c7e8 61923->61924 61923->61925 61926 1001c7c3 61925->61926 61927 1001c41c 61925->61927 61930 1001ade0 14 API calls 61926->61930 61928 1001c428 strstr 61927->61928 61929 1001c57d 61927->61929 61931 1001c455 61928->61931 61932 1001c444 Sleep 61928->61932 61929->61924 61934 1001ade0 14 API calls 61929->61934 61933 1001c7d4 Sleep 61930->61933 61978 1001c800 OpenSCManagerA 61931->61978 62046 1001b8f0 24 API calls 61932->62046 62061 1001b8f0 24 API calls 61933->62061 61938 1001c59c 61934->61938 61938->61924 61945 1001c5d5 sprintf 61938->61945 61940 1001c45f 61942 1001c4f3 sprintf 61940->61942 61943 1001c46a 61940->61943 61983 1001ade0 sprintf GetLocalTime sprintf 61942->61983 61948 1001c48f OpenSCManagerA 61943->61948 61962 1001c4e2 Sleep 61943->61962 61950 1001c63e 61945->61950 61952 1001c4a2 OpenServiceA 61948->61952 61948->61962 61954 1001c7b2 Sleep 61950->61954 61955 1001c647 GetModuleFileNameA sprintf 61950->61955 61951 
1001c56e 62023 1001b3d0 61951->62023 61957 1001c4bc StartServiceA 61952->61957 61958 1001c4df CloseServiceHandle 61952->61958 62060 1001b8f0 24 API calls 61954->62060 61966 1001c6f9 Sleep 61955->61966 61959 1001c4ca CloseServiceHandle CloseServiceHandle 61957->61959 61960 1001c4dd CloseServiceHandle 61957->61960 61958->61962 61964 1001b3d0 16 API calls 61959->61964 61960->61958 62047 1001b8f0 24 API calls 61962->62047 61963 1001c576 ExitProcess 61967 1001c4d6 ExitProcess 61964->61967 61968 1001c74f 61966->61968 62048 1001b170 61968->62048 61971 1001c7a6 61972 1001b3d0 16 API calls 61971->61972 61973 1001c7ab ExitProcess 61972->61973 61975 100174d0 LoadLibraryA 61974->61975 61976 100174db GetProcAddress 61974->61976 61975->61976 61977 100174e9 61975->61977 61976->61900 61977->61900 61979 1001c813 61978->61979 61980 1001c815 OpenServiceA 61978->61980 61979->61940 61981 1001c835 CloseServiceHandle CloseServiceHandle 61980->61981 61982 1001c82a CloseServiceHandle 61980->61982 61981->61940 61982->61940 62062 10012640 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 61983->62062 61986 1001c850 61987 100174c0 3 API calls 61986->61987 61988 1001c8e0 61987->61988 61989 100174c0 3 API calls 61988->61989 61990 1001c938 61989->61990 61991 100174c0 3 API calls 61990->61991 61992 1001c9b6 61991->61992 61993 100174c0 3 API calls 61992->61993 61994 1001c9fe 61993->61994 61995 100174c0 3 API calls 61994->61995 61996 1001ca9d 61995->61996 61997 100174c0 3 API calls 61996->61997 61998 1001cb4a 61997->61998 61999 100174c0 3 API calls 61998->61999 62000 1001cbf7 61999->62000 62001 100174c0 3 API calls 62000->62001 62002 1001cc65 62001->62002 62003 100174c0 3 API calls 62002->62003 62004 1001cd0e 62003->62004 62005 100174c0 3 API calls 62004->62005 62006 1001cd84 62005->62006 62007 100174c0 3 API calls 62006->62007 62008 1001ce1b GetModuleFileNameA _strnicmp 62007->62008 62009 1001cec7 Sleep 62008->62009 62010 1001ce76 62008->62010 62085 1000e700 62009->62085 62078 1001afb0 
62010->62078 62015 1001b170 4 API calls 62016 1001ce91 62015->62016 62019 1001ceb6 SetFileAttributesA 62016->62019 62017 1001cf5a 62018 1001cfd2 62017->62018 62020 1001cfd4 GetLastError 62017->62020 62021 1001cf97 UnlockServiceDatabase 62017->62021 62018->61951 62019->62009 62020->62018 62021->62018 62024 100174c0 3 API calls 62023->62024 62025 1001b4c1 62024->62025 62026 100174c0 3 API calls 62025->62026 62027 1001b548 62026->62027 62028 100174c0 3 API calls 62027->62028 62029 1001b5ad 62028->62029 62030 100174c0 3 API calls 62029->62030 62031 1001b628 62030->62031 62032 100174c0 3 API calls 62031->62032 62033 1001b686 62032->62033 62034 100174c0 3 API calls 62033->62034 62035 1001b6da GetModuleFileNameA 62034->62035 62036 1001b8d5 62035->62036 62037 1001b6fc GetShortPathNameA 62035->62037 62036->61963 62037->62036 62038 1001b71b GetEnvironmentVariableA 62037->62038 62038->62036 62039 1001b73b SetFileAttributesA 62038->62039 62040 1001b74c 62039->62040 62040->62040 62041 1001b75e GetCurrentProcess SetPriorityClass GetCurrentThread SetThreadPriority 62040->62041 62042 1001b88d 62041->62042 62043 1001b891 SetPriorityClass SetThreadPriority ResumeThread 62042->62043 62044 1001b8c3 GetCurrentProcess 62042->62044 62043->61963 62045 1001b8ca GetCurrentThread 62044->62045 62045->62036 62046->61932 62047->61962 62049 1001b3c0 sprintf 62048->62049 62050 1001b188 62048->62050 62049->61971 62051 100174c0 3 API calls 62050->62051 62052 1001b213 62051->62052 62053 100174c0 3 API calls 62052->62053 62054 1001b26c 62053->62054 62055 100174c0 3 API calls 62054->62055 62056 1001b2b6 62055->62056 62057 100174c0 3 API calls 62056->62057 62059 1001b2f9 62057->62059 62058 1001b3b9 CloseHandle 62058->62049 62059->62049 62059->62058 62060->61954 62061->61933 62063 100126e2 62062->62063 62064 100127c9 62062->62064 62066 100127a3 62063->62066 62067 100126e9 62063->62067 62068 1001277b 62063->62068 62069 1001270c RegOpenKeyExA 62063->62069 62077 100127f4 RegCloseKey RegCloseKey 
62064->62077 62066->62064 62075 100127bb RegDeleteValueA 62066->62075 62067->62064 62067->62069 62068->62064 62074 10012793 RegDeleteKeyA 62068->62074 62069->62064 62070 10012728 62069->62070 62070->62064 62072 10012759 RegSetValueExA 62070->62072 62073 10012738 62070->62073 62071 100127e0 62071->61986 62072->62064 62073->62064 62076 10012741 RegSetValueExA 62073->62076 62074->62064 62075->62064 62076->62064 62077->62071 62079 100174c0 3 API calls 62078->62079 62080 1001b054 62079->62080 62081 100174c0 3 API calls 62080->62081 62083 1001b0f8 62081->62083 62082 1001b161 CopyFileA 62082->62015 62083->62082 62084 1001b147 PathFileExistsA 62083->62084 62084->62083 62086 1000e70b GetVersionExA 62085->62086 62086->62017 62087 42e5e6 __set_app_type __p__fmode __p__commode 62088 42e655 62087->62088 62089 42e669 62088->62089 62090 42e65d __setusermatherr 62088->62090 62099 42e7ac _controlfp 62089->62099 62090->62089 62092 42e66e _initterm __getmainargs _initterm 62093 42e6c2 GetStartupInfoA 62092->62093 62095 42e6f6 GetModuleHandleA 62093->62095 62100 402980 62095->62100 62099->62092 62103 402910 62100->62103 62104 402927 62103->62104 62115 401e20 _CxxThrowException _CxxThrowException 62104->62115 62106 402931 62112 402952 exit _XcptFilter 62106->62112 62118 401c40 _CxxThrowException 62106->62118 62108 402945 62109 40294c 62108->62109 62111 402959 62108->62111 62119 401ae0 _CxxThrowException _CxxThrowException 62109->62119 62120 401ae0 _CxxThrowException _CxxThrowException 62111->62120 62114 402975 ExitProcess 62116 401eae VirtualAlloc 62115->62116 62117 401e8f 62115->62117 62116->62106 62117->62106 62118->62108 62119->62112 62120->62114 62121 402756 62122 40267a 62121->62122 62123 402686 _CxxThrowException 62122->62123 62126 402777 62122->62126 62124 4026c8 _CxxThrowException GetProcAddress 62123->62124 62125 4026ad GetProcAddress 62123->62125 62127 413fb7 62128 413fc1 ctype 62127->62128 62168 414bac 62128->62168 62132 413ff5 62133 414018 RtlInitializeCriticalSection 
62132->62133 62174 4190c7 9 API calls ctype 62132->62174 62136 41403c strlen 62133->62136 62137 414056 62136->62137 62138 414088 strlen 62137->62138 62139 4140a2 62138->62139 62140 4140d4 strlen 62139->62140 62141 4140ee 62140->62141 62142 414120 strlen 62141->62142 62143 41413a 62142->62143 62144 41416c strlen 62143->62144 62145 414186 62144->62145 62146 4141b8 strlen 62145->62146 62147 4141d2 62146->62147 62148 414204 strlen 62147->62148 62149 41421e 62148->62149 62150 414250 strlen 62149->62150 62151 41426a 62150->62151 62152 41429c strlen 62151->62152 62153 4142b6 62152->62153 62154 4142e8 strlen 62153->62154 62155 414302 62154->62155 62156 414334 strlen 62155->62156 62157 41434e 62156->62157 62158 414380 strlen 62157->62158 62159 41439a 62158->62159 62160 4143cc strlen 62159->62160 62161 4143e6 62160->62161 62162 414418 strlen 62161->62162 62163 414432 62162->62163 62164 414464 strlen 62163->62164 62165 41447e 62164->62165 62166 4144b0 strlen 62165->62166 62167 4144c7 62166->62167 62175 413c7a 62168->62175 62170 413fdf 62171 414c23 62170->62171 62179 41504f 62171->62179 62173 414c43 62173->62132 62174->62133 62176 42e232 62175->62176 62177 413c8b 6E7D92A0 62176->62177 62178 413cae 62177->62178 62178->62170 62180 42e232 62179->62180 62181 415060 6E7D92A0 62180->62181 62182 415083 62181->62182 62182->62173 62183 401f78 _CxxThrowException VirtualAlloc 62184 41538a 62185 41538f 62184->62185 62188 42e57c _onexit __dllonexit 62185->62188 62187 4153a8 62188->62187 62189 40212b 62194 402540 62189->62194 62191 40213b _CxxThrowException 62202 4023a0 62191->62202 62193 402163 62195 402583 IsBadReadPtr 62194->62195 62196 40278f 62194->62196 62195->62196 62197 40259b 62195->62197 62196->62191 62197->62196 62198 4025a6 LoadLibraryA 62197->62198 62198->62196 62199 4025bb _CxxThrowException 62198->62199 62209 401a30 _CxxThrowException GetProcessHeap RtlReAllocateHeap GetProcessHeap RtlAllocateHeap 62199->62209 62201 4025ee 62201->62191 62207 4023da 62202->62207 62203 402521 
62203->62193 62204 40240f _CxxThrowException VirtualFree 62204->62193 62205 402470 _CxxThrowException 62208 402496 62205->62208 62206 4024ca _CxxThrowException VirtualProtect 62206->62193 62207->62203 62207->62204 62207->62205 62207->62206 62208->62193 62209->62201 62210 40208f _CxxThrowException 62213 402200 62210->62213 62212 4020bc 62214 402253 62213->62214 62215 402387 62213->62215 62216 4022ba _CxxThrowException VirtualAlloc 62214->62216 62217 40225d _CxxThrowException 62214->62217 62215->62212 62216->62212 62218 402283 VirtualAlloc 62217->62218 62219 4022b4 62217->62219 62218->62219 62219->62212

                                                      Control-flow Graph

                                                      APIs
                                                      • #823.MFC42(00000849), ref: 1001B93F
                                                      • lstrcpyA.KERNEL32(facai7777777.ydns.eu,00000000), ref: 1001B966
                                                      • lstrcpyA.KERNEL32(1011933C,0000012C), ref: 1001B974
                                                      • lstrcpyA.KERNEL32(6gkIBfkS+qY=,00000260), ref: 1001B982
                                                      • lstrcpyA.KERNEL32(tdC2pg==,00000292), ref: 1001B990
                                                      • lstrcpyA.KERNEL32(Gwogwo Hxpgx,000002B2), ref: 1001B99E
                                                      • lstrcpyA.KERNEL32(Dtldtl Dumdumdu Mevmevme Vnfv,00000316), ref: 1001B9AC
                                                      • lstrcpyA.KERNEL32(Jbrjarja Skbsjbsjb Tkcskcs Ldtlctlc Umd,00000396), ref: 1001B9BA
                                                      • lstrcpyA.KERNEL32(4dc4196b5e701ca70204bacb05351f42,00000496), ref: 1001B9C8
                                                      • lstrcpyA.KERNEL32(C:\Windows\System32,000005A8), ref: 1001B9D6
                                                      • lstrcpyA.KERNEL32(Gwogw.exe,0000060C), ref: 1001B9E4
                                                      • lstrcpyA.KERNEL32(10119858,00000648), ref: 1001B9F2
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetCurrentThreadId.KERNEL32 ref: 1001C2AE
                                                      • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001C2B5
                                                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001C2D3
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001C2E7
                                                      • GetCommandLineA.KERNEL32 ref: 1001C311
                                                      • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001C393
                                                      • GetLastError.KERNEL32 ref: 1001C3A2
                                                      • strstr.MSVCRT ref: 1001C437
                                                      • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001C44C
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001C496
                                                      • OpenServiceA.ADVAPI32(00000000,Gwogwo Hxpgx,00000010), ref: 1001C4AA
                                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001C4BF
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4CC
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4CF
                                                      • ExitProcess.KERNEL32 ref: 1001C4D7
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4DD
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4E0
                                                      • ExitProcess.KERNEL32 ref: 1001C577
                                                      • sprintf.MSVCRT ref: 1001C542
                                                        • Part of subcall function 1001ADE0: sprintf.MSVCRT ref: 1001AE64
                                                        • Part of subcall function 1001ADE0: GetLocalTime.KERNEL32(?,C:\Windows\System32,00000000,0000005C), ref: 1001AE6E
                                                        • Part of subcall function 1001ADE0: sprintf.MSVCRT ref: 1001AF37
                                                      • Sleep.KERNEL32(00000032), ref: 1001C4EA
                                                        • Part of subcall function 1001B8F0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,76230F00,1001C7E6,?,?,?,?,?,?,?), ref: 1001B90F
                                                        • Part of subcall function 1001B8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,76230F00,1001C7E6,?,?,?,?,?,?,?), ref: 1001B916
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$HandleService$Close$sprintf$DescriptorExitOpenProcessSecuritySleepThread$#823AddressCommandCreateCurrentDaclErrorInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                      • String ID: -acsi$%$%$%$%$%$%$.$.$2$2$2$2$3$3$4dc4196b5e701ca70204bacb05351f42$6gkIBfkS+qY=$A$A$A$A$A$A$A$A$A$A$A$A$C$C$C:\Windows\System32$D$D$D$D$D$Dtldtl Dumdumdu Mevmevme Vnfv$E$E$E$E$F$F$F$F$G$G$G$G$Global\$Gwogw.exe$Gwogwo Hxpgx$I$I$Jbrjarja Skbsjbsjb Tkcskcs Ldtlctlc Umd$K$L$L$M$N$P$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$b$c$c$c$c$c$d$d$d$f$facai7777777.ydns.eu$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$o$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$tdC2pg==$u$u$u$v$v$v$x$y
                                                      • API String ID: 3275504268-3299725973
                                                      • Opcode ID: 503f56dd72a0c8a3df4a9527f030af99ff345cade637ec78b7372c87602c9a60
                                                      • Instruction ID: 4729a06a843d4a853779523488982e29edf389ca73e8cd5225b1597df72c3c7d
                                                      • Opcode Fuzzy Hash: 503f56dd72a0c8a3df4a9527f030af99ff345cade637ec78b7372c87602c9a60
                                                      • Instruction Fuzzy Hash: A982E57050C3C0DEE332C7288858BDBBFD59BA6708F48499DE5CC4A292D7BA5648C767

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001CE4B
                                                      • _strnicmp.MSVCRT ref: 1001CE69
                                                      • CopyFileA.KERNEL32(00000000,?,00000000), ref: 1001CE89
                                                      • SetFileAttributesA.KERNELBASE(?,00000007,00000000,?), ref: 1001CEC4
                                                      • Sleep.KERNELBASE(00000032), ref: 1001CEC9
                                                      • GetVersionExA.KERNEL32(00000094,00000000, -auto), ref: 1001CF38
                                                      • UnlockServiceDatabase.ADVAPI32(00000000), ref: 1001CFC1
                                                      • GetLastError.KERNEL32 ref: 1001CFD4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Module$AddressAttributesCopyDatabaseErrorHandleLastLibraryLoadNameProcServiceSleepUnlockVersion_strnicmp
                                                      • String ID: -auto$.$2$2$3$A$A$A$A$A$A$A$A$ADVAPI32.dll$C$C$C$C$Chang$Chang$Clos$CopyFil$D$D$H$Jbrjarja Skbsjbsjb Tkcskcs Ldtlctlc Umd$K$L$LockS$M$N$O$O$R$S$S$S$S$S$S$SitbsCFAK$StartS$UnlockS$a$a$a$a$a$a$a$a$a$a$b$b$b$c$c$c$c$c$c$c$c$d$d$f$f$g$g$g$i$i$i$i$i$i$i$i$i$i$i$l$l$l$n$n$n$n$n$n$o$o$p$p$r$r$r$r$r$r$r$r$r$r$r$s$s$s$t$t$t$t$t$u$v$v$v$v$v$v$v$v
                                                      • API String ID: 4004796254-3932788928
                                                      • Opcode ID: 41b448118872cf4df2018b4792d5c3518493019a34d40c417a0b123badb124cb
                                                      • Instruction ID: 4802eeb0dfbe738a5f4dcde43ed63972d96c482d6f1e9d276882437cb30f2c40
                                                      • Opcode Fuzzy Hash: 41b448118872cf4df2018b4792d5c3518493019a34d40c417a0b123badb124cb
                                                      • Instruction Fuzzy Hash: 2842CD61C093D8D9EB22C768C8487DDBFB55B26704F0841D9D18C7B282D7BA1B98CB76

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001B6EE
                                                      • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 1001B711
                                                      • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001B72D
                                                      • SetFileAttributesA.KERNELBASE(?,00000080), ref: 1001B748
                                                      • GetCurrentProcess.KERNEL32 ref: 1001B849
                                                      • SetPriorityClass.KERNELBASE(00000000), ref: 1001B84C
                                                      • GetCurrentThread.KERNEL32 ref: 1001B850
                                                      • SetThreadPriority.KERNELBASE(00000000), ref: 1001B85E
                                                      • SetPriorityClass.KERNELBASE(?,00000040), ref: 1001B89B
                                                      • SetThreadPriority.KERNELBASE(?,000000F1), ref: 1001B8A7
                                                      • ResumeThread.KERNELBASE(?), ref: 1001B8B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: PriorityThread$ClassCurrentFileModuleName$AddressAttributesEnvironmentHandleLibraryLoadPathProcProcessResumeShortVariable
                                                      • String ID: > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                      • API String ID: 3480704365-781074451
                                                      • Opcode ID: 329a94c1e572e74aebc65122b7594ba6b706aed9e1d612365e75d7971ce457ce
                                                      • Instruction ID: 77738a481cd3c4f24fd6555acfc2c99f2e744f9c495b87a6833c212d371d7524
                                                      • Opcode Fuzzy Hash: 329a94c1e572e74aebc65122b7594ba6b706aed9e1d612365e75d7971ce457ce
                                                      • Instruction Fuzzy Hash: A0E1192150C7C0C9E322C6788848B9BFFD56BE2748F08499DE1D88B292D7FA9548C777

                                                      Control-flow Graph

                                                      control_flow_graph 160 1001afb0-1001b12d call 100174c0 * 2 call 1000e730 167 1001b161-1001b16b 160->167 168 1001b12f-1001b133 160->168 169 1001b135-1001b150 call 1000e6b0 PathFileExistsA 168->169 170 1001b15c-1001b15f 168->170 169->170 173 1001b152-1001b157 169->173 170->167 170->168 173->170
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • PathFileExistsA.KERNELBASE(00000000,?,?,00000000,?), ref: 1001B14C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressExistsFileHandleLibraryLoadModulePathProc
                                                      • String ID: .$.$2$3$A$A$A$C$D$E$E$E$F$H$I$K$L$L$N$R$S$W$a$c$d$d$e$e$e$e$h$i$i$i$o$t$t$t$t$x$y
                                                      • API String ID: 1765864004-1881745975
                                                      • Opcode ID: 436c4d23455f82f41a04e37c438138b1eae2ebab51aea2d57e0ce95fb02d506e
                                                      • Instruction ID: 046268b75d8f78fc0c96c06f073ecb20ce0c88ef1cfc24b9e7c28d8443e39428
                                                      • Opcode Fuzzy Hash: 436c4d23455f82f41a04e37c438138b1eae2ebab51aea2d57e0ce95fb02d506e
                                                      • Instruction Fuzzy Hash: 0F51F46100C3C0DDE342C6A8948874BFFD55BA6748F48198DF2C85A282C6FA8648C77B

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strlen$CriticalInitializeSection
                                                      • String ID: AfxControlBar42$AfxControlBar42d$AfxControlBar42s$AfxControlBar42sd$Button$CheckBox$ComboBox$Edit$GroupBox$ListBox$RICHEDIT$Radio$ScrollBar$Static$SysHeader32$SysIPAddress32$SysListView32$SysTabControl32$SysTreeView32$ToolbarWindow32$msctls_progress32$msctls_statusbar32$msctls_trackbar32$msctls_updown32
                                                      • API String ID: 2255945060-367951124
                                                      • Opcode ID: b87b338db5ab673f7befd019e904e5285036f30d67ba2a29bdde4d0279ead741
                                                      • Instruction ID: 00c98e55d0c483bded8c1c3ce031353021d97a86c52803634a0d96673c457a76
                                                      • Opcode Fuzzy Hash: b87b338db5ab673f7befd019e904e5285036f30d67ba2a29bdde4d0279ead741
                                                      • Instruction Fuzzy Hash: 57224E75D41149EFCB01EBE9D8589EDBFB8FF69304F04805AE862B32A1DA741608CB75

                                                      Control-flow Graph

                                                      control_flow_graph 300 1001ade0-1001afa0 sprintf GetLocalTime sprintf call 10012640
                                                      APIs
                                                      • sprintf.MSVCRT ref: 1001AE64
                                                      • GetLocalTime.KERNEL32(?,C:\Windows\System32,00000000,0000005C), ref: 1001AE6E
                                                      • sprintf.MSVCRT ref: 1001AF37
                                                        • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000052,?,75C25200), ref: 100126B0
                                                        • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126B9
                                                        • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 100126C7
                                                        • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126CA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProcsprintf$LocalTime
                                                      • String ID: $-$-$.$.$.$4$:$C:\Windows\System32$E$M$M$T$T$Y$\$a$c$e$e$e$i$k$l$m$r$t
                                                      • API String ID: 2604304044-3095597531
                                                      • Opcode ID: 7cb713d820791786441dba3693f361c45ceaed92fbda2c82666f99e8d3bb9d2b
                                                      • Instruction ID: d4881655038f562d2b84cdb29e23f6decd8bb3f1685fa715dee65007e2aec028
                                                      • Opcode Fuzzy Hash: 7cb713d820791786441dba3693f361c45ceaed92fbda2c82666f99e8d3bb9d2b
                                                      • Instruction Fuzzy Hash: A851392200D7C0EDE352C628C88479FBFE55FE6208F48199DF2D45B282C6AA964CC767

                                                      Control-flow Graph

                                                      control_flow_graph 303 10012640-100126dc LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 304 100126e2 303->304 305 100127d4-100127f3 call 100127f4 303->305 307 100127a3-100127b9 304->307 308 100126e9-10012706 304->308 309 1001277b-10012791 304->309 310 1001270c-10012722 RegOpenKeyExA 304->310 307->305 320 100127bb-100127c3 RegDeleteValueA 307->320 308->305 308->310 309->305 319 10012793-100127a1 RegDeleteKeyA 309->319 310->305 311 10012728-1001272d 310->311 311->305 314 10012733-10012736 311->314 317 10012759-10012779 RegSetValueExA 314->317 318 10012738-1001273b 314->318 321 100127c9-100127cb 317->321 318->305 322 10012741-10012757 RegSetValueExA 318->322 319->321 320->321 321->305 323 100127cd 321->323 322->321 323->305
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ADVAPI32.dll,00000052,?,75C25200), ref: 100126B0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100126B9
                                                      • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 100126C7
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100126CA
                                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F,?), ref: 1001271E
                                                      • RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,ExA,?), ref: 10012751
                                                      • RegSetValueExA.KERNELBASE(?,?,00000000,?,?), ref: 10012773
                                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 1001279B
                                                      • RegDeleteValueA.ADVAPI32(?,?), ref: 100127C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Value$AddressDeleteLibraryLoadProc$Open
                                                      • String ID: A$ADVAPI32.dll$C$E$ExA$K$R$RegOpenKeyExA$a$g$r$t$x$y
                                                      • API String ID: 873986947-3011049038
                                                      • Opcode ID: 77534a93ddec386df72c1b7c9f78f243ce87496364d24cf933bc3a61290b0745
                                                      • Instruction ID: b96986457da0ffe49213d20747a76f6beefbe8ccc0a3bc17253899883c9551e7
                                                      • Opcode Fuzzy Hash: 77534a93ddec386df72c1b7c9f78f243ce87496364d24cf933bc3a61290b0745
                                                      • Instruction Fuzzy Hash: 79518FB5908289EBDB04DBA9CC44EEFBBB9EF99750F148109FA14A7281C7749D44CB70

                                                      Control-flow Graph

                                                      control_flow_graph 324 42e5e6-42e65b __set_app_type __p__fmode __p__commode call 42e7be 327 42e669-42e6c0 call 42e7ac _initterm __getmainargs _initterm 324->327 328 42e65d-42e668 __setusermatherr 324->328 331 42e6c2-42e6ca 327->331 332 42e6fc-42e6ff 327->332 328->327 333 42e6d0-42e6d3 331->333 334 42e6cc-42e6ce 331->334 335 42e701-42e705 332->335 336 42e6d9-42e6dd 332->336 333->336 337 42e6d5-42e6d6 333->337 334->331 334->333 335->332 338 42e6e3-42e6f4 GetStartupInfoA 336->338 339 42e6df-42e6e1 336->339 337->336 340 42e6f6-42e6fa 338->340 341 42e707-42e709 338->341 339->337 339->338 342 42e70a-42e715 GetModuleHandleA call 402980 340->342 341->342 344 42e71a-42e737 exit _XcptFilter 342->344
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: 3b01bb61390a7f068aac1e390ad55644e5b8f96522d8c10f0419a85f34143723
                                                      • Instruction ID: 831573811de066e66468c9828c555310251336dfc76f34df2fc453a3a56cd33d
                                                      • Opcode Fuzzy Hash: 3b01bb61390a7f068aac1e390ad55644e5b8f96522d8c10f0419a85f34143723
                                                      • Instruction Fuzzy Hash: 5E41D475A00314AFDB209FA5EC45AAA7FB8FB59710FA0152FF486973A1D7784840DF18

                                                      Control-flow Graph

                                                      control_flow_graph 345 4023a0-4023d7 346 4023da-4023ea 345->346 347 4023f0-40240d 346->347 348 402521-402531 346->348 349 402447-40245c 347->349 350 40240f-402446 _CxxThrowException VirtualFree 347->350 351 402466-40246e 349->351 352 40245e-402463 349->352 353 402470-402494 _CxxThrowException 351->353 354 4024c8 351->354 352->351 355 402496-4024a6 353->355 356 4024a7-4024a9 353->356 357 4024ca-402504 _CxxThrowException VirtualProtect 354->357 358 40250c-40251c 354->358 359 4024b6-4024bb 356->359 360 4024ab-4024b3 356->360 358->346 360->359
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402426
                                                      • VirtualFree.KERNELBASE(?,?,00004000,?,00433FF0), ref: 0040243B
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402487
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrow$FreeVirtual
                                                      • String ID: K
                                                      • API String ID: 3998351626-856455061
                                                      • Opcode ID: 3715c76d354021c84da80a0e236b7f17a3717ceceeadc29b2d97deebac014df3
                                                      • Instruction ID: 708ea4e40b6f5593efabd32f380eb32f7d0a98514096900dbb32eccae7919db9
                                                      • Opcode Fuzzy Hash: 3715c76d354021c84da80a0e236b7f17a3717ceceeadc29b2d97deebac014df3
                                                      • Instruction Fuzzy Hash: 20415DB4A002099FDB04CF98D995BAEB7F4FB8C704F508169E505BB391D7B8E941CBA4

                                                      Control-flow Graph

                                                      APIs
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001C45F,Gwogwo Hxpgx,?,?,?,?,?,?,?,?), ref: 1001C807
                                                      • OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001C820
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001C82B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: OpenService$CloseHandleManager
                                                      • String ID: C:\Windows\System32
                                                      • API String ID: 4136619037-1441273298
                                                      • Opcode ID: eea1aced03f63d53cb26b01f7481a1c7ad30fdb102424cd1360a599640cb637d
                                                      • Instruction ID: 89dad568626105033b8be56fbba20cb3873e5265ca27385a4adced4ebad23dbb
                                                      • Opcode Fuzzy Hash: eea1aced03f63d53cb26b01f7481a1c7ad30fdb102424cd1360a599640cb637d
                                                      • Instruction Fuzzy Hash: D3E0923625423167E2217769BCC9FCB6798DF90B51F174111FA00DA150C674D88249A0

                                                      Control-flow Graph

                                                      • Blocks: 366 402200-40224d; 367 402253-40225b; 368 402387-402397; 369 4022ba-4022fb (_CxxThrowException, VirtualAlloc); 370 40225d-402281 (_CxxThrowException); 371 402283-4022b2 (VirtualAlloc); 372 4022b4-4022b9
                                                      • Edges: 366->367, 366->368, 367->369, 367->370, 370->371, 370->372, 371->372
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402274
                                                      • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,00433FF0), ref: 00402297
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 004022D1
                                                      • VirtualAlloc.KERNELBASE(?,?,00001000,00000004,?,00433FF0), ref: 004022ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocExceptionThrowVirtual
                                                      • String ID: 6$C
                                                      • API String ID: 3425318283-3248140732
                                                      • Opcode ID: 9113aa268865baca619c056de8582441db3b31ab3d398adf5188c19f80793f19
                                                      • Instruction ID: aad3e45907c2a664e8b1c4f2789cc695d6cfd1b226352eed6aedc63c0127d8ab
                                                      • Opcode Fuzzy Hash: 9113aa268865baca619c056de8582441db3b31ab3d398adf5188c19f80793f19
                                                      • Instruction Fuzzy Hash: 723190B1A002099FCB04CF98C995BAEB7F5FB8C714F54806DE505AB381D7799D41CB94

                                                      Control-flow Graph

                                                      • Blocks: 373 40266e-402680; 375 402686-4026ab (_CxxThrowException); 376 402777-40277c; 377 4026c8-402703 (_CxxThrowException, GetProcAddress); 378 4026ad-4026c7 (GetProcAddress); 379 40277e-402787; 380 40278f-4027a1
                                                      • Edges: 373->375, 373->376, 375->377, 375->378, 376->379, 376->380, 379->380
                                                      APIs
                                                      • _CxxThrowException.MSVCRT ref: 00402699
                                                      • GetProcAddress.KERNEL32(?,?), ref: 004026B7
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 004026DC
                                                      • GetProcAddress.KERNELBASE(?,-00000002), ref: 004026F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressExceptionProcThrow
                                                      • String ID: B
                                                      • API String ID: 1650999230-1255198513
                                                      • Opcode ID: 4f30eb7ed5eba9d3cb1322a34b15fe36a787efa1ee8778cc759e6656455dc699
                                                      • Instruction ID: c072cb752d8a49b0e2eb75cb325df67642e689e35765de24614f9fb31094a121
                                                      • Opcode Fuzzy Hash: 4f30eb7ed5eba9d3cb1322a34b15fe36a787efa1ee8778cc759e6656455dc699
                                                      • Instruction Fuzzy Hash: A8214AB5A11209DFCB00CF98D945BAEB7B5FF48310F644569E804B7390D779AD01CB68

                                                      Control-flow Graph

                                                      • Blocks: 381 401e20-401e8d (_CxxThrowException * 2); 382 401eae-401ecb (VirtualAlloc); 383 401e8f-401e94
                                                      • Edges: 381->382, 381->383
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401E58
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401E7F
                                                      • VirtualAlloc.KERNELBASE(?,?,00002000,00000004,?,00433FF0,?,00433FF0), ref: 00401EBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrow$AllocVirtual
                                                      • String ID: ?
                                                      • API String ID: 4101260073-1684325040
                                                      • Opcode ID: a0bc85927d1f3f8975393880a6b9e4762a9a9ce7bfefe0768754d87b8181cee5
                                                      • Instruction ID: df0520f19b711d36b70f3a22692e0632b33185e0b7c69020f9ddf3b614ab0de0
                                                      • Opcode Fuzzy Hash: a0bc85927d1f3f8975393880a6b9e4762a9a9ce7bfefe0768754d87b8181cee5
                                                      • Instruction Fuzzy Hash: AC0161B4A00245AFDB00DF89CC45BAE7BB8EB48714F504169F514A73D5C3BC9A00CBA8

                                                      Control-flow Graph

                                                      • Blocks: 384 402540-40257d; 385 402583-402595 (IsBadReadPtr); 386 40278f-4027a1; 387 40259b-4025a0; 388 4025a6-4025b5 (LoadLibraryA); 389 4025bb-4025f9 (_CxxThrowException, call 401a30)
                                                      • Edges: 384->385, 384->386, 385->386, 385->387, 387->386, 387->388, 388->386, 388->389
                                                      APIs
                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040258D
                                                      • LoadLibraryA.KERNELBASE(?,?,00000014), ref: 004025A9
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 004025D2
                                                        • Part of subcall function 00401A30: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401A68
                                                        • Part of subcall function 00401A30: GetProcessHeap.KERNEL32(00000000,?,?,?,00433FF0), ref: 00401A7B
                                                        • Part of subcall function 00401A30: RtlReAllocateHeap.NTDLL(00000000), ref: 00401A82
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionHeapThrow$AllocateLibraryLoadProcessRead
                                                      • String ID:
                                                      • API String ID: 2326399642-0
                                                      • Opcode ID: ac05da26f77c22fb4808dd9bb5dd4cf22b9ca82674480c2919fab97b64cde803
                                                      • Instruction ID: 37f21ad5bce61c12dd3da3664f8bdff5104442cf76c4d88ec9cd0358858a0c3f
                                                      • Opcode Fuzzy Hash: ac05da26f77c22fb4808dd9bb5dd4cf22b9ca82674480c2919fab97b64cde803
                                                      • Instruction Fuzzy Hash: A3219071A006199FCB10DF95C944B9EBBF8FF48724F54862AE819A7790D378A900CBD4

                                                      Control-flow Graph

                                                      • Blocks: 392 402505; 393 40250c-40251c; 395 4023f0-40240d; 396 402521-402531; 397 402447-40245c; 398 40240f-402446 (_CxxThrowException, VirtualFree); 399 402466-40246e; 400 40245e-402463; 401 402470-402494 (_CxxThrowException); 402 4024c8; 403 402496-4024a6; 404 4024a7-4024a9; 405 4024ca-402504 (_CxxThrowException, VirtualProtect); 406 4024b6-4024bb; 407 4024ab-4024b3
                                                      • Edges: 392->393, 393->395, 393->396, 395->397, 395->398, 397->399, 397->400, 399->401, 399->402, 400->399, 401->403, 401->404, 402->393, 402->405, 404->406, 404->407, 407->406
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402426
                                                      • VirtualFree.KERNELBASE(?,?,00004000,?,00433FF0), ref: 0040243B
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402487
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrow$FreeVirtual
                                                      • String ID: K
                                                      • API String ID: 3998351626-856455061
                                                      • Opcode ID: e6258c4037700921decb4fef216053c88ac1b3fa07dd7148181146b3a2518f48
                                                      • Instruction ID: d10db3db62904dcbefce90fd84f6612e54e27c0527396cf1ee7e04b33e006028
                                                      • Opcode Fuzzy Hash: e6258c4037700921decb4fef216053c88ac1b3fa07dd7148181146b3a2518f48
                                                      • Instruction Fuzzy Hash: 70015E71A016059BCB04CF94DA99A9EB3F1FB8C300F658258E505BB3D5D3B89D41CB58
                                                      APIs
                                                        • Part of subcall function 00401E20: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401E58
                                                        • Part of subcall function 00401E20: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401E7F
                                                        • Part of subcall function 00401C40: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401C90
                                                      • ExitProcess.KERNEL32 ref: 0040297A
                                                        • Part of subcall function 00401AE0: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401B23
                                                        • Part of subcall function 00401AE0: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00401B49
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrow$ExitProcess
                                                      • String ID: facai7777777.ydns.eu
                                                      • API String ID: 2148667458-341305268
                                                      • Opcode ID: ffa862409b5ac389f78c145be06a9823bca1f66ab7ae3c99e3c02bd47aa8f95b
                                                      • Instruction ID: dade8d63e8c797dbf485ceffae5814304898e4df764bbc86db5da62167c75b3f
                                                      • Opcode Fuzzy Hash: ffa862409b5ac389f78c145be06a9823bca1f66ab7ae3c99e3c02bd47aa8f95b
                                                      • Instruction Fuzzy Hash: 07F0AEB674030153F60031B56E87B7F165C9750399F041436FD59661C3E9FD881442FA
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402426
                                                      • VirtualFree.KERNELBASE(?,?,00004000,?,00433FF0), ref: 0040243B
                                                      • _CxxThrowException.MSVCRT(?,00433FF0), ref: 004024E1
                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,00433FF0), ref: 004024F9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrowVirtual$FreeProtect
                                                      • String ID:
                                                      • API String ID: 821192002-0
                                                      • Opcode ID: 1b290832201d10b221f5e68adb0d3fda576c5b5c6469b0f2a7367977b48eecb3
                                                      • Instruction ID: 83f841d19bca34cd1e3d56a199f6be6398d2cba82b5f7e911ead1574a83926e6
                                                      • Opcode Fuzzy Hash: 1b290832201d10b221f5e68adb0d3fda576c5b5c6469b0f2a7367977b48eecb3
                                                      • Instruction Fuzzy Hash: F6F01CB4900206AFCB00CF94C988EAEB7B4AB4C310F508259F520A3390D3789901CF28
                                                      APIs
                                                      • _CxxThrowException.MSVCRT ref: 004020A6
                                                        • Part of subcall function 00402200: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402274
                                                        • Part of subcall function 00402200: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,00433FF0), ref: 00402297
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionThrow$AllocVirtual
                                                      • String ID: H
                                                      • API String ID: 4101260073-2852464175
                                                      • Opcode ID: f0594565140f910f9687b93b2fa17bc5accf5cb6e1ac5f827886efc01fd6fd8e
                                                      • Instruction ID: a768531fe93d99fe9d6cc1dadbf3ce441c10c58697eacb079d2619b7a1741d6b
                                                      • Opcode Fuzzy Hash: f0594565140f910f9687b93b2fa17bc5accf5cb6e1ac5f827886efc01fd6fd8e
                                                      • Instruction Fuzzy Hash: DCD012F8D10109AFDB00DFC4C88AA9EBB78EF88304F508019F504A7385D7BCA9459768
APIs
• RegCloseKey.ADVAPI32(?,100127E0), ref: 100127FE
• RegCloseKey.ADVAPI32(?), ref: 10012804
Memory Dump Source
• Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_file.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 5037355289842a879d909204d8e235da43b60b1652dc9f4149da4c16f053cc26
• Instruction ID: 03969ba57757726cb8eb669cb116290a9a0a36e733efc5404f112d144901f945
• Opcode Fuzzy Hash: 5037355289842a879d909204d8e235da43b60b1652dc9f4149da4c16f053cc26
• Instruction Fuzzy Hash: 6CB09276D21028ABCF00EBA8EC8088E7BB9AF8C6407218142B904A3124C630AD418FD0
APIs
• _CxxThrowException.MSVCRT ref: 00401F8F
• VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 00401FA6
Memory Dump Source
• Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocExceptionThrowVirtual
• String ID:
• API String ID: 3425318283-0
• Opcode ID: 9b6e0bda867468a99790ebd4577de388cdcb608d6ab7713dcf9552cde6141cd4
• Instruction ID: 0e93c14c14012d522b9df52bc154573d7348e2a227f92bec943366c84e3b27a9
• Opcode Fuzzy Hash: 9b6e0bda867468a99790ebd4577de388cdcb608d6ab7713dcf9552cde6141cd4
• Instruction Fuzzy Hash: E8E0ECB4A51205AFDB00DBC0D999F9EB771AB88705F508159B6006B294D7B869419B14
APIs
  • Part of subcall function 00402540: IsBadReadPtr.KERNEL32(?,00000014), ref: 0040258D
  • Part of subcall function 00402540: LoadLibraryA.KERNELBASE(?,?,00000014), ref: 004025A9
  • Part of subcall function 00402540: _CxxThrowException.MSVCRT(?,00433FF0), ref: 004025D2
• _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402155
  • Part of subcall function 004023A0: _CxxThrowException.MSVCRT(?,00433FF0), ref: 00402426
  • Part of subcall function 004023A0: VirtualFree.KERNELBASE(?,?,00004000,?,00433FF0), ref: 0040243B
Memory Dump Source
• Source File: 00000000.00000002.2094364938.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2094348261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000050D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000051F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000055F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000056B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094364938.000000000057D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094549498.0000000000582000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2094565279.0000000000583000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionThrow$FreeLibraryLoadReadVirtual
• String ID:
• API String ID: 2623247387-0
• Opcode ID: e21b50290a27d96abc811f8233c3d11c683ce773cc61e13a0fc473bb0faa7caa
• Instruction ID: 3a82440007b512ff92be7b0c831a0c4acf767f0f40fc828738bec38690f777eb
• Opcode Fuzzy Hash: e21b50290a27d96abc811f8233c3d11c683ce773cc61e13a0fc473bb0faa7caa
• Instruction Fuzzy Hash: 17E086F4D00205A7DB00EFE0D90AA9E77309B00318FA08129B511773C5D77D9B089795
APIs
  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
• malloc.MSVCRT ref: 1000B2AD
• SetEvent.KERNEL32(?,00000000,?,00000001,?), ref: 1000B2CE
• GetUserNameA.ADVAPI32 ref: 1000B2EF
• _stricmp.MSVCRT(?,SYSTEM), ref: 1000B302
• Sleep.KERNEL32(00000064,?,?,?), ref: 1000B321
• sprintf.MSVCRT ref: 1000B37F
• sprintf.MSVCRT ref: 1000B3E7
• sprintf.MSVCRT ref: 1000B442
• free.MSVCRT ref: 1000B477
• strstr.MSVCRT ref: 1000B4E4
• strstr.MSVCRT ref: 1000B4FA
• lstrcatA.KERNEL32(?,100F54AC,?,?,?,?,?,?,?,?,?,?), ref: 1000B516
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B525
• lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 1000B52F
• _stricmp.MSVCRT ref: 1000B580
• free.MSVCRT ref: 1000B5A2
• free.MSVCRT ref: 1000B5CE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 1000B61E
• free.MSVCRT ref: 1000B629
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 1000B64D
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 1000B657
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 1000B662
• free.MSVCRT ref: 1000B669
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_file.jbxd
Yara matches
Similarity
• API ID: Handlefree$Close$sprintf$_stricmplstrcatstrstr$AddressEventLibraryLoadModuleNameProcSleepUserlstrcpymalloc
• String ID: "%1$%s\shell\open\command$%s_Classes\%s\shell\open\command$.$.$.23I$2$2$2$3$3$3$A$A$A$A$A$A$A$Applications\iexplore.exe$C$C$C$D$D$E$E$I$I$I$K$K$KKlR$L$P$P$P$Q$R$S$S$S$S$SYSTEM$T$T$T$U$U$V$V$W$W$a$a$c$d$d$d$g$http$k$l$l$l$l$l$l$l$n$n$n$n$o$o$o$o$o$o$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$t$u$u$u$x$y$y$y$y
• API String ID: 3446875266-3039882876
• Opcode ID: 082eaf7526481b414ad097e718aee89b3ad02fb1ec2d6aed9c7ad1ce3e7240a1
• Instruction ID: 0faacbec1c7fdd0b20a5b88dd0f6c083d86ee491b8c06e7646e8cc3a6edf0604
• Opcode Fuzzy Hash: 082eaf7526481b414ad097e718aee89b3ad02fb1ec2d6aed9c7ad1ce3e7240a1
• Instruction Fuzzy Hash: EB224D7050C3C0DAE331C7688848B9BBFD5ABA2349F08495DE6C857292D7BA9648C777
APIs
• LocalAlloc.KERNEL32(00000040,00000400), ref: 10009A01
• LoadLibraryA.KERNEL32 ref: 10009A19
• GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 10009A31
• GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 10009A3B
• GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 10009A57
• GetProcessHeap.KERNEL32(00000001), ref: 10009A6C
• GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000A10B
• GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000A12C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_file.jbxd
Yara matches
Similarity
• API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
• String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$[TCP]$[UDP]$iphlpapi.dll$#v
• API String ID: 370057222-2045130857
• Opcode ID: 59f6fd4ba0227e589886d9a697b92b0c9ff23af91a0887ca4d9a19091bd6cc7b
• Instruction ID: 6cc274d2e0c42cbf31b34a6d2c2a09125c12879bb88dc124f1317fa833a6a5c1
• Opcode Fuzzy Hash: 59f6fd4ba0227e589886d9a697b92b0c9ff23af91a0887ca4d9a19091bd6cc7b
• Instruction Fuzzy Hash: C882F4315093559BD324DF24C850AAFBBE5FFC9B44F948A1CEA8693301DB35E909CB92
APIs
• GetVersionExA.KERNEL32(?), ref: 100240D3
• sprintf.MSVCRT ref: 1002418D
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000), ref: 100241D2
• RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,?), ref: 1002421A
• RegCloseKey.ADVAPI32(?), ref: 10024248
• FindWindowA.USER32(?,00000000), ref: 100242AE
• GetWindowTextA.USER32(00000000,?,00000104), ref: 100242E7
• GetWindow.USER32(00000000,00000002), ref: 100243A3
• GetClassNameA.USER32(00000000,?,00000104), ref: 100243B9
• GetTickCount.KERNEL32 ref: 100243C7
• sprintf.MSVCRT ref: 100243FE
  • Part of subcall function 100259E0: WTSQuerySessionInformationA.WTSAPI32 ref: 10025A04
  • Part of subcall function 100259E0: WTSFreeMemory.WTSAPI32(?,?), ref: 10025A28
  • Part of subcall function 10020B60: #823.MFC42(00000014,?,00000000), ref: 10020B67
  • Part of subcall function 10020B60: GlobalMemoryStatusEx.KERNEL32(?), ref: 10020B8B
  • Part of subcall function 10020B60: wsprintfA.USER32 ref: 10020BAE
• atol.MSVCRT ref: 1002441E
• #825.MFC42(00000000,?,?,?,00000000), ref: 10024427
  • Part of subcall function 100216F0: #823.MFC42(00000014,75BE0450,00000000), ref: 100216F7
  • Part of subcall function 100216F0: GlobalMemoryStatusEx.KERNEL32(?), ref: 1002171B
  • Part of subcall function 100216F0: wsprintfA.USER32 ref: 1002173E
• atol.MSVCRT ref: 10024434
• #825.MFC42(00000000,?,?,?,00000000), ref: 1002443D
• GetDriveTypeA.KERNEL32 ref: 10024472
• GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 1002448D
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 100244F1
• OpenServiceA.ADVAPI32(00000000,TermService,000F01FF,?,?,?), ref: 10024512
• QueryServiceStatus.ADVAPI32(00000000,?,?,?,?), ref: 10024531
• CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 10024542
• CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 10024545
• wsprintfA.USER32 ref: 1002480B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_file.jbxd
Yara matches
Similarity
• API ID: Service$CloseMemoryOpenQueryStatusWindowwsprintf$#823#825FreeGlobalHandleatolsprintf$ClassCountDiskDriveFindInformationManagerNameSessionSpaceTextTickTypeValueVersion
• String ID: 2000$2003$2008$2008R2$2012$C$C$CTXOPConntion_Class$E$HARDWARE\DESCRIPTION\System\CentralProcessor\0$M$OpenSCManager Error!$OpenService Error!$P$ProcessorNameString$QueryServiceStatus Error!$RDP-Tcp$SYSTEM\CurrentControlSet\Control\Terminal Server$SeDebugPrivilege$ServiceDll$T$T$TermService$Vista$Win XP$Windows %s SP%d$Y$\$\$\$\$\$\termsrv_t.dll$c$c$fDenyTSConnections$i$i$l$m$m$n$n$o$o$s$s$termsrv_t$u$v$v
• API String ID: 3552166250-473206856
• Opcode ID: 5a14d067872a67fd92b694e55db92e67272a86a625e3d2023d32f7fac927fa6c
• Instruction ID: 755189534b6c207bdf3233148af058f0a0cd25c3fe8b8245a38e4b9e8ef9bf03
• Opcode Fuzzy Hash: 5a14d067872a67fd92b694e55db92e67272a86a625e3d2023d32f7fac927fa6c
• Instruction Fuzzy Hash: F212E23110C7C09BE325CB649C84BEBBBE5EBD1304F85496DF9849B282DBB59948C763
APIs
  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
• LocalAlloc.KERNEL32(00000040,00000104), ref: 10015BC0
• OpenSCManagerA.ADVAPI32 ref: 10015BD7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 10015C03
• LocalAlloc.KERNEL32(00000040,?), ref: 10015C0C
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 10015C2E
• OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 10015C54
• QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10015C7A
• LocalAlloc.KERNEL32(00000040,00000000), ref: 10015C87
• QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10015C9B
• QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10015CB5
• LocalAlloc.KERNEL32(00000040,00000000), ref: 10015CC2
• QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10015CDA
• lstrcatA.KERNEL32(?,100F69D4), ref: 10015D3B
• lstrcatA.KERNEL32(?,100F69CC), ref: 10015D66
• lstrlenA.KERNEL32(00000040), ref: 10015D75
• lstrlenA.KERNEL32(?), ref: 10015D7D
• lstrlenA.KERNEL32 ref: 10015D88
• lstrlenA.KERNEL32(?), ref: 10015D94
• lstrlenA.KERNEL32(?), ref: 10015D9D
• lstrlenA.KERNEL32(?), ref: 10015DA5
• LocalSize.KERNEL32(?), ref: 10015DB7
• LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10015DC9
• lstrlenA.KERNEL32(?), ref: 10015DD7
• lstrlenA.KERNEL32(?), ref: 10015DE1
• lstrlenA.KERNEL32(?), ref: 10015E0A
• lstrlenA.KERNEL32(00000000), ref: 10015E1F
• lstrlenA.KERNEL32 ref: 10015E28
• lstrlenA.KERNEL32(00000000), ref: 10015E53
• lstrlenA.KERNEL32 ref: 10015E64
• lstrlenA.KERNEL32(00000000), ref: 10015E6D
• lstrlenA.KERNEL32(00000001), ref: 10015E93
• lstrlenA.KERNEL32(?), ref: 10015EA2
• lstrlenA.KERNEL32(?), ref: 10015EC4
• lstrlenA.KERNEL32(?), ref: 10015EDA
• lstrlenA.KERNEL32(?), ref: 10015F02
• lstrlenA.KERNEL32(?), ref: 10015F14
• lstrlenA.KERNEL32(?), ref: 10015F1E
• lstrlenA.KERNEL32(?), ref: 10015F42
• LocalFree.KERNEL32(?), ref: 10015F57
• LocalFree.KERNEL32(00000000), ref: 10015F5A
• CloseServiceHandle.ADVAPI32(?), ref: 10015F61
• LocalFree.KERNEL32(00000000), ref: 10015F94
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10015F9B
                                                      • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015FA9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 19575313-2896544425
                                                      • Opcode ID: a95b8db7125a884e7ddde596b790a298f5bbf677db0589560202084599c0c9ec
                                                      • Instruction ID: 5cc1c4b5f99fdee89c97a101d726894c1e730cbdec6765234d61eb6a8c5d3bfa
                                                      • Opcode Fuzzy Hash: a95b8db7125a884e7ddde596b790a298f5bbf677db0589560202084599c0c9ec
                                                      • Instruction Fuzzy Hash: 82D17C75204306AFD714DF64CC84AABB7EAFFC8700F54891DFA85A7250DB74E9098B92
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                      • LoadLibraryA.KERNEL32 ref: 100011B4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                      • #825.MFC42(?), ref: 100012C4
                                                      • #825.MFC42(00000000,?), ref: 100012CC
                                                      • #825.MFC42(?,00000000,?), ref: 100012D5
                                                      • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$#825
                                                      • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                      • API String ID: 345516743-2415744366
                                                      • Opcode ID: c000df12d25c6f53a7b11585f0796f77ff8d4ca47dc4d8261024f874ab2dc61b
                                                      • Instruction ID: ee08c086a63c9b71c05a681bfea59521c0724e463f90de67ab2405d2b34fdba8
                                                      • Opcode Fuzzy Hash: c000df12d25c6f53a7b11585f0796f77ff8d4ca47dc4d8261024f874ab2dc61b
                                                      • Instruction Fuzzy Hash: 2B517175904384ABCB10EF748C88E9B7FA8EF98351F450D49FB849B346DA36D905CBA1
                                                      APIs
                                                      • SetEvent.KERNEL32(?), ref: 1000C68C
                                                      • FindWindowA.USER32(Progman,00000000), ref: 1000C6C3
                                                      • ShowWindow.USER32(00000000,00000000), ref: 1000C6CC
                                                      • FindWindowA.USER32(Progman,00000000), ref: 1000C6E2
                                                      • ShowWindow.USER32(00000000,00000005), ref: 1000C6EB
                                                      • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1000C707
                                                      • ShowWindow.USER32(00000000,00000000), ref: 1000C712
                                                      • FindWindowA.USER32(Button,100F5F48), ref: 1000C71E
                                                      • ShowWindow.USER32(00000000,00000000), ref: 1000C723
                                                      • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1000C73B
                                                      • ShowWindow.USER32(00000000,00000005), ref: 1000C746
                                                      • FindWindowA.USER32(Button,100F5F48), ref: 1000C752
                                                      • ShowWindow.USER32(00000000,00000005), ref: 1000C757
                                                      • FindWindowA.USER32(00000000,00000000), ref: 1000C772
                                                      • SendMessageA.USER32(00000000), ref: 1000C779
                                                      • FindWindowA.USER32(00000000,00000000), ref: 1000C798
                                                      • SendMessageA.USER32(00000000), ref: 1000C79F
                                                      • mciSendStringA.WINMM(set cdaudio door open,00000000,00000000,00000000), ref: 1000C7B9
                                                      • mciSendStringA.WINMM(set cdaudio door closed wait,00000000,00000000,00000000), ref: 1000C7D3
                                                      • Beep.KERNEL32(000003E8,0000001E), ref: 1000C7F6
                                                      • Sleep.KERNEL32(00000064), ref: 1000C7FA
                                                      • GetForegroundWindow.USER32 ref: 1000C80F
                                                      • GetWindowRect.USER32(00000000,?), ref: 1000C837
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 1000C85E
                                                      • Sleep.KERNEL32(00000028), ref: 1000C862
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 1000C87F
                                                      • Sleep.KERNEL32(00000028), ref: 1000C883
                                                      • Beep.KERNEL32(00000FFF,0000000A), ref: 1000C88C
                                                      • SwapMouseButton.USER32(00000001), ref: 1000C8A5
                                                      • SwapMouseButton.USER32(00000000), ref: 1000C8B6
                                                      Similarity
                                                      • API ID: Window$Find$Show$Send$Sleep$BeepButtonMessageMouseMoveStringSwap$EventForegroundRect
                                                      • String ID: Button$Progman$Shell_TrayWnd$set cdaudio door closed wait$set cdaudio door open
                                                      • API String ID: 2556331450-1413032928
                                                      • Opcode ID: 709870fc80e0e8e69c93ac51de8ce754abde7dbd27f32ff7a8b968b812ad5dd2
                                                      • Instruction ID: c886d6d3add34ece47e187ad78ed35b021b35e69a0d648dc262f7d43e9efa9fc
                                                      • Opcode Fuzzy Hash: 709870fc80e0e8e69c93ac51de8ce754abde7dbd27f32ff7a8b968b812ad5dd2
                                                      • Instruction Fuzzy Hash: 7851147A7803247BF220E758DC8AFDA7714EBC4732F208136FF05A61D0D67564098AB9
                                                      APIs
                                                      • GetVersionExA.KERNEL32 ref: 1001711C
                                                        • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F99,1001713F,?,?,?), ref: 100168E9
                                                        • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                                                        • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                                                        • Part of subcall function 10016720: lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F99,762323A0), ref: 100167A7
                                                        • Part of subcall function 10016720: gethostname.WS2_32(?,?), ref: 100167AF
                                                        • Part of subcall function 10016720: lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F99,762323A0), ref: 100167B6
                                                      • getsockname.WS2_32(?), ref: 10017186
                                                      • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 100171F3
                                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 10017214
                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001725D
                                                      • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10017278
                                                      • GetTickCount.KERNEL32 ref: 1001730B
                                                      • wsprintfA.USER32 ref: 1001732C
                                                      • wsprintfA.USER32 ref: 10017349
                                                      • wsprintfA.USER32 ref: 10017363
                                                      • wsprintfA.USER32 ref: 1001738A
                                                      • free.MSVCRT ref: 100173B8
                                                      • free.MSVCRT ref: 1001742E
                                                      • lstrcpyA.KERNEL32(?,00000000,?,?,00000100), ref: 10017447
                                                      • GetLastInputInfo.USER32(?), ref: 10017461
                                                      • GetTickCount.KERNEL32 ref: 10017467
                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 1001748D
                                                      Similarity
                                                      • API ID: wsprintf$CountFreeInfoLibraryTickfreelstrcpylstrlen$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersiongethostnamegetsockname
                                                      • String ID: %$6gkIBfkS+qY=$@$D$Gwogwo Hxpgx$a$d$e$f$f$l$t$u
                                                      • API String ID: 3120897193-2348891111
                                                      • Opcode ID: a9b92a96c4369d6e81ffcbae9037dc32718a10426265270617612408bdc0e9d6
                                                      • Instruction ID: d62cdfb082d1a75627d98523c0125e9ce58e088c9f404048c39b39b746d53e56
                                                      • Opcode Fuzzy Hash: a9b92a96c4369d6e81ffcbae9037dc32718a10426265270617612408bdc0e9d6
                                                      • Instruction Fuzzy Hash: C3A19BB55083859FE325CB64CC80BDBBBE9EFC9304F044A1DF58987241EB75A509CB62
                                                      APIs
                                                      • wsprintfA.USER32 ref: 1001A4DE
                                                      • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1001A4F3
                                                      • GetLastError.KERNEL32 ref: 1001A4FF
                                                      • ReleaseMutex.KERNEL32(00000000), ref: 1001A50D
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A514
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A53C
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A55D
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A575
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A590
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001A5AB
                                                      • Sleep.KERNEL32(00000BB8), ref: 1001A5F0
                                                      • lstrcpyA.KERNEL32(?,facai7777777.ydns.eu), ref: 1001A613
                                                      • GetTickCount.KERNEL32 ref: 1001A65F
                                                      • GetTickCount.KERNEL32 ref: 1001A683
                                                      • GetTickCount.KERNEL32 ref: 1001A6BD
                                                      • GetTickCount.KERNEL32 ref: 1001A701
                                                      • GetTickCount.KERNEL32 ref: 1001A71F
                                                      • Sleep.KERNEL32(00000064,?,00000001), ref: 1001A73B
                                                      • GetTickCount.KERNEL32 ref: 1001A75F
                                                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 1001A76D
                                                      • Sleep.KERNEL32(00000190), ref: 1001A77A
                                                      Similarity
                                                      • API ID: CloseCountHandleTick$Sleep$Mutex$CreateErrorLastObjectReleaseSingleWaitlstrcpywsprintf
                                                      • String ID: %s:%d:%s$Gwogwo Hxpgx$e$facai7777777.ydns.eu$tdC2pg==
                                                      • API String ID: 3027695092-2604993532
                                                      • Opcode ID: 9d7150f100be0c02902ae68ed44c96dc3e8a283a0e1769531764386ec7ca12b7
                                                      • Instruction ID: dc56ed8e96a0a473f3ceccd143fbb57c5463b5468fdcf1a8512feb3f7a12ec6f
                                                      • Opcode Fuzzy Hash: 9d7150f100be0c02902ae68ed44c96dc3e8a283a0e1769531764386ec7ca12b7
                                                      • Instruction Fuzzy Hash: 7A91E575508381AAE330DB74CC89FDB7BE9EB96750F00091CF5489B192EB75A688C662
                                                      APIs
                                                      • lstrlenA.KERNEL32(?,?,?,?,00000065), ref: 10008C9B
                                                      • wsprintfA.USER32 ref: 10008CFD
                                                      • FindFirstFileA.KERNEL32(?,?,?,?,?,00000065), ref: 10008D0F
                                                      • wsprintfA.USER32 ref: 10008D6D
                                                      • wsprintfA.USER32 ref: 10008D9C
                                                      • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10008DCF
                                                      • #823.MFC42(00000018,?,00000001), ref: 10008E15
                                                      • #825.MFC42(?), ref: 10008E79
                                                      • FindNextFileA.KERNEL32(?,?), ref: 10008EA8
                                                      • FindClose.KERNEL32(?), ref: 10008EBB
                                                      Similarity
                                                      • API ID: Findwsprintf$File$#823#825CloseD@2@@std@@D@std@@FirstGrow@?$basic_string@NextU?$char_traits@V?$allocator@lstrlen
                                                      • String ID: %$%$%$%$%$.$.$s$s$s$s$s
                                                      • API String ID: 2977506440-2213182201
                                                      • Opcode ID: 8a4bc720b6aa8b36e0a69a18f062275ee39bbc410dff553ecfc0254acb272fa9
                                                      • Instruction ID: b3e0b9d6cc64d1ef771d695792dc3d17925a3ed2be099a21861268a268b04b69
                                                      • Opcode Fuzzy Hash: 8a4bc720b6aa8b36e0a69a18f062275ee39bbc410dff553ecfc0254acb272fa9
                                                      • Instruction Fuzzy Hash: DB716E7140C3809FE310CF28C884A9BBBE4FBD9344F448A6DF5D957291DB75AA09CB66
                                                      APIs
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 10026356
                                                      • lstrcatA.KERNEL32(00000000,\*.*), ref: 10026365
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 10026381
                                                      • strstr.MSVCRT ref: 1002642E
                                                      • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,10125614,?,00000104,?), ref: 1002647E
                                                      • lstrlenA.KERNEL32(00000000), ref: 10026488
                                                      • lstrlenA.KERNEL32(?), ref: 10026491
                                                      • LocalSize.KERNEL32(?), ref: 100264A7
                                                      • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 100264C0
                                                      • lstrlenA.KERNEL32(?), ref: 100264D0
                                                      • lstrlenA.KERNEL32(?), ref: 100264FA
                                                      • lstrlenA.KERNEL32(00000000), ref: 10026514
                                                      • lstrlenA.KERNEL32(00000000), ref: 10026544
                                                      • FindNextFileA.KERNEL32(?,?), ref: 10026560
                                                      • FindClose.KERNEL32(?), ref: 1002656F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                      • String ID: .$.url$InternetShortcut$URL$\*.*
                                                      • API String ID: 3365753205-65308377
                                                      • Opcode ID: 6fe7781855e7051b680883f4bac82d6d3a317ac5f84533cd35bbfe081694e390
                                                      • Instruction ID: 87e1bb42a69771b972d38f98c6adb2aa95a4d86102d5fa0a37b1bfd3e987af2e
                                                      • Opcode Fuzzy Hash: 6fe7781855e7051b680883f4bac82d6d3a317ac5f84533cd35bbfe081694e390
                                                      • Instruction Fuzzy Hash: 556138711047549FD328CB38CC84AEBBBE9FBC9301F508A2DEA4697254EB35A909CB41
                                                      APIs
                                                        • Part of subcall function 10027CC0: GetCurrentThreadId.KERNEL32 ref: 10027CD2
                                                        • Part of subcall function 10027CC0: GetThreadDesktop.USER32(00000000), ref: 10027CD9
                                                        • Part of subcall function 10027CC0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D0C
                                                        • Part of subcall function 10027CC0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10027D17
                                                        • Part of subcall function 10027CC0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D3E
                                                        • Part of subcall function 10027CC0: lstrcmpiA.KERNEL32(?,?), ref: 10027D4D
                                                        • Part of subcall function 10027CC0: SetThreadDesktop.USER32(00000000), ref: 10027D58
                                                        • Part of subcall function 10027CC0: CloseDesktop.USER32(00000000), ref: 10027D70
                                                        • Part of subcall function 10027CC0: CloseDesktop.USER32(00000000), ref: 10027D73
                                                      • GetDeviceCaps.GDI32(?,00000076), ref: 1001469F
                                                      • _ftol.MSVCRT ref: 100146B7
                                                      • GetDeviceCaps.GDI32(?,00000075), ref: 100146C7
                                                      • _ftol.MSVCRT ref: 100146DF
                                                      • MapVirtualKeyA.USER32(?,00000000), ref: 10014738
                                                      • keybd_event.USER32(?,00000000), ref: 10014743
                                                      • MapVirtualKeyA.USER32(?,00000000), ref: 10014755
                                                      • keybd_event.USER32(00000000,00000000), ref: 10014760
                                                      • MapVirtualKeyA.USER32(?,00000000), ref: 10014789
                                                      • keybd_event.USER32(?,00000000), ref: 10014794
                                                      • MapVirtualKeyA.USER32(?,00000000), ref: 100147A6
                                                      • keybd_event.USER32(?,00000000), ref: 100147B1
                                                      • mouse_event.USER32(00008006,00000000,00000000,00000000,00000000), ref: 10014808
                                                      • mouse_event.USER32(00008006,00000000,00000000,00000000,00000000), ref: 100148A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Desktop$Virtualkeybd_event$Thread$CapsCloseDeviceInformationObjectUser_ftolmouse_event$CurrentInputOpenlstrcmpi
                                                      • String ID: Fs
                                                      • API String ID: 155679656-3114537292
                                                      • Opcode ID: b35ef54b6048c289d2f3728692a894843c00b48f20be30021ec7376e9369996f
                                                      • Instruction ID: f08f1c6231b75a2d8fdc7810d46143b97d517c61a25559a5b22ab7eb5df22c5a
                                                      • Opcode Fuzzy Hash: b35ef54b6048c289d2f3728692a894843c00b48f20be30021ec7376e9369996f
                                                      • Instruction Fuzzy Hash: 0651AB346883907AF670CA558C8AF9F7B98EB46B90F328515F645AE0E0CEF0E5C4C765
                                                      APIs
                                                      • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 10008766
                                                      • wsprintfA.USER32 ref: 100087BC
                                                      • FindFirstFileA.KERNEL32(?,?,100F5484,?,00000000,00000065), ref: 100087CE
                                                      • wsprintfA.USER32 ref: 10008830
                                                      • wsprintfA.USER32 ref: 1000885C
                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 10008876
                                                      • DeleteFileA.KERNEL32(?), ref: 10008884
                                                      • FindNextFileA.KERNEL32(?,?), ref: 10008894
                                                      • FindClose.KERNEL32(?), ref: 100088A7
                                                      • RemoveDirectoryA.KERNEL32(?), ref: 100088AE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                      • String ID: %$%$%$%$%$.$.
                                                      • API String ID: 1639472542-2249276185
                                                      • Opcode ID: d9e64f9345b0402f6918c17be90c718ca4e22ae175219570850045d08e44636b
                                                      • Instruction ID: 21311e50925f34d8e1f6941ef68614689c34f6300e3c1fb60ec4bdd6fcbace88
                                                      • Opcode Fuzzy Hash: d9e64f9345b0402f6918c17be90c718ca4e22ae175219570850045d08e44636b
                                                      • Instruction Fuzzy Hash: 50418D7100C3819AE310CB64DC48AEBBBE8ABDA344F588A5DF9C843241DA75D608C76B
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _errno$closesocketrecvsend$Sleepselect
                                                      • String ID:
                                                      • API String ID: 1718823125-0
                                                      • Opcode ID: f2ce5e0bab4b520705654094b141cde67bf1d65fd861e3d7dc0a19c123bc787c
                                                      • Instruction ID: 75aa76801bf746524f599a67776039b48bb6b9db9d51d51097a73c2c3d234f7b
                                                      • Opcode Fuzzy Hash: f2ce5e0bab4b520705654094b141cde67bf1d65fd861e3d7dc0a19c123bc787c
                                                      • Instruction Fuzzy Hash: C7B122316047559BE724DF24D8946BFB3EAFFD8300F41492CEA469B240DB74EA45CBA2
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10020EB1
                                                      • wcstombs.MSVCRT ref: 10020EF2
                                                      • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10020F0E
                                                      • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10020F2A
                                                      • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10020F4B
                                                      • lstrlenA.KERNEL32(101267C8), ref: 10020FBB
                                                      • lstrlenA.KERNEL32(101267C8), ref: 10020FDC
                                                      • lstrlenA.KERNEL32(?), ref: 10020FEF
                                                      • lstrlenA.KERNEL32(?), ref: 10021011
                                                      • lstrlenA.KERNEL32(?), ref: 10021024
                                                      • lstrlenA.KERNEL32(?), ref: 10021042
                                                      • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10021076
                                                        • Part of subcall function 100174F0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                                                        • Part of subcall function 100174F0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                                                        • Part of subcall function 100174F0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                                                        • Part of subcall function 100174F0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2919970077-2896544425
                                                      • Opcode ID: ad0da1509068e8aa9a54ad664cd5d512d395047490eee76c1452398f18daff12
                                                      • Instruction ID: f734b887138c33fb7cb3e9bca632fe752cf8eb22d09a6333b39cf64523cf5069
                                                      • Opcode Fuzzy Hash: ad0da1509068e8aa9a54ad664cd5d512d395047490eee76c1452398f18daff12
                                                      • Instruction Fuzzy Hash: 8B51C0716043459FC314CF18EC81AAFB7E5FBC8704F500A2DF995A7281DB75A90A8B92
                                                      APIs
                                                      • Sleep.KERNEL32(0000000A), ref: 1000AB22
                                                      • lstrlenA.KERNEL32(?), ref: 1000AB2D
                                                      • GetKeyState.USER32(00000010), ref: 1000AB77
                                                      • GetAsyncKeyState.USER32(0000000D), ref: 1000AB83
                                                      • GetKeyState.USER32(00000014), ref: 1000AB8F
                                                      • GetKeyState.USER32(00000014), ref: 1000ABB7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: State$AsyncSleeplstrlen
                                                      • String ID: <BackSpace>$<Enter>
                                                      • API String ID: 43598291-3792472884
                                                      • Opcode ID: d1378e246c641731ab7291b1ffd03a61b4a41fbf246efc5fb40d668432e8d685
                                                      • Instruction ID: 64bd0e668ec24cb705bcd9ff538fb5a2b415b15cf64c82be3b74d26111a7e741
                                                      • Opcode Fuzzy Hash: d1378e246c641731ab7291b1ffd03a61b4a41fbf246efc5fb40d668432e8d685
                                                      • Instruction Fuzzy Hash: 0351E1755083569BF710DF20CC84BAB73AAEB82384F120B29ED5186159DB72E5C9C763
                                                      APIs
                                                      • CreateFileA.KERNEL32 ref: 1000C5D2
                                                      • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000C605
                                                      • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000C619
                                                      • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000C634
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000C637
                                                      • Sleep.KERNEL32(000007D0), ref: 1000C642
                                                      • GetVersion.KERNEL32 ref: 1000C648
                                                      • ExitWindowsEx.USER32(00000006,00000000), ref: 1000C668
                                                      • ExitProcess.KERNEL32 ref: 1000C670
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                      • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                      • API String ID: 554375110-3993181469
                                                      • Opcode ID: ec22cffec440fbac7ee8039e5b82bcb5052ab0dcdaea311913a5ae636d515fbd
                                                      • Instruction ID: 205b70589b789033467f2a3b0af619853c481c55584e71c3bc365793bb5a12d1
                                                      • Opcode Fuzzy Hash: ec22cffec440fbac7ee8039e5b82bcb5052ab0dcdaea311913a5ae636d515fbd
                                                      • Instruction Fuzzy Hash: 4821F2353847657BF630EB24CC4AFDA3B90AB84B11F204B18FB65BA0D0D6A07604875A
                                                      APIs
                                                      • lstrlenA.KERNEL32(?,?,?,00000065), ref: 1000859A
                                                      • wsprintfA.USER32 ref: 100085EA
                                                      • FindFirstFileA.KERNEL32(?,?,?,100F5484,?,00000065), ref: 10008600
                                                      • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10008636
                                                      • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10008664
                                                      • lstrlenA.KERNEL32(?,?,00000065), ref: 100086A3
                                                      • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 100086F6
                                                      • LocalFree.KERNEL32(00000000,?,00000065), ref: 10008712
                                                      • FindClose.KERNEL32(?,?,00000065), ref: 1000871D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                      • String ID: .$h
                                                      • API String ID: 4283800025-2131999284
                                                      • Opcode ID: b6a7e83d22f7991ca3024222d3095c0377de5e009c4a1f7f1239e70007da91b5
                                                      • Instruction ID: 9e9fa09597343c3d33f58066edf1bc9ac54451ce5a7623f6020eb3d89927d9eb
                                                      • Opcode Fuzzy Hash: b6a7e83d22f7991ca3024222d3095c0377de5e009c4a1f7f1239e70007da91b5
                                                      • Instruction Fuzzy Hash: 755106756083848FD310CF68CC84B9BBBE4FBD9345F548A2CF98497341D6799A09CB66
                                                      APIs
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 100137CC
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001399C
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003), ref: 10013B2C
                                                        • Part of subcall function 10012F70: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10013058
                                                      • #825.MFC42(00000000), ref: 10013B81
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003), ref: 10013B91
                                                      • #825.MFC42(?), ref: 10013C19
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823$#825$Open
                                                      • String ID:
                                                      • API String ID: 2779812387-0
                                                      • Opcode ID: 564811c81090fafd9c88047a90e8582f58457f7036380442e5ba9a3557740b09
                                                      • Instruction ID: 6770e2bfe27b35aec20c0b657e72e1cff44af21098f06d03b8ebb5f60cd9b73f
                                                      • Opcode Fuzzy Hash: 564811c81090fafd9c88047a90e8582f58457f7036380442e5ba9a3557740b09
                                                      • Instruction Fuzzy Hash: 25D120B56046059BC308DF28D89166FB3D6FFC8610F84853DF9468B381DB35EA8AC792
                                                      APIs
                                                      • lstrlenA.KERNEL32(00000000), ref: 10021469
                                                      • lstrlenA.KERNEL32(00000000), ref: 10021479
                                                      • lstrlenA.KERNEL32(00000000), ref: 10021480
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                                                        • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                                                      • NetUserAdd.NETAPI32 ref: 100214D6
                                                      • #825.MFC42(?), ref: 100214E4
                                                      • #825.MFC42(?,?), ref: 100214EE
                                                      • wcscpy.MSVCRT ref: 10021532
                                                      • #825.MFC42(?), ref: 1002153D
                                                      • #825.MFC42(?,?), ref: 10021547
                                                      • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 1002156A
                                                      • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10021572
                                                      • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 1002159F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                      • String ID:
                                                      • API String ID: 3899135135-0
                                                      • Opcode ID: 471d24f2a99f04f068336eb5ee4591de7282793d3427b92e0a67ffe67382fa1b
                                                      • Instruction ID: 7d8fadddd2169925b57e10fd67cde15fd11a706cf5bde10c36258d042e66e1d0
                                                      • Opcode Fuzzy Hash: 471d24f2a99f04f068336eb5ee4591de7282793d3427b92e0a67ffe67382fa1b
                                                      • Instruction Fuzzy Hash: B941B4755043406BD710DF64DC85EAFBBE8EFC9744F400D2DF54497242EAB9EA098762
                                                      Strings
                                                      • PVOP, xrefs: 1007C0DC
                                                      • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007C590
                                                      • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007C2B2
                                                      • *** XXXXXX bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007BF10
                                                      • CLOSED GOP BVOP->PVOP, xrefs: 1007C039
                                                      • BVOP, xrefs: 1007BD7A
                                                      • IVOP, xrefs: 1007C1A0
                                                      • %d st:%lld if:%d, xrefs: 1007BD44
                                                      • *** END, xrefs: 1007C6EB
                                                      • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007C17C
                                                      • *** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007C0B8, 1007C698
                                                      • *** BFRAME (store) bf: head=%i tail=%i queue: head=%i tail=%i size=%i quant=%i, xrefs: 1007BE92
                                                      • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 1007C36E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %d st:%lld if:%d$*** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** BFRAME (store) bf: head=%i tail=%i queue: head=%i tail=%i size=%i quant=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** XXXXXX bf: head=%i tail=%i queue: head=%i tail=%i size=%i$BVOP$CLOSED GOP BVOP->PVOP$IVOP$PVOP
                                                      • API String ID: 0-2148658119
                                                      • Opcode ID: 3455aed5107c4458ededc88416e3a7ebe482fa30bb205f2481a8135d7ccdadfc
                                                      • Instruction ID: f91079162a055caecfe4fac2b2a2bd15c69faba78d0e62f8f0512d514fa22ed0
                                                      • Opcode Fuzzy Hash: 3455aed5107c4458ededc88416e3a7ebe482fa30bb205f2481a8135d7ccdadfc
                                                      • Instruction Fuzzy Hash: 7BA224B56042889FCB68CF18C881BEA77E5FF89304F14861DEE898B351D774AE41CB95
                                                      APIs
                                                        • Part of subcall function 10027D90: LoadLibraryA.KERNEL32 ref: 10027DA7
                                                        • Part of subcall function 10027D90: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 10027DB7
                                                        • Part of subcall function 10027D90: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10027DC1
                                                        • Part of subcall function 10027D90: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 10027DCD
                                                        • Part of subcall function 10027D90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 10027DD8
                                                        • Part of subcall function 10027D90: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10027DE4
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000CDED
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 1000CE0F
                                                      • _stricmp.MSVCRT(?,explorer.exe,00000000,00000128), ref: 1000CE30
                                                      • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000CE41
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000CE4A
                                                      • Process32Next.KERNEL32(00000000,?), ref: 1000CE52
                                                      • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000CE5C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_stricmp
                                                      • String ID: SeDebugPrivilege$explorer.exe
                                                      • API String ID: 494571321-2721386251
                                                      • Opcode ID: 9dcab95a827e8108575901c2b1c6ca67a54b20d7fd8737588cbfd5035b167072
                                                      • Instruction ID: f8a8f10fb3cb73c73cb47a4a2118efc0b43cef4f60393f190e00bb46773b2715
                                                      • Opcode Fuzzy Hash: 9dcab95a827e8108575901c2b1c6ca67a54b20d7fd8737588cbfd5035b167072
                                                      • Instruction Fuzzy Hash: 7611C47A2413557BF200E764EC42FAB779CEB94341F500924FF0096181EB75F9188775
                                                      APIs
                                                      • WSAStartup.WS2_32(00000202,?), ref: 1001F481
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 1001F491
                                                      • htons.WS2_32 ref: 1001F4C0
                                                      • bind.WS2_32 ref: 1001F4DB
                                                      • listen.WS2_32(00000000,00000032), ref: 1001F4EC
                                                      • accept.WS2_32(00000000,00000000,00000000), ref: 1001F515
                                                      • malloc.MSVCRT ref: 1001F51B
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_0001F180,00000000,00000000,?), ref: 1001F537
                                                      • Sleep.KERNEL32(000003E8), ref: 1001F546
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001F54F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                      • String ID:
                                                      • API String ID: 1905318980-0
                                                      • Opcode ID: a59095f9e3124cbee1a4d9441902c249b362dc60a6f7d5ebdabd048e0652216a
                                                      • Instruction ID: d64cc42701f4da185ffe0f43c7499a31d7295766506552b4b360b44478263ad1
                                                      • Opcode Fuzzy Hash: a59095f9e3124cbee1a4d9441902c249b362dc60a6f7d5ebdabd048e0652216a
                                                      • Instruction Fuzzy Hash: E521C834648310BBF310DF64DC89BAB77A9EF54B50F20871CF9599A2E0E770D9448626
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002232D
                                                      • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 10022340
                                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1002234E
                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022363
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022370
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022373
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                      • String ID: SeDebugPrivilege$sharedaccess
                                                      • API String ID: 3393504433-1846105483
                                                      • Opcode ID: 9a5bec22da184aafc7de1840fb89d9ed27d65efad80d4713c520f9db900ec074
                                                      • Instruction ID: 5f6db0e678fc87dd5abd25df875302259054930dedc4e593eacc6998952c9221
                                                      • Opcode Fuzzy Hash: 9a5bec22da184aafc7de1840fb89d9ed27d65efad80d4713c520f9db900ec074
                                                      • Instruction Fuzzy Hash: F7F0F63A6601207BE210B7688C8AFFF3F68EF91752F504124FF0865191DBB565488AB2
                                                      APIs
                                                      • OpenClipboard.USER32(00000000), ref: 100148E2
                                                      • EmptyClipboard.USER32 ref: 100148EE
                                                      • GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 100148FE
                                                      • GlobalLock.KERNEL32(00000000), ref: 1001490C
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 10014929
                                                      • SetClipboardData.USER32(00000001,00000000), ref: 10014932
                                                      • GlobalFree.KERNEL32(00000000), ref: 10014939
                                                      • CloseClipboard.USER32 ref: 10014940
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                      • String ID:
                                                      • API String ID: 453615576-0
                                                      • Opcode ID: 6344113846d5af2778d92395b0f0a7428041fa722a07b8ab9aad75dd3ee35253
                                                      • Instruction ID: cd002b0049826d6ceaebacdf2811ae565fb01a9805823bcc65aa493275a73110
                                                      • Opcode Fuzzy Hash: 6344113846d5af2778d92395b0f0a7428041fa722a07b8ab9aad75dd3ee35253
                                                      • Instruction Fuzzy Hash: A9F0307A244721EFFB54AB748CCDAAB7B98FB48652B558618FD02D7250CB709C01C761
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                                                      • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                      • String ID:
                                                      • API String ID: 3398352648-0
                                                      • Opcode ID: 0ad56e8a79e4debe52c01416b8063527252df3a7d3e373228cf3d4ae0fe8c4a5
                                                      • Instruction ID: b2682cf87979ee8176c9da1bf77602dff9e403c07e320506278319093fb252ce
                                                      • Opcode Fuzzy Hash: 0ad56e8a79e4debe52c01416b8063527252df3a7d3e373228cf3d4ae0fe8c4a5
                                                      • Instruction Fuzzy Hash: 0D0179B9614700BFE314DF64CC99F6B77A8FF84700F95C91CF94686190D675D4448B61
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000028), ref: 10024930
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 10024937
                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10024965
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002497D
                                                      • GetLastError.KERNEL32 ref: 10024983
                                                      • CloseHandle.KERNEL32(?), ref: 10024994
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                      • String ID:
                                                      • API String ID: 3398352648-0
                                                      • Opcode ID: 0d7e2dd838ff04cc2dbbab3b4af3fd10f9afbb0fb5b8408daeb9751cbf8b9a64
                                                      • Instruction ID: 2ef450a22dc1432db0547e529ba1d5a59e0db50674bf4b7841a504130bfc780c
                                                      • Opcode Fuzzy Hash: 0d7e2dd838ff04cc2dbbab3b4af3fd10f9afbb0fb5b8408daeb9751cbf8b9a64
                                                      • Instruction Fuzzy Hash: 30018479604310BFE314EB64CC99FAB77A8FF84B00F51CA1CF98696290D774D8048BA1
                                                      APIs
                                                      • FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 100090E5
                                                      • FindClose.KERNEL32(00000000), ref: 10009167
                                                      • CloseHandle.KERNEL32(?), ref: 10009179
                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009191
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseFileFind$CreateFirstHandle
                                                      • String ID: p
                                                      • API String ID: 3283578348-2181537457
                                                      • Opcode ID: eba956b9fcbe3bfcc7104d0eaea32a5904e49d3a37679d4c714c3b9362f4e101
                                                      • Instruction ID: b12e5796499e45cbb7bbc860ac8b97f10ac8faff609f7352a5540c7b03686c13
                                                      • Opcode Fuzzy Hash: eba956b9fcbe3bfcc7104d0eaea32a5904e49d3a37679d4c714c3b9362f4e101
                                                      • Instruction Fuzzy Hash: 5531B975A087029BE324DF28CC457CFB7EAEBC53A0F258A1DF4A9873D4D63499458B42
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: bindsocket
                                                      • String ID:
                                                      • API String ID: 3370621091-0
                                                      • Opcode ID: 48ec17574366238cad99c539dcb6618e3c139e77b47012e2206df5b20fac36fb
                                                      • Instruction ID: 199b92a5082f7001cbb4ac8ce796d27b6acc07d0293226c99db6652306a76db7
                                                      • Opcode Fuzzy Hash: 48ec17574366238cad99c539dcb6618e3c139e77b47012e2206df5b20fac36fb
                                                      • Instruction Fuzzy Hash: 581130B4814311AFE300DF64D8456EAB7E4FF98318F148A2DF89887291E3B5DA858786
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: gfff$gfff$gfff$gfff
                                                      • API String ID: 0-2178600047
                                                      • Opcode ID: 897d0936ebd965e27aee2e58ea5116ca03ad29add98d0f13980de002f3a01c6f
                                                      • Instruction ID: 9ef823af0777f1d4cb3f62dee556ef4d1ea4b200a88b3e2f90f8be412ea95059
                                                      • Opcode Fuzzy Hash: 897d0936ebd965e27aee2e58ea5116ca03ad29add98d0f13980de002f3a01c6f
                                                      • Instruction Fuzzy Hash: 2832A131A083928BC318CF28C89015EB7E2FBC9745F558A3DE885DB354E775E945CB86
                                                      APIs
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: exitfprintf
                                                      • String ID: %s
                                                      • API String ID: 4243785698-620797490
                                                      • Opcode ID: 25dc1b16975e234d7738d6ab2dc72ba28bf17fa3fa696483168906151d4a282f
                                                      • Instruction ID: 52e782dcf910148b0d5456635dd42d683ac935d6c7f17b3f20a5fbffaddbf4db
                                                      • Opcode Fuzzy Hash: 25dc1b16975e234d7738d6ab2dc72ba28bf17fa3fa696483168906151d4a282f
                                                      • Instruction Fuzzy Hash: 73E06539804111AFD200DFA4DC45EAEB7B8EF85304F009454F54897211DB75F8498BA7
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: false$null$true
                                                      • API String ID: 0-2913297407
                                                      • Opcode ID: f60b13ee90018ec338b8caeb0c874bf0a176b0c9a60af7e692ac0f753242cac7
                                                      • Instruction ID: bc9fa4bed883c1ed422a08d0ea5d6b405f48dc408d212a9a6a957781fef77767
                                                      • Opcode Fuzzy Hash: f60b13ee90018ec338b8caeb0c874bf0a176b0c9a60af7e692ac0f753242cac7
                                                      • Instruction Fuzzy Hash: D65232756083428BE705CF28E88071BB7E9EF89295F05852DF889CB345EB36ED05C792
                                                      APIs
                                                      • OpenEventLogA.ADVAPI32(00000000,100F5EBC), ref: 1000C4F4
                                                      • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000C4FF
                                                      • CloseEventLog.ADVAPI32(00000000), ref: 1000C502
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Event$ClearCloseOpen
                                                      • String ID:
                                                      • API String ID: 1391105993-0
                                                      • Opcode ID: 50fefd087aa6a671c00c0657d2ab3d1fb2068d43f4025ee25c5d2f956d57d5f3
                                                      • Instruction ID: 2495073f6dabbcf6a498c7976ae4cfae5c952359d87d41c5d84001ea3fcae639
                                                      • Opcode Fuzzy Hash: 50fefd087aa6a671c00c0657d2ab3d1fb2068d43f4025ee25c5d2f956d57d5f3
                                                      • Instruction Fuzzy Hash: 26F0A73664536567D301EB09AC80F5FFBA8FFC5652F910518EB0593210C77AAB0546E6
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 1000E026
                                                        • Part of subcall function 100174F0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                                                        • Part of subcall function 100174F0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                                                        • Part of subcall function 100174F0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                                                        • Part of subcall function 100174F0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                      • String ID: SeShutdownPrivilege
                                                      • API String ID: 3672536310-3733053543
                                                      • Opcode ID: 48d77c60ab9cfe5784c9ed0b12854fca7aef6a4897eb2b4279d6559b26e2d240
                                                      • Instruction ID: 972a209dc102ca07ab5f7e13293a3fa0107094833a283df555782093fa129901
                                                      • Opcode Fuzzy Hash: 48d77c60ab9cfe5784c9ed0b12854fca7aef6a4897eb2b4279d6559b26e2d240
                                                      • Instruction Fuzzy Hash: 5FC0807955020037F510D7585C47F463A11FB50707F544010FB085D1D2D772F1544176
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2$?
                                                      • API String ID: 0-2669683831
                                                      • Opcode ID: ce50cb4aa04ee45f41a8e26cf65952bd776c285aaeaf9599e7ff39fb0307dda7
                                                      • Instruction ID: f120eaf025a48dea1a1c0d1a8c80c8a2fcbec25aa556ae18888ddc72439d763f
                                                      • Opcode Fuzzy Hash: ce50cb4aa04ee45f41a8e26cf65952bd776c285aaeaf9599e7ff39fb0307dda7
                                                      • Instruction Fuzzy Hash: FF72B3B4604B429FD368CF29C890A9AF7E5FB88344F108A2EE59D87711E730A955CF91
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintf
                                                      • String ID:
                                                      • API String ID: 590974362-0
                                                      • Opcode ID: fabe67de8444e4f359b9a7a9f5072c2fabfcd0ba8eafa7907d46a0cfb085a6ee
                                                      • Instruction ID: b1ffc32d03522cc592a1744b1c319bb25a4d0295e03e3ee64d77821a0a4852a1
                                                      • Opcode Fuzzy Hash: fabe67de8444e4f359b9a7a9f5072c2fabfcd0ba8eafa7907d46a0cfb085a6ee
                                                      • Instruction Fuzzy Hash: 4F72D579E00B015BE364DA25DC81B6B73D6EF85310F10C81EF9AA87B92DA74F9418BD1
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `
                                                      • API String ID: 0-2679148245
                                                      • Opcode ID: b55e0c77f83df8f1df704a5cf75a8cb830c8ca68b6b29744beddd0b2ad468a87
                                                      • Instruction ID: 0c7aaa38d8c783589e85b83618c4bc388c215b7dfc65211fb1efa83baf929443
                                                      • Opcode Fuzzy Hash: b55e0c77f83df8f1df704a5cf75a8cb830c8ca68b6b29744beddd0b2ad468a87
                                                      • Instruction Fuzzy Hash: D67257B16087019FD358CF28CC95A6BB7EAFBC8344F14892DF99A83355E774E8019B52
                                                      Strings
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ea6ba0e0c666c75ca1ffed69118899b20ddd70fee2f9200a364a4617e2a4543
                                                      • Instruction ID: 8dd0056cc80d329c4821cf66463cb1161cd1972c5f2980a50cb96e72a8a29513
                                                      • Opcode Fuzzy Hash: 0ea6ba0e0c666c75ca1ffed69118899b20ddd70fee2f9200a364a4617e2a4543
                                                      • Instruction Fuzzy Hash: F2025E756087428FC309CF19C8C0A5AFBE2FFC8219F19896DD5899B316D731E906CB41
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 23da49b82e630a6b15dda6fd8795ce7ad110208d11bbafd6ba99b9b8164766ff
                                                      • Instruction ID: 078c1a236177cb12f0e3a8f5eda14a29c9bc878b48d1d8658bb5de089719bd91
                                                      • Opcode Fuzzy Hash: 23da49b82e630a6b15dda6fd8795ce7ad110208d11bbafd6ba99b9b8164766ff
                                                      • Instruction Fuzzy Hash: 2CD1D879F00B014BE754CA25DC91BABB3D6FFC4354F04892EFA9A87B91D670F9418A90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c9f6111135b445193610b6f2b17a7c162fbcc6c4a780efe62c55da2ff4b8554
                                                      • Instruction ID: dc6ffa5f307edc0fce47a0efe9d9b3f74e22de3c4cc9d858f32f8a147ff9e474
                                                      • Opcode Fuzzy Hash: 1c9f6111135b445193610b6f2b17a7c162fbcc6c4a780efe62c55da2ff4b8554
                                                      • Instruction Fuzzy Hash: BDE10872A083954FD318CF28D89069AFBE1FBC8380F16866DE4D6DB351D634D94ACB85
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                      • Instruction ID: 649f1e7f4b3158c3088a07b07cbcdc8be7234f0b54355cb83c5254a91e377189
                                                      • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                      • Instruction Fuzzy Hash: 73F1AEB65092418FC309CF18D8989E2BBE5EF98714F1F82FDC4499B362D3329985CB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4fc5fe6b7f16479f301ca830f74ecf4a5ff8ae17c3fe4b5b1419e4e95972a34e
                                                      • Instruction ID: cb9dc1c5c35ae900588d5d83a189e5af79ebbbf85b11cf0855b0056c2aa5d3c3
                                                      • Opcode Fuzzy Hash: 4fc5fe6b7f16479f301ca830f74ecf4a5ff8ae17c3fe4b5b1419e4e95972a34e
                                                      • Instruction Fuzzy Hash: DED167B5A043468FC318CF49D880A5AF7E1FFC8354F558A2EE89997301D731E946CB92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                      • Instruction ID: 8772f270340eae366f9f0b09bee7f52aae8078fc417304f2f13b3946d46c4f44
                                                      • Opcode Fuzzy Hash: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                      • Instruction Fuzzy Hash: B5D1A074925B0196D716CF38C092436B3A1EFF27147A4C75ED882B715AFB31E895C780
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a4a767744e4c19a47f92bdd4c448351933d34ef1759a38cf811ada6d24431ff
                                                      • Instruction ID: 15cc7bd5faffbe600695c5bcb3d1fe30eaa379d87f997e966023115dd4e626bf
                                                      • Opcode Fuzzy Hash: 3a4a767744e4c19a47f92bdd4c448351933d34ef1759a38cf811ada6d24431ff
                                                      • Instruction Fuzzy Hash: A0C134716087068BD31CCF19C89156BFBE2FBC8304F048A2DE59A87354EB34E915CB89
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 92135398a67efd078a544a17ba555325c51b6af8340fb51d43000b0486edd924
                                                      • Instruction ID: 7651e89345c56d010d6ffb7d207b32acc9d81d8035143639a3cd2b2f8c4e9ea2
                                                      • Opcode Fuzzy Hash: 92135398a67efd078a544a17ba555325c51b6af8340fb51d43000b0486edd924
                                                      • Instruction Fuzzy Hash: 05D188756092518FC319CF18E8D88E27BE5FF98740B1E46F8C9898B323D7329985CB55
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                      • Instruction ID: d3bc92f85f095f95102d310fdc65c6d801894b3729e9338783eebb768fab37f3
                                                      • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                      • Instruction Fuzzy Hash: BDC13C3560D3828FC308CF69C89055AFBE2BFDA204F49D97DE9C98B312D671A919CB45
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e415dac85e7dcbfcd4cabc1aec951562da8b6b1c947135ceea6e6317e3d00e5
                                                      • Instruction ID: 4737e71dc0b6e6c087583cff0ea57ec0ab44ba6327535c089a3ef1f2f88609c9
                                                      • Opcode Fuzzy Hash: 2e415dac85e7dcbfcd4cabc1aec951562da8b6b1c947135ceea6e6317e3d00e5
                                                      • Instruction Fuzzy Hash: F9A1D134A087968FD709CF29849035ABBF2FFD9615F24CA6DD8A58F389E7709805C781
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                      • Instruction ID: 552c8f6db82fe191c976eab87a11c4cdb869c7ae1d8240d18a23a5b7c2478a67
                                                      • Opcode Fuzzy Hash: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                      • Instruction Fuzzy Hash: 37C16CA492AB0596D7168F38C482536B3A1FFF67147A4C75AD8C2B715AFB30E4A1C280
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                      • Instruction ID: 432799a227a104eec1ff79a2288d05d0e4e1369f6b1345dc811011302a061338
                                                      • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                      • Instruction Fuzzy Hash: 89718333755A8207E71CCE3E8C712BAABD34FC522932EC87E94DAC7756EC79941A5204
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a445a02a992d47832cc69a1fcabfbb982e78f1ba09698b0b68cabf9ccd5209e
                                                      • Instruction ID: 16c0175a477e18b109f141d824dada1b23d5b3178ee30b8fb2fe71ae4ba23b7d
                                                      • Opcode Fuzzy Hash: 6a445a02a992d47832cc69a1fcabfbb982e78f1ba09698b0b68cabf9ccd5209e
                                                      • Instruction Fuzzy Hash: 38915C756047059FD358CF68C881AABB7E9FBC8340F14892EF99A87341EA74F909CB51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fb52c3b1f88c05b4eb834061f1912a52330814b5715fd87aa2888b364c86378e
                                                      • Instruction ID: 9404cba3d8da1d211fdb4783ed3079d2e62e9d1759d12bfb618f7433bb15857f
                                                      • Opcode Fuzzy Hash: fb52c3b1f88c05b4eb834061f1912a52330814b5715fd87aa2888b364c86378e
                                                      • Instruction Fuzzy Hash: 2E914C716083814FC318CF6DC89055AFBE2FFCA304F198A3EE5C9C7365DA7599068A46
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7c448c6a1fb9114aafba6b0d16267dbc202f2804b4a444c376df820d5a9da16
                                                      • Instruction ID: 6402ec8e47e860fd8fd12f861d34c86558428d32eeeae7b909b9d1c132786d36
                                                      • Opcode Fuzzy Hash: b7c448c6a1fb9114aafba6b0d16267dbc202f2804b4a444c376df820d5a9da16
                                                      • Instruction Fuzzy Hash: 2C8160327145924BFB18CF2AECD053BBB93FBCD344B19843ED64A97356C931A91987A0
                                                      APIs
                                                      • atoi.MSVCRT(?), ref: 1002182A
                                                        • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000052,?,75C25200), ref: 100126B0
                                                        • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126B9
                                                        • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 100126C7
                                                        • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126CA
                                                        • Part of subcall function 10012640: RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F,?), ref: 1001271E
                                                        • Part of subcall function 10012640: RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,ExA,?), ref: 10012751
                                                        • Part of subcall function 10012640: RegSetValueExA.KERNELBASE(?,?,00000000,?,?), ref: 10012773
                                                        • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                                                        • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                                                        • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                                                        • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                                                      • atoi.MSVCRT(?,80000002,?,?,00000004,?,00000000,00000000,00000000), ref: 10022298
                                                        • Part of subcall function 10012640: RegDeleteKeyA.ADVAPI32(?,?), ref: 1001279B
                                                      • Sleep.KERNEL32(000005DC), ref: 100222C3
                                                        • Part of subcall function 10012640: RegDeleteValueA.ADVAPI32(?,?), ref: 100127C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProcValue$#823Deleteatoi$OpenSleep
                                                      • String ID: $ $ $ $ $ $-$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$E$E$E$E$E$E$M$M$M$M$M$M$N$P$P$P$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$W$W$Y$Y$Y$Y$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$a$a$a$a$a$a$a$b$c$c$c$c$d$d$d$d$f$i$i$i$i$i$i$i$i$i$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$s$s$s$s$u$u$u$u$u$v$v$v$v$v$v$w$y
                                                      • API String ID: 1755616524-431623420
                                                      • Opcode ID: bb5bc13e24530c506057757fba7ee057590585419c2a25c150e3766fac485fbb
                                                      • Instruction ID: b7d153ca61f950d74ac5b9ed9a5235a71a203f5caac45e25c8abc04362815b5f
                                                      • Opcode Fuzzy Hash: bb5bc13e24530c506057757fba7ee057590585419c2a25c150e3766fac485fbb
                                                      • Instruction Fuzzy Hash: 57523B2154D7C0DDE332C6689859BDBBED21BB3709F48489D92DC1B283C2BA4658C77B
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • LoadLibraryA.KERNEL32 ref: 10018B09
                                                      • GetProcAddress.KERNEL32 ref: 10018BD5
                                                      • GetProcAddress.KERNEL32 ref: 10018E4C
                                                      • GetCurrentProcess.KERNEL32 ref: 10018EE3
                                                      • Sleep.KERNEL32(00000014), ref: 10018F35
                                                      • Sleep.KERNEL32(000003E8), ref: 10018FBC
                                                      • CloseHandle.KERNEL32(?), ref: 1001900F
                                                      • CloseHandle.KERNEL32(?), ref: 1001902C
                                                      • CloseHandle.KERNEL32(?), ref: 10019037
                                                      • CloseHandle.KERNEL32(?), ref: 10019045
                                                      • FreeLibrary.KERNEL32(00000000), ref: 1001904C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                                                      • String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y$#v
                                                      • API String ID: 2138834447-1455284159
                                                      • Opcode ID: d60e362cb3ea19bb9b918263f8a5cc7cbf0147f7071e98e4caf12c5e75ccddf2
                                                      • Instruction ID: 9f46a4fe2709f87d1547e335fc683e97650eff0903745346e8a720fc49d5be28
                                                      • Opcode Fuzzy Hash: d60e362cb3ea19bb9b918263f8a5cc7cbf0147f7071e98e4caf12c5e75ccddf2
                                                      • Instruction Fuzzy Hash: DC32926050D3C0C9E332C7688858BDBBFD66BA6748F08499DE1CC4B292C7BA5558C777
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 1000545C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005465
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005475
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005478
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 1000548B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000548E
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 100054A1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 100054B4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100054B7
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054C7
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100054CA
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054DD
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100054E0
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 100054F3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100054F6
                                                      • strchr.MSVCRT ref: 10005810
                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10005851
                                                      • wsprintfA.USER32 ref: 10005871
                                                      • #823.MFC42(00001000), ref: 100058CD
                                                      • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 10005A92
                                                      • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10005A98
                                                      • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10005A9E
                                                      • #825.MFC42(00000000), ref: 10005AD6
                                                        • Part of subcall function 100051B0: LoadLibraryA.KERNEL32 ref: 10005207
                                                        • Part of subcall function 100051B0: GetProcAddress.KERNEL32(00000000), ref: 1000520E
                                                        • Part of subcall function 100051B0: wsprintfA.USER32 ref: 10005277
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                                                      • String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                      • API String ID: 2391671045-4160613188
                                                      • Opcode ID: 5dd7f00943cd2c0a923effaf4c7da91811888f5d84e71c45dea34ae61a63ae2e
                                                      • Instruction ID: e9c7c0b327a0fb81a2237c4f4fcca35bddff45c7dcc2e83bc4e322a20fe25bf7
                                                      • Opcode Fuzzy Hash: 5dd7f00943cd2c0a923effaf4c7da91811888f5d84e71c45dea34ae61a63ae2e
                                                      • Instruction Fuzzy Hash: 52121E6150D7C0DEE322C7788858B9BBFD5AFE2748F48494DE1C847292C6BA9508C777
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32 ref: 10025C37
                                                      • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 10025C6C
                                                      • RegCloseKey.ADVAPI32(?), ref: 10025C77
                                                      • GetSystemInfo.KERNEL32(?), ref: 10025C85
                                                      • wsprintfA.USER32 ref: 10025CA8
                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 10025DE6
                                                      • RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,00000043), ref: 10025E30
                                                      • RegCloseKey.ADVAPI32(?), ref: 10025E63
                                                      • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 10025E9E
                                                      • GetTickCount.KERNEL32 ref: 10025EB4
                                                      • wsprintfA.USER32 ref: 10025EEC
                                                      • GetDC.USER32(00000000), ref: 10025EF3
                                                      • GetDeviceCaps.GDI32(00000000,00000075), ref: 10025F04
                                                      • GetDeviceCaps.GDI32(00000000,00000076), ref: 10025F0A
                                                      • wsprintfA.USER32 ref: 10025F1A
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 10025F22
                                                      • wsprintfA.USER32 ref: 10025F46
                                                      • wsprintfA.USER32 ref: 10025F68
                                                      • wsprintfA.USER32 ref: 10025F81
                                                      • GetCommandLineA.KERNEL32 ref: 10025F86
                                                      • wsprintfA.USER32 ref: 10025F9A
                                                      • GetUserNameA.ADVAPI32(?,?), ref: 10025FB4
                                                      • wsprintfA.USER32 ref: 10026045
                                                      • wsprintfA.USER32 ref: 1002605D
                                                      • FindWindowA.USER32(?,00000000), ref: 100260A7
                                                      • GetWindowTextA.USER32(00000000,?,00000104), ref: 100260E6
                                                      • GetWindow.USER32(00000000,00000002), ref: 100261A0
                                                      • GetClassNameA.USER32(00000000,?,00000104), ref: 100261B2
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 100261D3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wsprintf$NameWindow$CapsCloseDeviceOpenQueryValue$ClassCommandComputerCountFindGlobalInfoLineMemoryReleaseStatusSystemTextTickUser
                                                      • String ID: Fs$%d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                      • API String ID: 469327843-2520879492
                                                      • Opcode ID: 805ac10ab2f48204ccbece396feff7a8114c12c1c18ee338f2746b953305a60c
                                                      • Instruction ID: bb4ad010b7f8939bce9835b1ae977bb960c19676a9ca6088720af52a91a35842
                                                      • Opcode Fuzzy Hash: 805ac10ab2f48204ccbece396feff7a8114c12c1c18ee338f2746b953305a60c
                                                      • Instruction Fuzzy Hash: 1512B07050C7C19EE325C738C888B9BBFE5AB96304F44496CF6D84B282D7BA9508C767
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetVersionExA.KERNEL32 ref: 100192A9
                                                        • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F99,1001713F,?,?,?), ref: 100168E9
                                                        • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                                                        • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100192DE
                                                      • sprintf.MSVCRT ref: 100192F9
                                                      • Sleep.KERNEL32(?), ref: 10019315
                                                      • GetCurrentProcessId.KERNEL32(00000000), ref: 10019323
                                                      • WTSQuerySessionInformationA.WTSAPI32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001937D
                                                      • WTSFreeMemory.WTSAPI32(?,00000000,00000000,00000005,?,?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193A4
                                                      • AttachConsole.KERNEL32(?,?,00000000,00000000,00000005,?,?,?,?,?,?,?,00000000,00000000,00000005,?), ref: 100193DE
                                                      • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193E6
                                                      • AttachConsole.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193F0
                                                      • GetConsoleProcessList.KERNEL32(?,00000001,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019406
                                                      • #823.MFC42(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019417
                                                      • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1001942A
                                                      • GetCurrentProcessId.KERNEL32 ref: 10019435
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10019449
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 10019458
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001945F
                                                      • #825.MFC42(00000000), ref: 10019472
                                                      • FreeConsole.KERNEL32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019480
                                                      • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019488
                                                      • FreeConsole.KERNEL32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001948E
                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001949A
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100194F1
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100194F9
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019541
                                                      • OpenServiceA.ADVAPI32(00000000,Gwogwo Hxpgx,00000010,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019559
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019566
                                                      • StartServiceA.ADVAPI32(00000000,00000001,?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001957F
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019590
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019593
                                                      • CloseHandle.KERNEL32(00000000), ref: 100195AD
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100195CE
                                                      • CloseHandle.KERNEL32(00000000), ref: 100195D1
                                                      • ExitProcess.KERNEL32 ref: 100195D5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$Close$Process$ConsoleService$Free$LibraryOpenSleep$AddressAttachCurrentListLoadModuleProcTerminate$#823#825ExitFileInformationManagerMemoryNameQuerySessionStartVersionsprintf
                                                      • String ID: %s -acsi$-rsvc$.$.$2$2$3$3$A$A$A$C$D$G$Gwogwo Hxpgx$I$I$I$K$L$N$P$P$R$S$S$S$S$S$T$V$W$a$c$c$d$d$d$d$i$i$i$i$l$l$l$l$l$n$n$n$o$o$o$o$r$s$s$s$s$s$s$s$t$t$t$t$t$u$v$v
                                                      • API String ID: 309006072-2307843300
                                                      • Opcode ID: bebd94fb9d66cd2a6c9807ac9a59c28cf3e364d6deb180264265ee367210ff0a
                                                      • Instruction ID: 0d8a1c0337f729bf120780405ecb07af7d4cbcd350d0dad57c0dea9748ba42e3
                                                      • Opcode Fuzzy Hash: bebd94fb9d66cd2a6c9807ac9a59c28cf3e364d6deb180264265ee367210ff0a
                                                      • Instruction Fuzzy Hash: F2F1393050C3D19EE321CB688888B5BBFE5AB96744F14494CF5D84B292D7BAD548CBA3
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10004BD1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004BDA
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10004BE8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004BEB
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10004BFE
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004C01
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10004C14
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004C17
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10004C2A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004C2D
                                                      • strchr.MSVCRT ref: 10004F23
                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10004F60
                                                      • wsprintfA.USER32 ref: 10004F80
                                                      • #823.MFC42(00001000), ref: 10004FA7
                                                      • #825.MFC42(00000000), ref: 10004FF4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                      • String ID: $ $ $%s\%s$.$.$C$C$D$D$GetPrivateProfileSectionNamesA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                      • API String ID: 1413152188-1163569440
                                                      • Opcode ID: 60e1f5670d4e59d71ea06813ef95798d9fb06afead0f3a8e7a8b6fff4f9d3fc1
                                                      • Instruction ID: a25c4c4a05ef4dd6831a0854a8be96b0c0093fc050141028d973439405daab13
                                                      • Opcode Fuzzy Hash: 60e1f5670d4e59d71ea06813ef95798d9fb06afead0f3a8e7a8b6fff4f9d3fc1
                                                      • Instruction Fuzzy Hash: 55D1B22140D7C0DDE322C7788498B9BBFD65FA2748F08498DE1C84B293C6BA9658C777
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleLibraryLoadModuleProc
                                                      • String ID: .$.$.$.$:$A$AOr$C$E$F$H$I$I$I$I$I$I$I$O$O$R$T$U$W$a$a$a$a$at.$b$c$d$d$d$g$i$i$i$l$l$l$l$l$l$l$l$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$p$p$p$p$p$p$p$r$r$r$r$r$t$t$t$t$t$t$t$t$t$t$t$t$t$t
                                                      • API String ID: 310444273-3809768815
                                                      • Opcode ID: cef6d62206289f8bf9b5031ec186c6ee400cfaf22a9e10936f9cb7c11049f40b
                                                      • Instruction ID: 6684d99e4b667c4f25544f811cc3834124da222db8b82e260fb8c5d0abf0ecbc
                                                      • Opcode Fuzzy Hash: cef6d62206289f8bf9b5031ec186c6ee400cfaf22a9e10936f9cb7c11049f40b
                                                      • Instruction Fuzzy Hash: 80E1C42150D3C0CDE332C228984879FBFD65BA2648F48499DE5C84B292C7BA9658D777
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetVersionExA.KERNEL32(?), ref: 1001AC44
                                                        • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F99,1001713F,?,?,?), ref: 100168E9
                                                        • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                                                        • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001AC72
                                                      • sprintf.MSVCRT ref: 1001AC8D
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001ACD5
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001AD08
                                                      • FindWindowA.USER32(#32770,GINA Logon), ref: 1001AD32
                                                      • FindWindowA.USER32(#32770,1011A0D4), ref: 1001AD48
                                                      • Sleep.KERNEL32(0000012C), ref: 1001AD58
                                                      • FindWindowA.USER32(#32770,GINA Logon), ref: 1001AD64
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001ADAA
                                                      • ExitProcess.KERNEL32 ref: 1001ADC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                      • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$Gwogwo Hxpgx$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                      • API String ID: 2386940797-983557985
                                                      • Opcode ID: 442c612858c73173195389a4eddb957052e2e41f53ead77f4fe0cda57f213f98
                                                      • Instruction ID: 383084075018d47f515dd9277afaf8b904d7810295c520eab7b289dba0045448
                                                      • Opcode Fuzzy Hash: 442c612858c73173195389a4eddb957052e2e41f53ead77f4fe0cda57f213f98
                                                      • Instruction Fuzzy Hash: A9B1097040C3C0DEE312D7688848B5BBFE59BA6348F58494DF6C84B292D7BA9588C777
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • Sleep.KERNEL32(00000064,?,?,?,?,?), ref: 10018572
                                                      • malloc.MSVCRT ref: 100185A8
                                                      • free.MSVCRT ref: 100185DF
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 100185ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$AddressCloseLibraryLoadModuleProcSleepfreemalloc
                                                      • String ID: .$.$2$2$3$3$A$A$A$A$C$D$G$I$I$I$I$P$P$Q$S$S$S$S$S$T$T$T$T$T$U$V$W$W$a$d$d$d$d$d$f$g$i$i$i$i$i$k$k$l$l$l$l$m$n$n$n$n$n$n$n$o$o$o$o$o$o$o$r$r$r$r$r$s$s$t$t$t$t$u$v$y
                                                      • API String ID: 1468382267-2587082030
                                                      • Opcode ID: a3d7307fdc4262af2ae71d1e207a59b29c039eec11ffa01f7e7848866a66bb23
                                                      • Instruction ID: f8b4604172815dbbf924b76dd4a6860b725f790ca83e141a00bfd1a50c1d4dd8
                                                      • Opcode Fuzzy Hash: a3d7307fdc4262af2ae71d1e207a59b29c039eec11ffa01f7e7848866a66bb23
                                                      • Instruction Fuzzy Hash: 23C1AD6050C7C0DDE332C2388449B9BBFD55BA2748F48499DA2DC4A293C7FA9658CB77
                                                      APIs
                                                      • AttachConsole.KERNEL32(?), ref: 1000DB83
                                                      • Sleep.KERNEL32(0000000A), ref: 1000DB8B
                                                      • AttachConsole.KERNEL32(?), ref: 1000DB95
                                                      • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000DBA8
                                                      • #823.MFC42(00000000), ref: 1000DBB9
                                                      • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000DBC9
                                                      • GetCurrentProcessId.KERNEL32 ref: 1000DBD4
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000DBE8
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000DBF7
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000DBFE
                                                      • #825.MFC42(00000000), ref: 1000DC0E
                                                      • FreeConsole.KERNEL32 ref: 1000DC1C
                                                      • Sleep.KERNEL32(0000000A), ref: 1000DC24
                                                      • FreeConsole.KERNEL32 ref: 1000DC2A
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 1000DC36
                                                      • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,10119A58,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 1000DCD4
                                                      • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1000DD55
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 1000DD61
                                                      • OpenServiceA.ADVAPI32(00000000,Gwogwo Hxpgx,00010000), ref: 1000DD78
                                                      • DeleteService.ADVAPI32(00000000), ref: 1000DD8B
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DD92
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DD95
                                                      • GetSystemDirectoryA.KERNEL32 ref: 1000DE5A
                                                      • lstrcatA.KERNEL32(?,?), ref: 1000DE6F
                                                      • DeleteFileA.KERNEL32(?), ref: 1000DE7F
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000DEC4
                                                      • lstrcatA.KERNEL32(?,?), ref: 1000DED3
                                                      • DeleteFileA.KERNEL32(?), ref: 1000DEDD
                                                      • LocalFree.KERNEL32(?), ref: 1000DEE5
                                                      • free.MSVCRT ref: 1000DEF8
                                                      • free.MSVCRT ref: 1000DF01
                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1000DF18
                                                      • GetCurrentProcess.KERNEL32(00000000), ref: 1000DF23
                                                      • IsWow64Process.KERNEL32(00000000), ref: 1000DF2A
                                                      • DeleteFileA.KERNEL32(?), ref: 1000DFDA
                                                      • SetServiceStatus.ADVAPI32(?,10126020), ref: 1000DFF9
                                                      • ExitProcess.KERNEL32 ref: 1000E006
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                      • String ID: .$.$.sys$4dc4196b5e701ca70204bacb05351f42$Gwogwo Hxpgx$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                      • API String ID: 2905031204-2487465450
                                                      • Opcode ID: 10306450246df6fceb6d5fd868041334226ccbf54d86f33e6519ae88f31df8d4
                                                      • Instruction ID: f2d5719fd3c94805e88c604ff9d1f9d02ebb05236071693f561366e80b396905
                                                      • Opcode Fuzzy Hash: 10306450246df6fceb6d5fd868041334226ccbf54d86f33e6519ae88f31df8d4
                                                      • Instruction Fuzzy Hash: 8DD13734108391ABE310DB38CC84F9FBBE5EF84344F144A19FA8997295DBB5E944C766
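The uninstall routine above deletes the service key under \Registry\Machine\System\CurrentControlSet\Services\%S (SHDeleteKeyA on HKLM), calls DeleteService on "Gwogwo Hxpgx", and removes a .sys from the drivers directory, choosing \sysnative\drivers\ over \system32\drivers\ when IsWow64Process is true. The following hunting helper is an added example, not code from the Joe Sandbox report or from the sample: it parses a Windows .reg export of the Services key (a constructed sample is embedded) and flags services matching those artifacts, and reproduces the WOW64 path choice. Two assumptions are mine: that the string 4dc4196b5e701ca70204bacb05351f42, which the report lists beside ".sys", is the driver file name, and that a 32-hex-digit .sys name under \drivers\ is therefore worth flagging for any kernel-driver service (Type 1), not only the one named in the report.

```python
"""Hunting helper for the driver-service artifacts in the uninstall routine above.
Added example, not code from the Joe Sandbox report or the sample; see the lead-in
for what it assumes."""
import re

SERVICE_NAME = "Gwogwo Hxpgx"                     # OpenServiceA / DeleteService target above
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
HEX32_SYS = re.compile(r"^[0-9a-f]{32}\.sys$", re.I)   # assumed driver naming, see lead-in

def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash wraps long hex values)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def _decode_value(value):
    """Decode dword:, hex(2): (REG_EXPAND_SZ as UTF-16LE bytes) and quoted REG_SZ."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in value[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value                                   # other types: keep the raw text

def parse_reg_export(text):
    """Return {service: {value_name: value}} for direct children of the Services key."""
    services, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.lower().startswith(SERVICES_KEY.lower() + "\\"):
                rest = key[len(SERVICES_KEY) + 1:]
                if "\\" not in rest:               # skip subkeys such as Parameters
                    current = services.setdefault(rest, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip('"')] = _decode_value(value)
    return services

def driver_path(windir, driver_file, is_wow64):
    """The file the routine deletes after GetWindowsDirectoryA: under WOW64 it uses
    \\sysnative\\drivers\\ so a 32-bit process is not redirected to SysWOW64."""
    sub = "\\sysnative\\drivers\\" if is_wow64 else "\\system32\\drivers\\"
    return windir.rstrip("\\") + sub + driver_file

def find_indicators(services):
    """Flag the report's service name and any kernel driver (Type 1) whose .sys
    under ...\\drivers\\ has a 32-hex-digit file name (assumption, see lead-in)."""
    hits = []
    for name, values in services.items():
        image, reasons = str(values.get("ImagePath", "")), []
        if name == SERVICE_NAME:
            reasons.append("service name from the report")
        if (values.get("Type") == 1 and "\\drivers\\" in image.lower()
                and HEX32_SYS.match(image.rsplit("\\", 1)[-1])):
            reasons.append("kernel driver with a 32-hex-digit .sys name")
        if reasons:
            hits.append({"service": name, "image": image, "reasons": reasons})
    return hits

def _hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))

# Constructed sample export: a normal service, a legitimate driver, and the indicator.
_BITS = _hex2(r"%SystemRoot%\System32\svchost.exe -k netsvcs -p")
_BITS = _BITS[:37] + "\\\n  " + _BITS[37:]       # wrapped across lines like a real export
_DISK = _hex2(r"System32\drivers\disk.sys")
_GHOST = _hex2(r"\??\C:\Windows\system32\drivers\4dc4196b5e701ca70204bacb05351f42.sys")
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{SERVICES_KEY}\\BITS]
"Type"=dword:00000020
"ImagePath"={_BITS}

[{SERVICES_KEY}\\disk]
"Type"=dword:00000001
"ImagePath"={_DISK}

[{SERVICES_KEY}\\{SERVICE_NAME}]
"Type"=dword:00000001
"DisplayName"="{SERVICE_NAME}"
"ImagePath"={_GHOST}

[{SERVICES_KEY}\\{SERVICE_NAME}\\Parameters]
"Flag"=dword:00000001
"""

if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

On a live host the export comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; run the parser over that file instead of SAMPLE_REG. A hit on the name alone is a strong match for this sample, while the hex-name heuristic is only a lead and needs the driver's signature and hash checked before acting on it.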
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • LocalAlloc.KERNEL32(00000040,00000400), ref: 100205B6
                                                      • WTSEnumerateSessionsA.WTSAPI32 ref: 100205EB
                                                      • GetVersionExA.KERNEL32(?), ref: 10020603
                                                        • Part of subcall function 10020440: WTSQuerySessionInformationW.WTSAPI32 ref: 10020464
                                                        • Part of subcall function 10020400: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10020881,?,?,?), ref: 1002041F
                                                        • Part of subcall function 100204F0: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020510
                                                        • Part of subcall function 100204F0: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020530
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208B3
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208D5
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208E1
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208EA
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208F6
                                                      • LocalSize.KERNEL32(00000000), ref: 10020904
                                                      • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10020912
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020923
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020941
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020957
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002097F
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020995
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209B6
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209CC
                                                      • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209ED
                                                      • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 10020A50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                      • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                      • API String ID: 3275454331-1820797497
                                                      • Opcode ID: fa9b1362d51a891e5aa67abb4069f8c472a3376c900e0b1363beb883e3c3a62a
                                                      • Instruction ID: 473d89a8a620706a7e1dc6bb4a96d90b09cb1464d826f49f00a793c1ea81399f
                                                      • Opcode Fuzzy Hash: fa9b1362d51a891e5aa67abb4069f8c472a3376c900e0b1363beb883e3c3a62a
                                                      • Instruction Fuzzy Hash: E5E1063050C3C1CEE325CB28C494B9FBBE2AB96708F58495DF5C857252C7BA9509CB67
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • strrchr.MSVCRT ref: 1001A376
                                                      • DeleteUrlCacheEntry.WININET(?), ref: 1001A3C4
                                                        • Part of subcall function 10027400: GetFileAttributesA.KERNEL32(?,1001A3E6,?), ref: 10027405
                                                        • Part of subcall function 10027400: GetLastError.KERNEL32 ref: 10027410
                                                      • free.MSVCRT ref: 1001A3EE
                                                      • strrchr.MSVCRT ref: 1001A3FB
                                                      • _stricmp.MSVCRT(00000000,.bat), ref: 1001A40E
                                                      • free.MSVCRT ref: 1001A43E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: freestrrchr$AddressAttributesCacheDeleteEntryErrorFileHandleLastLibraryLoadModuleProc_stricmp
                                                      • String ID: .$.$.$.bat$2$2$3$3$A$A$E$E$E$E$F$H$K$L$L$L$L$M$N$N$O$P$R$R$T$T$a$a$c$d$d$d$d$e$e$e$e$e$e$h$i$m$n$p$t$t$u$w$x
                                                      • API String ID: 2380421641-2479118741
                                                      • Opcode ID: ee87ea3f4d77b4e628393a47c3542b82fada6d47b58a998bfb5d574fa0dfee24
                                                      • Instruction ID: a6303484c15a343b57759271ba5627d096c80b6721d22544dc32c5737b9dd4b9
                                                      • Opcode Fuzzy Hash: ee87ea3f4d77b4e628393a47c3542b82fada6d47b58a998bfb5d574fa0dfee24
                                                      • Instruction Fuzzy Hash: 7191476114C7C09EE352C238888879FBFD55BA2608F48099DF6D84B393C6BAC548C73B
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exec
                                                      • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                      • API String ID: 459137531-3041118241
                                                      • Opcode ID: 629be47fbcb081da40840767131ebefb143d2beefc4f156cf1384e374abc7d55
                                                      • Instruction ID: 9fb5809027c82ad1b4419236376a01b5f97328f6bcb48b4eb796f21288b7ede1
                                                      • Opcode Fuzzy Hash: 629be47fbcb081da40840767131ebefb143d2beefc4f156cf1384e374abc7d55
                                                      • Instruction Fuzzy Hash: 29510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA925CC777
                                                      APIs
                                                      • strstr.MSVCRT ref: 10011597
                                                      • strstr.MSVCRT ref: 100115AA
                                                      • strstr.MSVCRT ref: 100115BF
                                                      • strncpy.MSVCRT ref: 100115F9
                                                      • _itoa.MSVCRT ref: 1001163F
                                                      • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10011658
                                                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001167E
                                                      • InternetCloseHandle.WININET(00000000), ref: 1001168B
                                                      • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 100116BB
                                                      • InternetCloseHandle.WININET(00000000), ref: 100116CE
                                                      • InternetCloseHandle.WININET(00000000), ref: 100116D1
                                                      • sprintf.MSVCRT ref: 100116FC
                                                      • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10011734
                                                      • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10011750
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011761
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011764
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011767
                                                      • atol.MSVCRT ref: 10011780
                                                      • #823.MFC42(00000001,?,?), ref: 1001178E
                                                      • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 100117B6
                                                      • #825.MFC42(00000000), ref: 100117C1
                                                      • InternetCloseHandle.WININET(00000000), ref: 100117D0
                                                      • InternetCloseHandle.WININET(00000000), ref: 100117D3
                                                      • InternetCloseHandle.WININET(?), ref: 100117DA
                                                      • InternetCloseHandle.WININET(00000000), ref: 100117F2
                                                      • InternetCloseHandle.WININET(00000000), ref: 100117F5
                                                      • InternetCloseHandle.WININET(?), ref: 100117FC
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001180C
                                                      • #823.MFC42(00000002), ref: 10011819
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10011843
                                                      • #825.MFC42(00000000), ref: 1001184A
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10011861
                                                      • #823.MFC42(00000001), ref: 1001186D
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10011898
                                                      • #825.MFC42(00000000), ref: 1001189F
                                                      • #825.MFC42(00000000,00000000,00000000), ref: 100118AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                      • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                      • API String ID: 3684279964-3639289013
                                                      • Opcode ID: 8cd366d35a56cc67e953ceca93f10caae82da04eb858c4f707cbfba63977e83d
                                                      • Instruction ID: f41a4409aab42c67a4222de06bf1a9b6598beb96a592aff86d4465959b7fc557
                                                      • Opcode Fuzzy Hash: 8cd366d35a56cc67e953ceca93f10caae82da04eb858c4f707cbfba63977e83d
                                                      • Instruction Fuzzy Hash: EAD15376A002102BE314DB749C45FEB77E8EB88760F044629FA45A72C1EB75E90987A6
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                      • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                      • API String ID: 4197004350-898277365
                                                      • Opcode ID: 06c5343088ad0be74049b29a999acdc587aa91bbb7caf46546b28c9174a9f940
                                                      • Instruction ID: e2eeff473db2cc0a6c334e26801d82f8b95635e02a729b8633b668800f956786
                                                      • Opcode Fuzzy Hash: 06c5343088ad0be74049b29a999acdc587aa91bbb7caf46546b28c9174a9f940
                                                      • Instruction Fuzzy Hash: 5661586100C3C0DEE302C7688848B8BBFD59BA6348F08499DF5C857292C6BA925CC77B
                                                      APIs
                                                      • #535.MFC42(00000030,00000002,00000000,00000000), ref: 1000F433
                                                      • #540.MFC42 ref: 1000F444
                                                      • #540.MFC42 ref: 1000F452
                                                      • #6282.MFC42 ref: 1000F46E
                                                      • #6283.MFC42 ref: 1000F477
                                                      • #941.MFC42(100F54AC), ref: 1000F485
                                                      • #2784.MFC42(100F617C,100F54AC), ref: 1000F493
                                                      • #6662.MFC42(00000022,00000001,100F617C,100F54AC), ref: 1000F4BC
                                                      • #4278.MFC42(?,00000001,00000000,00000022,00000001,100F617C,100F54AC), ref: 1000F4DB
                                                      • #858.MFC42(00000000,?,00000001,00000000,00000022,00000001,100F617C,100F54AC), ref: 1000F4EA
                                                      • #4129.MFC42(?,00000000,100F617C,100F54AC), ref: 1000F5C8
                                                      • #858.MFC42(00000000,?,00000000,100F617C,100F54AC), ref: 1000F5D5
                                                      • #800.MFC42(00000000,?,00000000,100F617C,100F54AC), ref: 1000F5E2
                                                      • #535.MFC42(?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F5FF
                                                      • #858.MFC42(?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F612
                                                      • #6874.MFC42(0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F61D
                                                      • #6874.MFC42(0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F631
                                                      • #6874.MFC42(00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F645
                                                      • #800.MFC42(00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F652
                                                      • #858.MFC42(?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F681
                                                      • #858.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F68E
                                                      • #2614.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F697
                                                      • #2614.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6A0
                                                      • #5710.MFC42(100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6BD
                                                      • #858.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6CC
                                                      • #800.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6D9
                                                      • #6282.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6E2
                                                      • #2784.MFC42(100F617C,00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6F0
                                                      • #535.MFC42(?,100F617C,100F54AC), ref: 1000F718
                                                      • #858.MFC42(?,?,100F617C,100F54AC), ref: 1000F72B
                                                      • #6874.MFC42(0000002F,?,?,100F617C,100F54AC), ref: 1000F736
                                                      • #6874.MFC42(0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F74A
                                                      • #6874.MFC42(00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F75E
                                                      • #800.MFC42(00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F76B
                                                      • #858.MFC42(?,?,000000FF,00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F79A
                                                      • #858.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F7A7
                                                      • #800.MFC42(100F617C,100F54AC), ref: 1000F7BD
                                                      • #800.MFC42(100F617C,100F54AC), ref: 1000F7CB
                                                      • #800.MFC42(100F617C,100F54AC), ref: 1000F7DC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #858$#800$#6874$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                      • String ID: -
                                                      • API String ID: 3213762517-2547889144
                                                      • Opcode ID: 8acf3cb63babd9786aea4a7d3520a08386678d002cc51827b3737ca6d400d473
                                                      • Instruction ID: 2d3482710ad86b21f31d95882338d400fd67b2b2f7a2d5024396f9a694a1e96c
                                                      • Opcode Fuzzy Hash: 8acf3cb63babd9786aea4a7d3520a08386678d002cc51827b3737ca6d400d473
                                                      • Instruction Fuzzy Hash: 7BC1703910E381ABD344DF24D995AAFB7E4EF94780F80091CF99643292DB34FA09CB52
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32 ref: 1001D62B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D638
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1001D64C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D64F
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 1001D69B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D69E
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 1001D712
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D715
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 1001D725
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D728
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 1001D738
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D73B
                                                      • Sleep.KERNEL32(0000000A), ref: 1001D750
                                                      • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1001D770
                                                      • #823.MFC42 ref: 1001D781
                                                      • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1001D78F
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10125F08), ref: 1001D79E
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1001D7B5
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 1001D7C4
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001D7CB
                                                      • #825.MFC42(?), ref: 1001D7DB
                                                      • FreeConsole.KERNEL32 ref: 1001D7E9
                                                      • Sleep.KERNEL32(0000000A), ref: 1001D7F1
                                                      • FreeConsole.KERNEL32 ref: 1001D7F7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                      • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                      • API String ID: 708691324-3966567685
                                                      • Opcode ID: 053c5955f392c687bfd33b2469e7dd0ab56c0e0b56cc72b742401b93eab69fa6
                                                      • Instruction ID: 35777ab2d1f3cb90c61100db4c14cde2d1ae3a79af34cf3268925a4ae83cd207
                                                      • Opcode Fuzzy Hash: 053c5955f392c687bfd33b2469e7dd0ab56c0e0b56cc72b742401b93eab69fa6
                                                      • Instruction Fuzzy Hash: 2EA1B2715083949BD720EB78CC84B9F7FE9AF85740F14491EF5849B281CBB6E940CBA2
                                                      APIs
                                                      • strstr.MSVCRT ref: 10010F04
                                                      • strstr.MSVCRT ref: 10010F17
                                                      • strstr.MSVCRT ref: 10010F2C
                                                      • strncpy.MSVCRT ref: 10010F66
                                                      • _itoa.MSVCRT ref: 10010FAC
                                                      • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10010FC5
                                                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10010FEB
                                                      • InternetCloseHandle.WININET(00000000), ref: 10010FF8
                                                      • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10011028
                                                      • InternetCloseHandle.WININET(00000000), ref: 1001103B
                                                      • InternetCloseHandle.WININET(00000000), ref: 1001103E
                                                      • sprintf.MSVCRT ref: 10011069
                                                      • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100110A1
                                                      • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100110BD
                                                      • InternetCloseHandle.WININET(00000000), ref: 100110CE
                                                      • InternetCloseHandle.WININET(00000000), ref: 100110D1
                                                      • InternetCloseHandle.WININET(00000000), ref: 100110D4
                                                      • atol.MSVCRT ref: 100110ED
                                                      • #823.MFC42(00000001,?,?), ref: 100110FB
                                                      • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10011123
                                                      • #825.MFC42(00000000), ref: 1001112E
                                                      • InternetCloseHandle.WININET(00000000), ref: 1001113D
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011140
                                                      • InternetCloseHandle.WININET(?), ref: 10011147
                                                      • InternetCloseHandle.WININET(00000000), ref: 1001115F
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011162
                                                      • InternetCloseHandle.WININET(?), ref: 10011169
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10011179
                                                      • #823.MFC42(00000002), ref: 10011186
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100111B0
                                                      • #825.MFC42(00000000), ref: 100111B7
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100111CE
                                                      • #823.MFC42(00000001), ref: 100111DA
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10011205
                                                      • #825.MFC42(00000000), ref: 1001120C
                                                      • #825.MFC42(00000000,00000000,00000000), ref: 1001121A
                                                      Strings
                                                      • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10011063
                                                      • HTTP/1.1, xrefs: 1001101C
                                                      • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10010E9F
                                                      • , xrefs: 10010EF3
                                                      • p_skey, xrefs: 10010EED
                                                      • skey=, xrefs: 10010F11
                                                      • bkn=, xrefs: 10010F46
                                                      • /cgi-bin/qun_mgr/get_friend_list, xrefs: 10010ECB
                                                      • POST, xrefs: 10011022
                                                      • qun.qq.com, xrefs: 10010EAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                      • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                      • API String ID: 3684279964-1003693118
                                                      • Opcode ID: 834b28e6aada6ff7c4e253e65cc512ad6fcb83798260e4ca7b9d0c92cf3d06a5
                                                      • Instruction ID: 2a96d4639711e32a31fa216b1d1fa8d87fce2c50ca9985320045d7024461e085
                                                      • Opcode Fuzzy Hash: 834b28e6aada6ff7c4e253e65cc512ad6fcb83798260e4ca7b9d0c92cf3d06a5
                                                      • Instruction Fuzzy Hash: D1A149766403147BE324DB748C45FEB77D9EB88720F108A29FA55E73C0EAB4E90487A5
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 1000D67C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000D685
                                                      • LoadLibraryA.KERNEL32(?,.23L), ref: 1000D6CC
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000D6CF
                                                      • GetTickCount.KERNEL32 ref: 1000D736
                                                      • sprintf.MSVCRT ref: 1000D747
                                                      • GetTickCount.KERNEL32 ref: 1000D776
                                                      • sprintf.MSVCRT ref: 1000D787
                                                      • lstrcatA.KERNEL32(?,?), ref: 1000D79D
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000D803
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000D80A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                      • String ID: .23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$g$h$i$igulP$l$l$l$l$m$p$r$s$t$t$t$u
                                                      • API String ID: 3729143920-1982144353
                                                      • Opcode ID: 8500295940ee5713c979f938623f7523479d27b1662c309ef609c6efbb48d7eb
                                                      • Instruction ID: 3b86f45124331e69cc26e3988c22d688a9d6c29007d44fd87142ae4bdaf882f7
                                                      • Opcode Fuzzy Hash: 8500295940ee5713c979f938623f7523479d27b1662c309ef609c6efbb48d7eb
                                                      • Instruction Fuzzy Hash: 1A816C3110C3C0D9E311C7689888B9FBFD59BA2318F484A5EF6D4462C2D6BA964CC7B7
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 10007C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                      • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$r$r$r$s$t$t$v$w$w
                                                      • API String ID: 357481036-603278164
                                                      • Opcode ID: c188341969660364ba6951a74f12629230a2fc8208b02874f3d6a9ac50d9f993
                                                      • Instruction ID: f7bf75286afe3d8a42186a9b67d0cbdd36214184b2124f2163c9c57e140b2506
                                                      • Opcode Fuzzy Hash: c188341969660364ba6951a74f12629230a2fc8208b02874f3d6a9ac50d9f993
                                                      • Instruction Fuzzy Hash: 18A1406050C3C0D9F352C6388458B1FBFD6ABA6688F48599DF5C84B287C6BE8608C377
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 1001DB16
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001DB23
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 1001DB31
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001DB38
                                                      • Sleep.KERNEL32(0000000A), ref: 1001DB87
                                                      • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1001DBA7
                                                      • #823.MFC42 ref: 1001DBB8
                                                      • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1001DBC6
                                                      • GetCurrentProcessId.KERNEL32 ref: 1001DBD5
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1001DBEC
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 1001DBFB
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001DC02
                                                      • #825.MFC42(?), ref: 1001DC20
                                                      • FreeConsole.KERNEL32 ref: 1001DC2E
                                                      • Sleep.KERNEL32(0000000A), ref: 1001DC36
                                                      • FreeConsole.KERNEL32 ref: 1001DC3C
                                                        • Part of subcall function 1000E580: SetEvent.KERNEL32(?,10001B2B), ref: 1000E584
                                                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1001DDAF
                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 1001DDF9
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1001DE1D
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001DE28
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                      • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                      • API String ID: 1461520672-3309419308
                                                      • Opcode ID: f84956a07df247edf311c5799ddc4baa807eb2fe50a1dd6d086526cbde69518a
                                                      • Instruction ID: 0fdc0c3ac0505846a588ed27590c7b3002cafbec8b63b1e70fb61ff4190d5a07
                                                      • Opcode Fuzzy Hash: f84956a07df247edf311c5799ddc4baa807eb2fe50a1dd6d086526cbde69518a
                                                      • Instruction Fuzzy Hash: 38A13775600315ABE710FB64DC85FDB7BD8EB84390F004A2AFD419B290DB75E889CBA1
                                                      APIs
                                                      • InternetOpenA.WININET ref: 100112AF
                                                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100112D5
                                                      • InternetCloseHandle.WININET(00000000), ref: 100112E2
                                                      • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10011312
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011325
                                                      • InternetCloseHandle.WININET(00000000), ref: 10011328
                                                      Strings
                                                      • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001134D
                                                      • HTTP/1.1, xrefs: 10011306
                                                      • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001124F
                                                      • /cgi-bin/qun_mgr/search_group_members, xrefs: 10011278
                                                      • , xrefs: 1001129C
                                                      • POST, xrefs: 1001130C
                                                      • qun.qq.com, xrefs: 10011258
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                      • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                      • API String ID: 3078302290-2376693140
                                                      • Opcode ID: bd9fa302bee900862bf426a8875ed0a3dbf66317b0aa3280b1abee7e86b53b1e
                                                      • Instruction ID: 4ad5aca93e34474c20f29cdb4eae83b40ac075edd08c27d1a8f8fa6645732482
                                                      • Opcode Fuzzy Hash: bd9fa302bee900862bf426a8875ed0a3dbf66317b0aa3280b1abee7e86b53b1e
                                                      • Instruction Fuzzy Hash: 817127767403147BE324EB749C45FAB77DDEB88720F14862AFA45E62C0DAB4A90487A1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 100278EF
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100278F8
                                                      • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 10027926
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027929
                                                      • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 10027939
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1002793C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                      • API String ID: 2574300362-3884860928
                                                      • Opcode ID: 72df75db54b9a77fcfe174f2d85735a4464157dcb5abd64b8a117bbe19bb2df2
                                                      • Instruction ID: d0ff9ba2e5253897007b568e1ccb8589c5b64692a4ff212bc6d8c30fb0664a4e
                                                      • Opcode Fuzzy Hash: 72df75db54b9a77fcfe174f2d85735a4464157dcb5abd64b8a117bbe19bb2df2
                                                      • Instruction Fuzzy Hash: 1051707120C384AEE311DB789C84B9FBFD8DBD5258F844A1DF28897281C679D648C767
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • GetVersionExA.KERNEL32(?), ref: 1001A95B
                                                        • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F99,1001713F,?,?,?), ref: 100168E9
                                                        • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                                                        • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                                                      • ExitProcess.KERNEL32 ref: 1001A9F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressLoadProc$ExitFreeHandleModuleProcessVersion
                                                      • String ID: .$.$2$2$3$3$D$I$L$P$S$S$S$S$V$a$c$d$d$e$e$e$e$e$i$l$l$l$l$n$r$s$u$v$v
                                                      • API String ID: 1234256494-3470857448
                                                      • Opcode ID: dc3349114cab900db3be2e7e38a4a6d43859a588f9e1454eaa359d57b4cf2be3
                                                      • Instruction ID: 0d6082d801bb7822d17bac24007c9f5b2c27eee5289ee2a0827e1010335011dc
                                                      • Opcode Fuzzy Hash: dc3349114cab900db3be2e7e38a4a6d43859a588f9e1454eaa359d57b4cf2be3
                                                      • Instruction Fuzzy Hash: 2F51EA6140C3C1DDE312C6688898B5FBFD59BE6748F48499DF1C84B282D2BAC658C777
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100120F7
                                                      • #823.MFC42(?), ref: 10012123
                                                      • #823.MFC42(73252073), ref: 1001217D
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000104), ref: 1001226B
                                                      • RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000104,?,00001F99), ref: 100122D4
                                                      • strncat.MSVCRT ref: 10012309
                                                      • strncat.MSVCRT ref: 1001231C
                                                      • strchr.MSVCRT ref: 10012321
                                                      • RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000004,?,?,?,?), ref: 1001236B
                                                      • wsprintfA.USER32 ref: 10012389
                                                      • RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100123BB
                                                      • RegEnumKeyExA.ADVAPI32(?,75C395E0,?,00000104,00000000,00000000,00000000,00000000), ref: 1001240E
                                                      • wsprintfA.USER32 ref: 1001242F
                                                      • RegEnumValueA.ADVAPI32(?,75C395E2,?,00000020,00000000,?,?,00000104), ref: 100124E0
                                                      • wsprintfA.USER32(?,?,?,REG_SZ,?), ref: 1001251D
                                                      • wsprintfA.USER32(?,?,?,REG_EXPAND_SZ,?), ref: 1001253F
                                                      • wsprintfA.USER32(?,'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n',',?,REG_DWORD,?,?), ref: 10012569
                                                      • wsprintfA.USER32(?,?,?,REG_BINARY), ref: 1001258B
                                                      • lstrcatA.KERNEL32(?,?), ref: 1001259B
                                                      • #825.MFC42(?), ref: 100125C7
                                                      • #825.MFC42(00000001,?), ref: 100125D0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wsprintf$Value$Query$#823#825Enumstrncat$AddressLibraryLoadProclstrcatstrchr
                                                      • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                      • API String ID: 1793144691-2764046103
                                                      • Opcode ID: b80f459a7f35ef880510022212f48df7bf583857994cb6187f93a0e29b96c2d7
                                                      • Instruction ID: 6e1f4b84cb619d63e8fe981d9e852213dff8859bb30e1cffc45be7c0d31010ac
                                                      • Opcode Fuzzy Hash: b80f459a7f35ef880510022212f48df7bf583857994cb6187f93a0e29b96c2d7
                                                      • Instruction Fuzzy Hash: 1AE1E8B5900558ABDB14CFA4CC94ADEB7B9FF88310F10429DF519A7290DB71AE85CF50
                                                      APIs
                                                      • AttachConsole.KERNEL32(?), ref: 1000D8C3
                                                      • Sleep.KERNEL32(0000000A), ref: 1000D8CB
                                                      • AttachConsole.KERNEL32(?), ref: 1000D8D5
                                                      • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000D8E8
                                                      • #823.MFC42(00000000), ref: 1000D8F9
                                                      • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000D909
                                                      • GetCurrentProcessId.KERNEL32 ref: 1000D914
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000D928
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000D937
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000D93E
                                                      • #825.MFC42(00000000), ref: 1000D94E
                                                      • FreeConsole.KERNEL32 ref: 1000D95C
                                                      • Sleep.KERNEL32(0000000A), ref: 1000D964
                                                      • FreeConsole.KERNEL32 ref: 1000D96A
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 1000D976
                                                      • CloseHandle.KERNEL32(?), ref: 1000D9D8
                                                      • CloseHandle.KERNEL32(?), ref: 1000D9E0
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1000DA01
                                                      • OpenServiceA.ADVAPI32(00000000,Gwogwo Hxpgx,00000010), ref: 1000DA15
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DA22
                                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000DA36
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DA47
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DA4A
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000DA55
                                                      • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000DA94
                                                      • CreateProcessA.KERNEL32(00000000,00000000), ref: 1000DA9D
                                                      • CloseHandle.KERNEL32(?), ref: 1000DAAC
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 1000DAC4
                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000DB32
                                                      • CloseHandle.KERNEL32(?), ref: 1000DB45
                                                      • CloseHandle.KERNEL32(?), ref: 1000DB4C
                                                      • ExitProcess.KERNEL32 ref: 1000DB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandle$Process$ConsoleService$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                      • String ID: -inst$D$Gwogwo Hxpgx
                                                      • API String ID: 4235677823-2500525881
                                                      • Opcode ID: fca86d0ea5ff4f934777a8043b9430515fb0c33e408446140a424fd3d66faa97
                                                      • Instruction ID: 67f7a363069772d3fa21c1ae02a59748374d6809d3261c43ad81f48562521719
                                                      • Opcode Fuzzy Hash: fca86d0ea5ff4f934777a8043b9430515fb0c33e408446140a424fd3d66faa97
                                                      • Instruction Fuzzy Hash: E0819375604321AFE700EB28CC85BAE7BE9EF84790F11891AF94597294DB74E841CBA1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                      • LoadLibraryA.KERNEL32 ref: 10001792
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                      • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                      • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                      • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                      • API String ID: 2574300362-3155383694
                                                      • Opcode ID: 54035a306bc455f23417f1d514db26f36071f5d7ff2e4b13f3130c1cef3d81cf
                                                      • Instruction ID: 13c6fadc6fc6de4963117757f067def7adb7781f5d41049c58ce33d0f32d84e0
                                                      • Opcode Fuzzy Hash: 54035a306bc455f23417f1d514db26f36071f5d7ff2e4b13f3130c1cef3d81cf
                                                      • Instruction Fuzzy Hash: D041BE6050C384AAE310DB758C48B8BBFD8EFD5758F444A1DF68497281DABAD608CB67
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001B3BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                      • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                      • API String ID: 1380958172-3142711299
                                                      • Opcode ID: 21583695aab97b59dc2da0f4581df6c348da833e472b1a552ddf1e6033f920b0
                                                      • Instruction ID: a868e874d23b2159b369d60bd78af4235ee83f98fe54d068fe945bb826491e5b
                                                      • Opcode Fuzzy Hash: 21583695aab97b59dc2da0f4581df6c348da833e472b1a552ddf1e6033f920b0
                                                      • Instruction Fuzzy Hash: 1F712B6014C3C0DDE342C6A8888875FFFD55BA2748F48099DF2C85B292C2FA9558C77B
                                                      APIs
                                                      • CoInitialize.OLE32 ref: 10026693
                                                      • CoCreateInstance.OLE32(100B3894,00000000,00000001,100B38B4,?), ref: 100266AC
                                                      • LocalAlloc.KERNEL32(00000040,00002710), ref: 100266BB
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10026752
                                                      • #823.MFC42(00000000), ref: 10026765
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10026780
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002679D
                                                      • #823.MFC42(00000000), ref: 100267AD
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100267C8
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 100267D6
                                                      • wsprintfA.USER32 ref: 10026826
                                                      • lstrlenA.KERNEL32(00000000), ref: 10026830
                                                      • lstrlenA.KERNEL32(?), ref: 10026839
                                                      • lstrlenA.KERNEL32(?), ref: 10026842
                                                      • LocalSize.KERNEL32(?), ref: 10026854
                                                      • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10026862
                                                      • lstrlenA.KERNEL32(?), ref: 10026871
                                                      • lstrlenA.KERNEL32(?), ref: 10026898
                                                      • lstrlenA.KERNEL32(00000000), ref: 100268A7
                                                      • lstrlenA.KERNEL32(00000000), ref: 100268C3
                                                      • lstrlenA.KERNEL32(?), ref: 100268D6
                                                      • lstrlenA.KERNEL32(?), ref: 100268F4
                                                      • #825.MFC42(00000000), ref: 10026915
                                                      • #825.MFC42(?), ref: 10026934
                                                      • CoUninitialize.OLE32 ref: 10026969
                                                      • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10026977
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                                                      • String ID: %d-%d-%d %d:%d:%d
                                                      • API String ID: 1491319390-2068262593
                                                      • Opcode ID: 7ed334581e13f78fb49acbd591281340d2f6404bd03b892269f2411400cdfcea
                                                      • Instruction ID: 2585ae8bd131340c97572d7615d770b0d002d09b44d3df47a7e5f1b242e6799b
                                                      • Opcode Fuzzy Hash: 7ed334581e13f78fb49acbd591281340d2f6404bd03b892269f2411400cdfcea
                                                      • Instruction Fuzzy Hash: E1919371204302AFE314CF24DC85F6BB7E9EBC8B10F548A2CFA5597390DA74E9098B56
                                                      APIs
                                                        • Part of subcall function 1000E390: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F99,1001A69F,?,00000000,00001F99), ref: 1000E3B0
                                                        • Part of subcall function 1000E390: GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                                                      • LoadLibraryA.KERNEL32 ref: 1001D23C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D245
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 1001D255
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D258
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 1001D268
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D26B
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 1001D27B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D27E
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 1001D28E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D291
                                                      • WaitForInputIdle.USER32(00000000,000000FF), ref: 1001D466
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$IdleInputWait
                                                      • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$d$n$o$s
                                                      • API String ID: 2019908028-2710123323
                                                      • Opcode ID: 398de6a9a246124730f9f97313e10ce8374521fbbd3ae929985d5ed2c7fafb31
                                                      • Instruction ID: 9f6d8f11a929b764d91f568a8260bfe8586987121c3337f2e1d97e3d4e61c701
                                                      • Opcode Fuzzy Hash: 398de6a9a246124730f9f97313e10ce8374521fbbd3ae929985d5ed2c7fafb31
                                                      • Instruction Fuzzy Hash: 46C18971608384AFD310EF24C880B8BBBE5EFC9744F10891EF6889B291D775E944CB96
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(10126498), ref: 1001F18C
                                                      • LeaveCriticalSection.KERNEL32(10126498), ref: 1001F1A4
                                                      • malloc.MSVCRT ref: 1001F1BD
                                                      • malloc.MSVCRT ref: 1001F1C6
                                                      • malloc.MSVCRT ref: 1001F1CF
                                                      • recv.WS2_32 ref: 1001F236
                                                      • send.WS2_32 ref: 1001F2B6
                                                      • getpeername.WS2_32(?,?,?), ref: 1001F2E5
                                                      • inet_addr.WS2_32(00000000), ref: 1001F2F2
                                                      • inet_addr.WS2_32(00000000), ref: 1001F30C
                                                      • htons.WS2_32(?), ref: 1001F317
                                                      • send.WS2_32 ref: 1001F359
                                                      • CreateThread.KERNEL32(00000000,00000000,1001F710,?,00000000,?), ref: 1001F398
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001F3A9
                                                        • Part of subcall function 1001EF40: htons.WS2_32 ref: 1001EF63
                                                        • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF79
                                                        • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF97
                                                        • Part of subcall function 1001EF40: socket.WS2_32(00000002,00000001,00000006), ref: 1001EFA3
                                                        • Part of subcall function 1001EF40: setsockopt.WS2_32 ref: 1001EFCE
                                                        • Part of subcall function 1001EF40: connect.WS2_32(?,?,00000010), ref: 1001EFDE
                                                        • Part of subcall function 1001EF40: closesocket.WS2_32 ref: 1001EFEC
                                                      • send.WS2_32(?,?,00000008,00000000), ref: 1001F3FA
                                                      • CreateThread.KERNEL32(00000000,00000000,1001F950,?,00000000,?), ref: 1001F427
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 1001F434
                                                        • Part of subcall function 1001ED30: gethostbyname.WS2_32(?), ref: 1001ED35
                                                      • closesocket.WS2_32(00000000), ref: 1001F443
                                                      • closesocket.WS2_32(?), ref: 1001F449
                                                      • free.MSVCRT ref: 1001F452
                                                      • free.MSVCRT ref: 1001F455
                                                      • free.MSVCRT ref: 1001F45C
                                                      • free.MSVCRT ref: 1001F45F
                                                        • Part of subcall function 1001E8C0: EnterCriticalSection.KERNEL32(10126498), ref: 1001E8EA
                                                        • Part of subcall function 1001E8C0: LeaveCriticalSection.KERNEL32(10126498), ref: 1001E900
                                                        • Part of subcall function 1001E8C0: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 1001E99C
                                                        • Part of subcall function 1001E8C0: CreateThread.KERNEL32(00000000,00000000,1001F950,?,00000000,?), ref: 1001EA47
                                                        • Part of subcall function 1001E8C0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 1001EA54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                      • String ID: [
                                                      • API String ID: 3942976521-784033777
                                                      • Opcode ID: af2f3a6755e4dd54eba74b6d812a398b91a693528deb826b729d090648f3ac60
                                                      • Instruction ID: 78c909b6e9883a692a89872d42e63ff08bd18c564b2496e608a0bf91c473c944
                                                      • Opcode Fuzzy Hash: af2f3a6755e4dd54eba74b6d812a398b91a693528deb826b729d090648f3ac60
                                                      • Instruction Fuzzy Hash: A481D275908340AFE310DB24CC84B6BBBE8EFD8754F208A1DF99587390E775E8458B62
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7622F550), ref: 100015B9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7622F550), ref: 100015D2
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7622F550), ref: 100015E5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7622F550), ref: 100015F8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7622F550), ref: 10001609
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7622F550), ref: 1000161C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7622F550), ref: 1000162F
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                      • API String ID: 2574300362-1356117283
                                                      • Opcode ID: 53f8f97ecea0f07707f0ce813dd369aed999d2d9eb66686662b6088bc8cd252f
                                                      • Instruction ID: 6df2d328ee56342332754b68cf572232ace2e14c1bc22b0122cb6f865c4340fb
                                                      • Opcode Fuzzy Hash: 53f8f97ecea0f07707f0ce813dd369aed999d2d9eb66686662b6088bc8cd252f
                                                      • Instruction Fuzzy Hash: 244150B1900308ABDB10EF759C88E9BBBA8FF88351F11495AFB449B205D776E505CFA1
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                      • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                      • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Global$AllocFreeLock
                                                      • String ID:
                                                      • API String ID: 1811133220-0
                                                      • Opcode ID: c70d963ceb7205a77e7b039621d8b6287a5f299361663ae9f1a594045dc5f360
                                                      • Instruction ID: 2963b7c595fe6703442901b184946e2e633142f8b2496e550674c782d1ab8e5e
                                                      • Opcode Fuzzy Hash: c70d963ceb7205a77e7b039621d8b6287a5f299361663ae9f1a594045dc5f360
                                                      • Instruction Fuzzy Hash: 6E71A276610301ABD314CF60CC8AF96B3B4FF54714F669604EA04AB2B1E3B5E509C76A
                                                      APIs
                                                      • GetWindowLongA.USER32(?,000000EB), ref: 10002358
                                                      • PostQuitMessage.USER32(00000000), ref: 10002389
                                                      • SetWindowLongA.USER32(?,000000EB,?), ref: 100023AC
                                                      • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B6
                                                      • LoadIconA.USER32(00000000), ref: 100023BD
                                                      • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C7
                                                      • DestroyWindow.USER32(?), ref: 100023EE
                                                      Strings
                                                      • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 100024F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                      • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                      • API String ID: 3894596752-2160474225
                                                      • Opcode ID: c6ef11715ce3834cbf7b63564787257b2ac56eb4a1fe9dc3c93563d08b9826fd
                                                      • Instruction ID: ac77f1b25a34f61bdfd576b2c1d92d54315cfb2c758991c1eb945010c81a4bc8
                                                      • Opcode Fuzzy Hash: c6ef11715ce3834cbf7b63564787257b2ac56eb4a1fe9dc3c93563d08b9826fd
                                                      • Instruction Fuzzy Hash: B051D3766043116BF320D728DC89FFB739CFB84311F508A39FA46D21C1DA7DA6458661
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseDeleteOpenstrncmpwsprintf
                                                      • String ID: 00000$00000%s$D$S$S$U$a$e$i$m$n$n$o$o$r$t$u
                                                      • API String ID: 3243141281-189977666
                                                      • Opcode ID: 82d64efb8bd3c0169095f34cab8c79fbb69e2b2c6739765b8e04520f52e22601
                                                      • Instruction ID: e6bae5c4d6058b7237b7c4b99d682e7c1299bf716e5efd4840c56e2be42a815b
                                                      • Opcode Fuzzy Hash: 82d64efb8bd3c0169095f34cab8c79fbb69e2b2c6739765b8e04520f52e22601
                                                      • Instruction Fuzzy Hash: B2316B2500D3C0AED302C7388888B9FBFD15FA6248F485A9DF4D857292D2A5C658C777
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32 ref: 100162FD
                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 1001631E
                                                      • RegCloseKey.ADVAPI32(?), ref: 10016329
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: 0$C$C$H$N$O$P$P$T$W$a$c$l$m$n$o$o$y
                                                      • API String ID: 3677997916-1107408310
                                                      • Opcode ID: cc1f3afda5f25d5d5c6910a2eca2037ded0ff48e43e832b6a259963ce7b7dd9c
                                                      • Instruction ID: 2d7e6642d5d34e9925561298202e2e9c56bbddca8206934248b48eaff07bd9b0
                                                      • Opcode Fuzzy Hash: cc1f3afda5f25d5d5c6910a2eca2037ded0ff48e43e832b6a259963ce7b7dd9c
                                                      • Instruction Fuzzy Hash: 2651053110E3C19ED322CB78949479FBFE15BE6244F08499DF2D947392C2A6864CC7A7
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 10004A9C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004AA5
                                                      • LoadLibraryA.KERNEL32 ref: 10004AF6
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004AF9
                                                      • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10004B07
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10004B0A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                      • API String ID: 2574300362-2447002180
                                                      • Opcode ID: 2b9d9150bdc193e683fcd63b9b1be8d0578ab2ff089e745188d042a326528f4d
                                                      • Instruction ID: b94883c055996bb45d722ebe750fc7f75842dd935221d1a49c9a8d998b74639a
                                                      • Opcode Fuzzy Hash: 2b9d9150bdc193e683fcd63b9b1be8d0578ab2ff089e745188d042a326528f4d
                                                      • Instruction Fuzzy Hash: 2031C272108385AED340DBA8DC44AAFBFD8EFD5255F040A5EF68487141D769D60C8BA3
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • Sleep.KERNEL32(?), ref: 10018777
                                                      • GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 1001877D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressCurrentHandleLibraryLoadModuleProcProcessSleep
                                                      • String ID: .$2$3$K$L$N$P$R$W$c$d$g$k$n$r$r$t$t$z
                                                      • API String ID: 2634094405-2686203248
                                                      • Opcode ID: e5c070dabb9814ca0299c0816af8263300361d6bc12fe2894b49ad7e736bf595
                                                      • Instruction ID: 93f6354b3e455c9359d04b7e0602711e8d407314bd373b2f7964dfcac6467bbe
                                                      • Opcode Fuzzy Hash: e5c070dabb9814ca0299c0816af8263300361d6bc12fe2894b49ad7e736bf595
                                                      • Instruction Fuzzy Hash: 8A31A01500E3C1DDE342CA28848474FBFD51BB6648F485A8DF0D81B393C2AA865CC77B
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100101E2
                                                      • GetProcAddress.KERNEL32(00000000,socket), ref: 100101F6
                                                      • GetProcAddress.KERNEL32(00000000,recv), ref: 10010202
                                                      • GetProcAddress.KERNEL32(00000000,connect), ref: 1001020E
                                                      • GetProcAddress.KERNEL32(00000000,getsockname), ref: 1001021A
                                                      • GetProcAddress.KERNEL32(00000000,select), ref: 10010226
                                                      • GetLastError.KERNEL32(00000000), ref: 10010243
                                                      • GetLastError.KERNEL32(00000000), ref: 10010293
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$ErrorLast$LibraryLoad
                                                      • String ID: %$connect$getsockname$recv$select$socket$ws2_32.dll$#v
                                                      • API String ID: 1969025732-831182410
                                                      • Opcode ID: 34d701f7f83a1233487097c4504d55a1e41bd25d118b03ef6462f042e1a6fca9
                                                      • Instruction ID: feb9a907931d40a3a4d0135a168c2ecf67b2f2631b1eac8dea27b7dabfe89221
                                                      • Opcode Fuzzy Hash: 34d701f7f83a1233487097c4504d55a1e41bd25d118b03ef6462f042e1a6fca9
                                                      • Instruction Fuzzy Hash: 95716B756083419FD300DF64C888AABBBE8FFC8354F108A2DFA9997290D7B5D945CB52
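Several of the function records in this section show the same pattern: the connect-back socket loop near the top (socket, setsockopt, connect, send, recv, getpeername), the WINMM resolver that looks up waveInOpen/waveInStart/waveInAddBuffer by name, the RegOpenKeyExA/RegQueryValueExA reader, and the ws2_32.dll resolver just above. In the last two resolver functions the interesting APIs are never *called* from the listed function; they only appear as string arguments to LoadLibraryA/GetProcAddress, so a triage rule that keys on call names alone reports "dynamic API resolution" and misses the audio-capture and network capability behind it. The helper below is an added example (not part of the report or of Joe Sandbox) that parses the `• api.MODULE(args), ref: addr` bullets into per-function records and counts both called APIs and names resolved by string as evidence. The capability rules and thresholds are this example's own choice, and the sample input is a constructed excerpt of bullets copied from the listings above.

```python
"""Triage helper for the per-function 'APIs' listings in this report.
Added example, not part of the report or of Joe Sandbox.  Parses the
bullets into per-function API sets and flags capabilities, counting names
resolved by string (GetProcAddress arguments) as well as called APIs."""
import re

# One bullet of the listing; the three shapes seen in the report are
#   • recv.WS2_32 ref: 1001F236
#   • getpeername.WS2_32(?,?,?), ref: 1001F2E5
#   • Part of subcall function 1001EF40: socket.WS2_32(...), ref: 1001EFA3
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Identifier-looking argument tokens (e.g. waveInOpen).  Hex constants such
# as 00000000 or 7622F550 start with a digit and are excluded on purpose.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
DLL = re.compile(r"^\w+\.dll$", re.IGNORECASE)
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetProcAddress"}

# Capability rules: (indicator names, minimum distinct hits).  Thresholds are
# this example's own choice, not a Joe Sandbox signature.
RULES = {
    "dynamic_api_resolution": ({"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}, 2),
    "audio_capture": ({"waveInOpen", "waveInStart", "waveInAddBuffer",
                       "waveInPrepareHeader", "waveInGetNumDevs"}, 2),
    "network_client": ({"socket", "connect", "send", "recv", "gethostbyname",
                        "getpeername", "setsockopt", "closesocket"}, 3),
    "registry_read": ({"RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"}, 2),
}


def parse_listing(text):
    """Split report text into function records, one per 'APIs' header."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"called": [], "subcalls": set(), "resolved": set(), "modules": set()}
            funcs.append(cur)
            continue
        m = API_LINE.match(line) if cur is not None else None
        if not m:
            continue                      # Strings / Memory Dump Source / hashes
        api, args = m.group("api"), m.group("args") or ""
        if m.group("sub"):
            cur["subcalls"].add(api)
        else:
            cur["called"].append(api)     # report order is address order
        if api in RESOLVERS:              # names handed to the resolver as strings
            for tok in (t.strip() for t in args.split(",")):
                if DLL.match(tok):
                    cur["modules"].add(tok.lower())
                elif IDENT.match(tok):
                    cur["resolved"].add(tok)
    return funcs


def _match(evidence):
    return sorted(n for n, (inds, k) in RULES.items() if len(evidence & inds) >= k)


def classify(func):
    """Capabilities with resolved-by-string names counted as evidence."""
    return _match(set(func["called"]) | func["subcalls"] | func["resolved"])


def classify_called_only(func):
    """Naive variant: call names only.  Misses what hides behind GetProcAddress."""
    return _match(set(func["called"]) | func["subcalls"])


def triage(text):
    return [{"index": i, "sequence": f["called"], "modules": sorted(f["modules"]),
             "resolved": sorted(f["resolved"]), "capabilities": classify(f),
             "called_only": classify_called_only(f)}
            for i, f in enumerate(parse_listing(text))]


# Constructed input: a few bullets copied from the listings in this report.
SAMPLE = """\
APIs
• send.WS2_32 ref: 1001F2B6
• getpeername.WS2_32(?,?,?), ref: 1001F2E5
  • Part of subcall function 1001EF40: socket.WS2_32(00000002,00000001,00000006), ref: 1001EFA3
  • Part of subcall function 1001EF40: connect.WS2_32(?,?,00000010), ref: 1001EFDE
Strings
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7622F550), ref: 100015E5
• GetProcAddress.KERNEL32(00000000), ref: 100015E8
• LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7622F550), ref: 1000162F
• GetProcAddress.KERNEL32(00000000), ref: 10001632
APIs
• RegOpenKeyExA.ADVAPI32 ref: 100162FD
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 1001631E
• RegCloseKey.ADVAPI32(?), ref: 10016329
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100101E2
• GetProcAddress.KERNEL32(00000000,socket), ref: 100101F6
• GetProcAddress.KERNEL32(00000000,recv), ref: 10010202
• GetProcAddress.KERNEL32(00000000,connect), ref: 1001020E
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["index"], rec["capabilities"], "called-only:", rec["called_only"])
```

Running it on the excerpt, the two resolver functions come out as `audio_capture` plus `dynamic_api_resolution` and `network_client` plus `dynamic_api_resolution`, while the call-name-only variant reports just `dynamic_api_resolution` for both. The `sequence` field keeps the direct calls in report order, which for the first record preserves the socket/connect/send/recv ordering that marks it as a connect-back client rather than a listener.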
                                                      APIs
                                                      • #540.MFC42 ref: 1000F137
                                                      • #2818.MFC42(00000000, %c%s,?,?), ref: 1000F160
                                                      • #2763.MFC42(00000020), ref: 1000F17D
                                                      • #537.MFC42(100F5B4C,00000000,00000020), ref: 1000F195
                                                      • #537.MFC42(100F617C,100F5B4C,00000000,00000020), ref: 1000F1AA
                                                      • #922.MFC42(?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1BB
                                                      • #922.MFC42(?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1CC
                                                      • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1DB
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1E9
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1F7
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F205
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F213
                                                      • #537.MFC42(100F54AC,00000020), ref: 1000F224
                                                      • #922.MFC42(00000000,00000000,?,100F54AC,00000020), ref: 1000F235
                                                      • #939.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F244
                                                      • #800.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F252
                                                      • #800.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F260
                                                      • #535.MFC42(00000000), ref: 1000F270
                                                      • #800.MFC42(00000000), ref: 1000F286
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#537#922$#939$#2763#2818#535#540
                                                      • String ID: %c%s
                                                      • API String ID: 566216251-4217438733
                                                      • Opcode ID: 1eabbaef6823bc920628103d38dd739d1ece5b7014670c955b8b041a784970c3
                                                      • Instruction ID: d6c525beef93d6d8679147f2c5d4460e388dc9380c8c9f5f885b40ae94460d49
                                                      • Opcode Fuzzy Hash: 1eabbaef6823bc920628103d38dd739d1ece5b7014670c955b8b041a784970c3
                                                      • Instruction Fuzzy Hash: 9B41927D00D381AED305DB24D859B6FBBD4EFA4758F44490CF88963282DB74AA09C767
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 10027DA7
                                                      • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 10027DB7
                                                      • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10027DC1
                                                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 10027DCD
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 10027DD8
                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10027DE4
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 10027E40
                                                      • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10027E48
                                                      • CloseHandle.KERNEL32(?), ref: 10027E5A
                                                      • FreeLibrary.KERNEL32(00000000), ref: 10027E6B
                                                      • FreeLibrary.KERNEL32(?), ref: 10027E76
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                      • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll$#v
                                                      • API String ID: 2887716753-2689547331
                                                      • Opcode ID: 455eee7d388b15bc5da2bea146c2449c737fe4db7a8798a06f82cb6cab5f8a06
                                                      • Instruction ID: e2618c826015a8944393190aa95fb01132fbf627ebd04ed4471cd2eb1cf39d9d
                                                      • Opcode Fuzzy Hash: 455eee7d388b15bc5da2bea146c2449c737fe4db7a8798a06f82cb6cab5f8a06
                                                      • Instruction Fuzzy Hash: 8A21CE72A043156BD704DB759C85FABBFE8EFC8650F40492EF54897240CB79D9448B62
                                                      APIs
                                                      • OpenProcess.KERNEL32(0000002A,00000000,?,00000000,00000000,?,?,?,?,10022AD0,?,00000000,?), ref: 1002298E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: OpenProcess
                                                      • String ID: .$2$3$F$L$a$b$d$i$k$n$y
                                                      • API String ID: 3743895883-2751716537
                                                      • Opcode ID: 35a834b5deb326a33c13b9e67ac101c485a8f1f3162054dee228f111312e829a
                                                      • Instruction ID: 1ca23fc2194db23670c16f9ce41bd854b1fc66ba2f2aeb2993e12380afc4d27e
                                                      • Opcode Fuzzy Hash: 35a834b5deb326a33c13b9e67ac101c485a8f1f3162054dee228f111312e829a
                                                      • Instruction Fuzzy Hash: ED316B2500D3D2AAE312DB6C8888BCFBFD45FE2654F58498DF4C457292C2A5864DC7B7
                                                      APIs
                                                      • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10007630
                                                      • #5186.MFC42 ref: 1000764A
                                                      • #665.MFC42 ref: 1000765F
                                                      • #540.MFC42(?), ref: 1000767F
                                                      • #537.MFC42(?,?), ref: 1000768E
                                                      • #4204.MFC42(?,?), ref: 100076CA
                                                      • #2915.MFC42(00000080,?,?), ref: 100076DA
                                                      • #5442.MFC42(00000000,?,00000080,?,?), ref: 10007721
                                                      • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10007730
                                                      • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000773B
                                                      • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10007744
                                                      • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10007752
                                                      • MessageBoxA.USER32(00000000,100F5494,warning,00000000), ref: 1000779A
                                                      • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100077B2
                                                      • #800.MFC42 ref: 100077C0
                                                      • #800.MFC42 ref: 100077CE
                                                      • #665.MFC42 ref: 100077DF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                      • String ID: $warning
                                                      • API String ID: 2155908909-2294955047
                                                      • Opcode ID: f0b5dcdfcecbdf8fcdb1401f5d0367c5b06f59ef465da6436665c017a5d3e557
                                                      • Instruction ID: 3e2e336fd4e66b461f65b3a3a7d61c41f3b405be7ce234c9fafe03686b0b0973
                                                      • Opcode Fuzzy Hash: f0b5dcdfcecbdf8fcdb1401f5d0367c5b06f59ef465da6436665c017a5d3e557
                                                      • Instruction Fuzzy Hash: 3E510E796093419FD308DF28E891B9EB7E1FBD4750F80091CF99A93281DB35AE08CB52
                                                      APIs
                                                        • Part of subcall function 10006EB0: #541.MFC42(?,?,?,10093BFB,000000FF), ref: 10006ED0
                                                        • Part of subcall function 10006EB0: #540.MFC42(?,?,?,10093BFB,000000FF), ref: 10006EE0
                                                      • #540.MFC42(?,?,00000000,00000065), ref: 100093AE
                                                      • #540.MFC42 ref: 100093BF
                                                      • #540.MFC42 ref: 100093D0
                                                      • #2614.MFC42 ref: 100093E1
                                                      • #860.MFC42(*.*), ref: 100093EF
                                                      • #3811.MFC42(?,*.*), ref: 10009415
                                                      • #3811.MFC42(?,?,*.*), ref: 10009425
                                                      • #3811.MFC42(?,?,?,*.*), ref: 10009435
                                                      • #3811.MFC42(?,?,?,?,*.*), ref: 10009445
                                                      • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009455
                                                      • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 10009465
                                                      • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 10009493
                                                      • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 100094AA
                                                      • #860.MFC42(?,?,00000000,00000065), ref: 100094F7
                                                      • #800.MFC42 ref: 10009532
                                                      • #800.MFC42 ref: 10009543
                                                      • #800.MFC42 ref: 10009553
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3811$#540$#800#860$#2614#2818#541
                                                      • String ID: *%s*$*.*
                                                      • API String ID: 185796673-1558234275
                                                      • Opcode ID: f3f4fa458144455813e9f1941b5d47db53ef8a6b879c0d5b94e638632577bd8b
                                                      • Instruction ID: 423085315ff641abc04c7078cf6d7afe046adc771317f1a8858087fadee05ff7
                                                      • Opcode Fuzzy Hash: f3f4fa458144455813e9f1941b5d47db53ef8a6b879c0d5b94e638632577bd8b
                                                      • Instruction Fuzzy Hash: 425127794093819FD324CF64D495A9BBBE5FFD9700F804E2DB19943291DB74A608CB63
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                      • LoadLibraryA.KERNEL32 ref: 100013A4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7622F550), ref: 100015B9
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7622F550), ref: 100015D2
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7622F550), ref: 100015E5
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7622F550), ref: 100015F8
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7622F550), ref: 10001609
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7622F550), ref: 1000161C
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                        • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7622F550), ref: 1000162F
                                                        • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                      • API String ID: 2574300362-1789360232
                                                      • Opcode ID: a166e62ea3106cbbb19ddae654761d6378f1e2560a5de16bcd4d7998630b047f
                                                      • Instruction ID: 79bad19294003be944af05e2a3a02d10cd6f8ba42ffaf3ccbfff314eee45a48d
                                                      • Opcode Fuzzy Hash: a166e62ea3106cbbb19ddae654761d6378f1e2560a5de16bcd4d7998630b047f
                                                      • Instruction Fuzzy Hash: 4631E22110C3C08ED301DA699840B8BFFD59FA6658F080A9DE5C897343C66AD60CC7BB
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006849
                                                      • LocalAlloc.KERNEL32(00000040,00000400), ref: 100068A0
                                                      • GetFileAttributesA.KERNEL32(?), ref: 100068B0
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100068D9
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 100068E8
                                                      • malloc.MSVCRT ref: 100068F5
                                                      • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 1000691C
                                                      • CloseHandle.KERNEL32(?), ref: 10006929
                                                      • free.MSVCRT ref: 1000695F
                                                      • lstrlenA.KERNEL32(?), ref: 100069CB
                                                      • lstrlenA.KERNEL32(?), ref: 100069EA
                                                      • lstrlenA.KERNEL32(?), ref: 100069F9
                                                      • lstrlenA.KERNEL32(?), ref: 10006A1B
                                                      • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10006A29
                                                      • lstrlenA.KERNEL32(?), ref: 10006A48
                                                      • lstrlenA.KERNEL32(?), ref: 10006A65
                                                      • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 10006A72
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateDirectoryHandleReadSizeSystemfreemalloc
                                                      • String ID: Version
                                                      • API String ID: 3533827912-1889659487
                                                      • Opcode ID: dabfc0bd9743fd7b82f9ffcb32220f1a9367512a23e75a7fd0fbbc7c8f6f7071
                                                      • Instruction ID: dc2e1e5779e6f192b1c33f9b3601eebf9bb9013add8b1e18ca70323f07bfe1cb
                                                      • Opcode Fuzzy Hash: dabfc0bd9743fd7b82f9ffcb32220f1a9367512a23e75a7fd0fbbc7c8f6f7071
                                                      • Instruction Fuzzy Hash: 6B51D075600315ABE714EB24CCC9BEB7799FB88310F248728FE569B395DB74A908C760
                                                      APIs
                                                      • #2614.MFC42(00000000,?), ref: 1000EAA5
                                                      • #2614.MFC42(00000000,?), ref: 1000EAAD
                                                      • #6143.MFC42(00000000,000000FF,00000000,?), ref: 1000EAC0
                                                      • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1000EACC
                                                        • Part of subcall function 1000FB90: #825.MFC42(1000FB70,00000000,?,?,?,1000EADD,00000000,000000FF,00000000,000000FF,00000000,?), ref: 1000FBCD
                                                      • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 1000EAE7
                                                      • PathGetArgsA.SHLWAPI(00000000,?), ref: 1000EB13
                                                      • #860.MFC42(00000000), ref: 1000EB1D
                                                      • PathRemoveArgsA.SHLWAPI(00000000), ref: 1000EB27
                                                      • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 1000EB32
                                                      • _splitpath.MSVCRT ref: 1000EB66
                                                      • #860.MFC42(?,?,?,?,?), ref: 1000EB77
                                                      • #860.MFC42(?,?,?,?,?,?), ref: 1000EB89
                                                      • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 1000EB94
                                                      • #858.MFC42 ref: 1000EBD8
                                                      • #800.MFC42 ref: 1000EBEB
                                                      • #941.MFC42(?), ref: 1000EBFA
                                                      • #858.MFC42 ref: 1000EC1F
                                                      • #800.MFC42 ref: 1000EC2F
                                                      • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 1000EC41
                                                      • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 1000EC5F
                                                      • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 1000EC68
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                      • String ID:
                                                      • API String ID: 2691293456-0
                                                      • Opcode ID: 040d0aaac995b57d02b5666d6375f7825ce5bf468ed1c299a33512fd6ff3bfc2
                                                      • Instruction ID: a1e5407be2d41dbb6fc07f1872120fd75221e25c2e847f3836601d5df1a8d181
                                                      • Opcode Fuzzy Hash: 040d0aaac995b57d02b5666d6375f7825ce5bf468ed1c299a33512fd6ff3bfc2
                                                      • Instruction Fuzzy Hash: 53519DB92043419FD224DF20D895FAFB7E9EF88700F804A1DF59653282DB34B609CB52
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 1000506A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005073
                                                      • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005083
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005086
                                                      • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005094
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005097
                                                      • free.MSVCRT ref: 100050F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$free
                                                      • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                      • API String ID: 1540231353-1695543321
                                                      • Opcode ID: db1f1adb1b7f18fac24bbc77eecb5520449f33e86495ce116e9eed326085b21e
                                                      • Instruction ID: 6fcf9963470e9c66f3b5ba85de9563ea291f185d7e63e2ddb678491d27fcf75c
                                                      • Opcode Fuzzy Hash: db1f1adb1b7f18fac24bbc77eecb5520449f33e86495ce116e9eed326085b21e
                                                      • Instruction Fuzzy Hash: 4B31D2B210C385AFD300DB68DC84A9BBFD8DBD8254F04491EF984C3241D6B5EA09CBA3
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                      • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                      • API String ID: 321629408-3882932831
                                                      • Opcode ID: 92bf30bf3027e4507bdc0db52b90b85f77396adb438749fa654483d7f8d9e39c
                                                      • Instruction ID: 3ed0fbc41df4cf011b988fc4e1afbb857f9d81656ae9e40e43e80165df1ee3a0
                                                      • Opcode Fuzzy Hash: 92bf30bf3027e4507bdc0db52b90b85f77396adb438749fa654483d7f8d9e39c
                                                      • Instruction Fuzzy Hash: 6141076610E3C19ED302DB68948468BBFD55FB6608F48499DF4C857342C2A9C61CC77B
                                                      APIs
                                                      • #540.MFC42 ref: 100095AF
                                                      • #540.MFC42 ref: 100095C3
                                                      • #860.MFC42(00000000), ref: 10009611
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000E9B5
                                                        • Part of subcall function 1000E980: #825.MFC42(?), ref: 1000E9F0
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA06
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA13
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA20
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA2D
                                                        • Part of subcall function 1000E980: #801.MFC42 ref: 1000EA3A
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA47
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA54
                                                        • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA64
                                                      • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000963A
                                                      • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000964D
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 1000965D
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000966B
                                                      • PathFindFileNameA.SHLWAPI(?), ref: 10009676
                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 10009685
                                                      • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 10009693
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 100096A3
                                                      • wsprintfA.USER32 ref: 100096D6
                                                      • #823.MFC42(0000022E), ref: 100096E1
                                                      • Sleep.KERNEL32(0000000A), ref: 10009711
                                                      • #800.MFC42 ref: 10009725
                                                      • #800.MFC42 ref: 10009739
                                                        • Part of subcall function 1000F8A0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,100943A8,000000FF,1000960C), ref: 1000F8D8
                                                        • Part of subcall function 1000F8A0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,100943A8,000000FF,1000960C), ref: 1000F8E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                      • String ID: %d-%d-%d
                                                      • API String ID: 4162832437-1067691376
                                                      • Opcode ID: 8da111a0ccbd5b81e393d9f05b686b4f3c5c2e4f43409741cb799548d5318c76
                                                      • Instruction ID: 21adac118ac1a3d22f22db7e4ccb3c5fa41a4288115175b77754e23db17b4505
                                                      • Opcode Fuzzy Hash: 8da111a0ccbd5b81e393d9f05b686b4f3c5c2e4f43409741cb799548d5318c76
                                                      • Instruction Fuzzy Hash: 7D416179148382ABE324DB64CC59FAFB7A8FF84740F108A2CF599932D0DB74A5058B52
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 1001D97A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D983
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 1001D993
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D996
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 1001D9A6
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D9A9
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 1001D9B9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D9BC
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 1001D9CC
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001D9CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
                                                      • API String ID: 2574300362-1218197485
                                                      • Opcode ID: 0a9f798be02a53ceb2ce9f6517136ab9a7e684ad0b7be3cb697133bf033275c7
                                                      • Instruction ID: 3f4145bbd9ca2c386ca363cc47c9324bb4ee3201ee0eb4740598fe8591716f75
                                                      • Opcode Fuzzy Hash: 0a9f798be02a53ceb2ce9f6517136ab9a7e684ad0b7be3cb697133bf033275c7
                                                      • Instruction Fuzzy Hash: EA210AB1A043597BD714EBB18C49E9B7FE8EFC8744F004929B684AB140DB78D944CBA6
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32 ref: 100164D2
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100164D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                      • API String ID: 1646373207-3978980583
                                                      • Opcode ID: 44a28597f0d466bbe54a4cd8c62617ba047553ced51f53b6b84ca1c176f9cbaa
                                                      • Instruction ID: 76f335fc34860fd29dc4ec242bd97a5762851810f53614de93e2330c81fce09d
                                                      • Opcode Fuzzy Hash: 44a28597f0d466bbe54a4cd8c62617ba047553ced51f53b6b84ca1c176f9cbaa
                                                      • Instruction Fuzzy Hash: 6A111F1050C3D28EE301DB6C884438BBFD55FA2648F48888DF4D84A292D2BAC69CC7B7
                                                      APIs
                                                      • LoadCursorA.USER32(00000000,00007F8A), ref: 10014B4A
                                                        • Part of subcall function 10015760: ReleaseDC.USER32(00000000,?), ref: 10015778
                                                        • Part of subcall function 10015760: GetDC.USER32(00000000), ref: 10015780
                                                      • GetDC.USER32(00000000), ref: 10014B99
                                                      • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10014BA6
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10014BC8
                                                      • GetDeviceCaps.GDI32(?,00000076), ref: 10014BE5
                                                      • GetDeviceCaps.GDI32(?,00000075), ref: 10014BF0
                                                      • CreateCompatibleDC.GDI32(?), ref: 10014C0E
                                                      • CreateCompatibleDC.GDI32(?), ref: 10014C17
                                                      • CreateCompatibleDC.GDI32(?), ref: 10014C20
                                                      • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10014C6D
                                                      • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10014C7E
                                                      • SelectObject.GDI32(?,?), ref: 10014C91
                                                      • SelectObject.GDI32(?,?), ref: 10014C9B
                                                      • #823.MFC42(?,?,?,?,00000000), ref: 10014CA6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: Fs
                                                      • API String ID: 1396098503-3114537292
                                                      • Opcode ID: f30582dd3e04e2cf3d19ed53d9550a0cfebe61783fadf715d61b3f9180777093
                                                      • Instruction ID: cd2d74be6e3fa504a26b79fdcc722707750be6f15986ded161daa2ec4afc2e3d
                                                      • Opcode Fuzzy Hash: f30582dd3e04e2cf3d19ed53d9550a0cfebe61783fadf715d61b3f9180777093
                                                      • Instruction Fuzzy Hash: 7181F4B5504B419FD320CF2AC884A2BFBF9FB88704F118A1DE58A87750DB79F8058B91
                                                      APIs
                                                      • GetLogicalDriveStringsA.KERNEL32 ref: 1000836D
                                                      • GetUserNameA.ADVAPI32(?,?), ref: 10008399
                                                      • _stricmp.MSVCRT(?,SYSTEM), ref: 100083AC
                                                      • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 100083D7
                                                      • CloseHandle.KERNEL32(00000000), ref: 100083DE
                                                      • lstrlenA.KERNEL32(?), ref: 100083F2
                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 1000842D
                                                      • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 1000844B
                                                      • lstrlenA.KERNEL32(?), ref: 10008459
                                                      • lstrlenA.KERNEL32(?), ref: 10008467
                                                      • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008486
                                                      • GetDriveTypeA.KERNEL32(?), ref: 100084C5
                                                      • lstrlenA.KERNEL32(?), ref: 1000852F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_stricmp
                                                      • String ID: SYSTEM$g
                                                      • API String ID: 3735514147-3120117691
                                                      • Opcode ID: bd696c4cef1b93f272b65f2cd570373f29085df2035be5b46b8d8c85b68281c1
                                                      • Instruction ID: 995c0707421343ab744ffff33625381e1df9850639ea77a8c7a4dd0424174244
                                                      • Opcode Fuzzy Hash: bd696c4cef1b93f272b65f2cd570373f29085df2035be5b46b8d8c85b68281c1
                                                      • Instruction Fuzzy Hash: 8451B0715083599FE710DF14C880AEFBBE9FBC8344F444A2DF98997251CB74AA09CB66
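The function listings in this part of the report carry the evidence for the Mimikatz and GhostRat verdicts, but only if read together: the function at 10005xxx resolves LsaOpenPolicy, LsaClose and LsaRetrievePrivateData through LoadLibraryA/GetProcAddress (so none of them appears in the import table) next to the LSA secret name _RasDefaultCredentials#0; the function at 1001Dxxx resolves ReadFile, PeekNamedPipe, LocalAlloc, LocalFree and Sleep the same way; the function at 10008xxx walks every drive with GetLogicalDriveStringsA, GetVolumeInformationA, GetDiskFreeSpaceExA and GetDriveTypeA; and the function at 10024Dxx calls IsWow64Process and then picks \sysnative\drivers\etc\hosts over \system32\drivers\etc\hosts, which is how a 32-bit process reaches the real 64-bit hosts file despite WOW64 file-system redirection. The script below is an added example by the editor, not Joe Sandbox's tooling and not the sample's code: it parses blocks in the exact line form shown on this page and tags each function with the capability its calls and strings imply. The tag rules are the editor's reading of these listings, and SAMPLE is a constructed excerpt copied from them. One assumption it makes: the name strings the plugin prints as extra LoadLibraryA arguments (for example `LsaOpenPolicy`) are stack values consumed by the following GetProcAddress, so the rules look at arguments and strings together rather than at the call name alone.

```python
"""Capability triage over Joe Sandbox function blocks.

Added example for this report (editor's code, neither Joe Sandbox's nor the
sample's). Parses "APIs" / "Strings" / "String ID" / "Opcode ID" lines as shown
on this page; rules are the editor's reading of the page's listings."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(arg,arg), ref: ADDR" -- args and ref are optional, subcall lines are prefixed
API_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-F]+:\s+)?"
    r"(?P<fn>[^.\s(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?"
)
XREF_RE = re.compile(r"^•\s+(?P<s>.+?),\s*xrefs:\s*[0-9A-F]+")   # "• <string>, xrefs: ADDR"
STRING_ID_RE = re.compile(r"^•\s+String ID:\s*(?P<ids>.*)")       # "$"-separated strings
OPCODE_RE = re.compile(r"^•\s+Opcode ID:\s*(?P<id>[0-9a-f]{16,})")


@dataclass
class Function:
    opcode_id: str = ""
    calls: list = field(default_factory=list)     # (name, args, ref, is_subcall)
    strings: list = field(default_factory=list)


def parse_blocks(text: str) -> list:
    """One Function per "APIs" header; later bullet lines attach to the open block."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Function()
            funcs.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append((m["fn"], args, m["ref"] or "", bool(m["sub"])))
        elif m := XREF_RE.match(line):
            cur.strings.append(m["s"])
        elif m := STRING_ID_RE.match(line):
            cur.strings.extend(s for s in m["ids"].split("$") if s)
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
    return funcs


def classify(fn: Function) -> list:
    """Tag a function from its direct calls plus every string or argument it references."""
    direct = {name for name, _, _, sub in fn.calls if not sub}
    seen = set(fn.strings) | {a for _, args, _, _ in fn.calls for a in args}
    tags = []
    resolves = "GetProcAddress" in direct and bool(direct & {"LoadLibraryA", "GetModuleHandleA"})
    if resolves:
        tags.append("dynamic import resolution (targets absent from the import table)")
    if resolves and {"LsaOpenPolicy", "LsaRetrievePrivateData"} <= seen:
        tags.append("LSA secret retrieval (LsaOpenPolicy + LsaRetrievePrivateData)")
    if resolves and {"PeekNamedPipe", "ReadFile"} <= seen:
        tags.append("runtime-resolved pipe read loop (PeekNamedPipe/ReadFile)")
    if any(s.lower().endswith(r"\drivers\etc\hosts") for s in fn.strings):
        tag = "hosts file read"
        if "IsWow64Process" in direct and any("sysnative" in s.lower() for s in fn.strings):
            tag += r" (WOW64 aware: \sysnative\ reaches the 64-bit copy despite redirection)"
        tags.append(tag)
    if {"GetLogicalDriveStringsA", "GetVolumeInformationA", "GetDriveTypeA"} <= direct:
        tags.append("drive and volume survey")
    return tags


def triage(text: str) -> dict:
    """Map a short Opcode ID (or the first call site when the block has none) to its tags."""
    out = {}
    for f in parse_blocks(text):
        label = f.opcode_id[:12] or next((ref for _, _, ref, _ in f.calls if ref), "?")
        out[label] = classify(f)
    return out


# Constructed excerpt: lines copied from the function listings on this page.
SAMPLE = r"""APIs
• LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005083
• GetProcAddress.KERNEL32(00000000), ref: 10005086
• String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
• Opcode ID: db1f1adb1b7f18fac24bbc77eecb5520449f33e86495ce116e9eed326085b21e
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 1001D97A
• GetProcAddress.KERNEL32(00000000), ref: 1001D983
• String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
• Opcode ID: 0a9f798be02a53ceb2ce9f6517136ab9a7e684ad0b7be3cb697133bf033275c7
APIs
• GetLogicalDriveStringsA.KERNEL32 ref: 1000836D
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 1000842D
• GetDriveTypeA.KERNEL32(?), ref: 100084C5
• Opcode ID: bd696c4cef1b93f272b65f2cd570373f29085df2035be5b46b8d8c85b68281c1
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 10024DE3
• IsWow64Process.KERNEL32(00000000), ref: 10024DF5
• ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 10024E87
Strings
• \sysnative\drivers\etc\hosts, xrefs: 10024E0C
• \system32\drivers\etc\hosts, xrefs: 10024E20
"""
```

Run `triage(SAMPLE)` (or feed it the report text pasted from this page) and each function comes back keyed by the first twelve characters of its Opcode ID, or by its first call site for the hosts-file block, whose Opcode ID is not on this page. Subcall lines (`Part of subcall function ...`) are parsed but excluded from the direct-call set, so a helper's LoadLibraryA does not make its caller look like a resolver; the ReadFile that the hosts-file function calls directly likewise gets no pipe tag, because that rule requires the dynamic-resolution pattern as well.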
                                                      APIs
                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 10024DE3
                                                      • GetCurrentProcess.KERNEL32(?), ref: 10024DEE
                                                      • IsWow64Process.KERNEL32(00000000), ref: 10024DF5
                                                      • SetFileAttributesA.KERNEL32(00000000,00000080), ref: 10024E39
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 10024E53
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 10024E64
                                                      • LocalAlloc.KERNEL32(00000040,00000002), ref: 10024E72
                                                      • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 10024E87
                                                      • LocalFree.KERNEL32(00000000), ref: 10024E93
                                                      • CloseHandle.KERNEL32(00000000), ref: 10024E9A
                                                      • CloseHandle.KERNEL32(00000000), ref: 10024EAA
                                                      • LocalSize.KERNEL32(00000000), ref: 10024EB4
                                                      • LocalFree.KERNEL32(00000000), ref: 10024EC6
                                                      Strings
                                                      • \sysnative\drivers\etc\hosts, xrefs: 10024E0C
                                                      • \system32\drivers\etc\hosts, xrefs: 10024E20
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                      • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                      • API String ID: 2528494210-1011561390
                                                      • Opcode ID: 06355d24816bb06a6f6fdcbaf4ff182d97c683ad20e663d130b4a001acad0401
                                                      • Instruction ID: d4c6b7f003ce1fb89a5f0c0e96aef7d5fe6728801e37779bf80f48b805c58ebe
                                                      • Opcode Fuzzy Hash: 06355d24816bb06a6f6fdcbaf4ff182d97c683ad20e663d130b4a001acad0401
                                                      • Instruction Fuzzy Hash: E031D779104210BFF310DB64CC89FDB7BE8FB88710F508A18FA55E61E0DBB8A5448766
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010021
                                                      • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10010031
                                                      • wsprintfA.USER32 ref: 10010063
                                                      • CloseHandle.KERNEL32(00000000), ref: 100100B7
                                                      • Sleep.KERNEL32(00000002), ref: 100100D1
                                                      • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010110
                                                      • GetProcAddress.KERNEL32(00000000,send), ref: 1001011C
                                                      • FreeLibrary.KERNEL32(?), ref: 10010174
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                      • String ID: ID= %d $closesocket$send$ws2_32.dll$#v
                                                      • API String ID: 1680113600-352651951
                                                      • Opcode ID: caead9352300d690aacfc6565e40d65679a0f54f63f645c65897dd9a4dbe00c8
                                                      • Instruction ID: 1977dbbe5936afe754478adadd53682a3f15b347482e6e568a3283db1f873a1c
                                                      • Opcode Fuzzy Hash: caead9352300d690aacfc6565e40d65679a0f54f63f645c65897dd9a4dbe00c8
                                                      • Instruction Fuzzy Hash: 01418F35604355AFE710DFB4CC84B9B7BE8FB88344F104A18FA85DB241E7B9E9448B52
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: getenv
                                                      • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                      • API String ID: 498649692-40509672
                                                      • Opcode ID: 2bdca469eb1f4c8cd7f74797f3e2f54c5997b5496bca4d1b9cc46674ff0bc64f
                                                      • Instruction ID: ef247b63f098e4333d3efabe3abd0855fdd5821f48198182909b032b497f0f54
                                                      • Opcode Fuzzy Hash: 2bdca469eb1f4c8cd7f74797f3e2f54c5997b5496bca4d1b9cc46674ff0bc64f
                                                      • Instruction Fuzzy Hash: 382107A6A071441FE754C2359E897A632D5E3542D3F0A9130EA08CF3BAFB38DC025762
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 10005207
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000520E
                                                        • Part of subcall function 10004A80: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 10004A9C
                                                        • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004AA5
                                                        • Part of subcall function 10004A80: LoadLibraryA.KERNEL32 ref: 10004AF6
                                                        • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004AF9
                                                        • Part of subcall function 10004A80: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10004B07
                                                        • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004B0A
                                                      • wsprintfA.USER32 ref: 10005277
                                                        • Part of subcall function 10005010: LoadLibraryA.KERNEL32 ref: 1000506A
                                                        • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005073
                                                        • Part of subcall function 10005010: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005083
                                                        • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005086
                                                        • Part of subcall function 10005010: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005094
                                                        • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005097
                                                        • Part of subcall function 100052E0: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 100052F6
                                                        • Part of subcall function 100052E0: GetProcAddress.KERNEL32(00000000), ref: 100052FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$wsprintf
                                                      • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                      • API String ID: 2290142023-608447665
                                                      • Opcode ID: 30f463635e1a4875aa09e411c7b5b35d793b108a13a915ca86658f8851624c70
                                                      • Instruction ID: 84bb1f5448e4a274f0715bf3815c20e49b2e3dacba25022615ed876d59f224f2
                                                      • Opcode Fuzzy Hash: 30f463635e1a4875aa09e411c7b5b35d793b108a13a915ca86658f8851624c70
                                                      • Instruction Fuzzy Hash: E231D0751083809FD305CFA8C894A6FBBE9AF99741F04495CF5C987342D6B6DA08CBA6
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 1000105A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                      • #823.MFC42(000003E8), ref: 1000109D
                                                      • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                      • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                      • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823$AddressLibraryLoadProc
                                                      • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                      • API String ID: 4155842574-2549505875
                                                      • Opcode ID: 51bd1dd82d00143a8cdb6546822411bb95342cbcbd0749ba9e4245cebdc29538
                                                      • Instruction ID: 2822403b8f08ad602c06a97c45789028a5216e8bfbd40cf3f64cb702b5711b84
                                                      • Opcode Fuzzy Hash: 51bd1dd82d00143a8cdb6546822411bb95342cbcbd0749ba9e4245cebdc29538
                                                      • Instruction Fuzzy Hash: 87319CB04097809EE310CF29D844547FFE8EF58308F44895DE5898B712D3B9E648CB6A
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10022B10
                                                      • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 10022B20
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                        • Part of subcall function 10022A80: CreateToolhelp32Snapshot.KERNEL32 ref: 10022A95
                                                        • Part of subcall function 10022A80: Process32First.KERNEL32(00000000,?), ref: 10022AA2
                                                        • Part of subcall function 10022A80: Process32Next.KERNEL32(00000000,?), ref: 10022AE0
                                                        • Part of subcall function 10022A80: CloseHandle.KERNEL32(00000000,00000000,?), ref: 10022AEB
                                                        • Part of subcall function 100174F0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                                                        • Part of subcall function 100174F0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                                                        • Part of subcall function 100174F0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                                                        • Part of subcall function 100174F0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                                                        • Part of subcall function 100174F0: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 10017570
                                                      • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 10022B69
                                                      • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10022B79
                                                      • GetProcessId.KERNEL32(drwtsn32.exe,?,76230F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10022B92
                                                      • EnumWindows.USER32(10022880,00000000), ref: 10022BA2
                                                      • EnumWindows.USER32(10022880,00000000), ref: 10022BAA
                                                      • Sleep.KERNEL32(0000000A,?,76230F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10022BAE
                                                      • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10022BB2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                      • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                      • API String ID: 1044539573-3630850118
                                                      • Opcode ID: 3fdea0f797f9fe23094386ee836a567a45483825a33008c298ee4c307d8c2eef
                                                      • Instruction ID: 2e736371e7b37e2a385a2d08273fc267f4c7893994bd6a519d798079d075a470
                                                      • Opcode Fuzzy Hash: 3fdea0f797f9fe23094386ee836a567a45483825a33008c298ee4c307d8c2eef
                                                      • Instruction Fuzzy Hash: E611487A60031577F600E7F9AC86FDA3F68EF80745F804520FF0459091DBB6E4848672
                                                      APIs
                                                        • Part of subcall function 10057530: CreateFileW.KERNEL32(1001802F,C0000000,00000000,00000000,00000003,00000080,00000000,?,1001802F,1012644C,00000000), ref: 10057561
                                                        • Part of subcall function 10057530: GetLastError.KERNEL32(?,1001802F,1012644C,00000000), ref: 1005756E
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 10018076
                                                      • swprintf.MSVCRT(?,SYSTEM\CurrentControlSet\Services\%S,Gwogwo Hxpgx), ref: 100180C9
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 1001811F
                                                      • wcscat.MSVCRT ref: 10018134
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10018162
                                                      • wcscat.MSVCRT ref: 10018171
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100181A0
                                                      • wcscat.MSVCRT ref: 100181AF
                                                        • Part of subcall function 10017780: GetWindowsDirectoryA.KERNEL32 ref: 1001779C
                                                        • Part of subcall function 10017780: GetCurrentProcess.KERNEL32(?), ref: 100177A7
                                                        • Part of subcall function 10017780: IsWow64Process.KERNEL32(00000000), ref: 100177AE
                                                        • Part of subcall function 10017780: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10017873
                                                        • Part of subcall function 10017780: WriteFile.KERNEL32(00000000,10106038,?,00000104,00000000), ref: 100178AA
                                                        • Part of subcall function 10017780: CloseHandle.KERNEL32(00000000), ref: 100178B5
                                                        • Part of subcall function 10057530: malloc.MSVCRT ref: 10057580
                                                        • Part of subcall function 10057530: CloseHandle.KERNEL32(00000000,00000000), ref: 1005758D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DirectoryFile$Systemwcscat$CloseCreateHandleProcess$CurrentErrorLastModuleNameWindowsWow64Writemallocswprintf
                                                      • String ID: Gwogwo Hxpgx$SYSTEM\CurrentControlSet\Services\%S$\audiodg.exe$\lsass.exe$\lsm.exe
                                                      • API String ID: 894407600-3539089102
                                                      • Opcode ID: e5edea0454a23e52e4bdccb43d9ca7e7d158ad0bb122e7cdc5f0e9123b9c4f3a
                                                      • Instruction ID: 364108441924454984723050d8630c2e4011a9070e94262d6fe381631b54a037
                                                      • Opcode Fuzzy Hash: e5edea0454a23e52e4bdccb43d9ca7e7d158ad0bb122e7cdc5f0e9123b9c4f3a
                                                      • Instruction Fuzzy Hash: DD41A5B5600345BBD214EB60DC86FEB73ADEBC8700F048D1CF644861C1E6B5E649C7A2
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000CABA
                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000CACB
                                                      • wsprintfA.USER32 ref: 1000CAEE
                                                      • wsprintfA.USER32 ref: 1000CB07
                                                      • GetFileAttributesA.KERNEL32(?), ref: 1000CB14
                                                      • wsprintfA.USER32 ref: 1000CB3A
                                                      • Sleep.KERNEL32(00000064), ref: 1000CB41
                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 1000CB59
                                                      • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000CB6B
                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 1000CB78
                                                        • Part of subcall function 1000C980: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000C98D
                                                        • Part of subcall function 1000C980: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C9C4
                                                        • Part of subcall function 1000C980: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000C9DD
                                                        • Part of subcall function 1000C980: GetFileSize.KERNEL32(00000000,00000000), ref: 1000C9E6
                                                        • Part of subcall function 1000C980: rand.MSVCRT ref: 1000CA23
                                                        • Part of subcall function 1000C980: WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000), ref: 1000CA55
                                                        • Part of subcall function 1000C980: CloseHandle.KERNEL32(00000000), ref: 1000CA62
                                                      • SetFileAttributesA.KERNEL32(?,?), ref: 1000CBA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWriterand
                                                      • String ID: %s.exe$%s\%s
                                                      • API String ID: 3934066423-3574828809
                                                      • Opcode ID: a009d4eca98be4483e24c719c3d4c4184de554cec7e5567dcf429bf1f79b9854
                                                      • Instruction ID: 5cce1ceeaccf2a8344d843d24eec7d699efa89d2b8630c159b7528a57ed85d3d
                                                      • Opcode Fuzzy Hash: a009d4eca98be4483e24c719c3d4c4184de554cec7e5567dcf429bf1f79b9854
                                                      • Instruction Fuzzy Hash: 7831B675508345ABE320DBA4CCD9FEBB3A8EB84701F50491CF745960D0E7B5A508CB62
                                                      APIs
                                                      • CloseHandle.KERNEL32(?), ref: 100175D4
                                                      • CloseHandle.KERNEL32(?), ref: 100175DD
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 100175E8
                                                      • OpenServiceA.ADVAPI32(00000000,Gwogwo Hxpgx,00000010), ref: 100175FC
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10017609
                                                      • StartServiceA.ADVAPI32(00000000,00000001,?), ref: 10017629
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001763A
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001763D
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10017649
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1001764C
                                                      • ExitProcess.KERNEL32 ref: 10017650
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleService$Open$ExitManagerProcessStart
                                                      • String ID: -wait$Gwogwo Hxpgx
                                                      • API String ID: 560043911-534881760
                                                      • Opcode ID: e245130537142ea01ed15361159789d44a4ff3c89450aa275989a24b6e39fb8e
                                                      • Instruction ID: e593243639bc46a37c5ff123e361992a4e900fee870cb10c5864219e02b116fc
                                                      • Opcode Fuzzy Hash: e245130537142ea01ed15361159789d44a4ff3c89450aa275989a24b6e39fb8e
                                                      • Instruction Fuzzy Hash: 0821C93521066167D311EB28DCC4FDB77A9FFD4750F128915F8449B290D7B4EC858A61
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,00000000,?,1000591A,00000000), ref: 10005B06
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005B0F
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,?,1000591A,00000000), ref: 10005B1F
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005B22
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,?,1000591A,00000000), ref: 10005B32
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10005B35
                                                      • #823.MFC42(00000002,?,00000000,?,1000591A,00000000), ref: 10005B51
                                                      • #823.MFC42(00000002,00000002,?,00000000,?,1000591A,00000000), ref: 10005B59
                                                      • #825.MFC42(00000000,?,00000000,?,1000591A,00000000), ref: 10005B85
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$#823$#825
                                                      • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                      • API String ID: 1309867234-4059950253
                                                      • Opcode ID: 50cee9463abd30fc7cc8b1d40fe414db95ace4768b98de84bdc97cf65c5b80eb
                                                      • Instruction ID: 9ea26af0343d941c3596c3f0c221c4d9fa970b70434830e4c0a75c4377676db9
                                                      • Opcode Fuzzy Hash: 50cee9463abd30fc7cc8b1d40fe414db95ace4768b98de84bdc97cf65c5b80eb
                                                      • Instruction Fuzzy Hash: F71102B6A0132837E510B7752C4DF9B7E8CCB967B2F110526FB04A7281DA66E90886F1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 100274CB
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100274D2
                                                        • Part of subcall function 10027720: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,100274E9,00000000), ref: 1002773B
                                                        • Part of subcall function 10027720: GetProcAddress.KERNEL32(00000000), ref: 10027744
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                      • API String ID: 2574300362-924470386
                                                      • Opcode ID: 239e7d5484e6e7de8914853fb81fae4ac45b47c284811d1eebe42bf563dd7d9b
                                                      • Instruction ID: e22ea56f81167809c6b98e8fee439baa6eb41fbd18513ea98b6f221bad690a68
                                                      • Opcode Fuzzy Hash: 239e7d5484e6e7de8914853fb81fae4ac45b47c284811d1eebe42bf563dd7d9b
                                                      • Instruction Fuzzy Hash: E3317175C092D8EEDB01CBE8D884ADEFF75AF2A240F044559E54477342C7794608CBB6
                                                      APIs
                                                      • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005C2A
                                                      • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005C6D
                                                      • #823.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005C81
                                                      • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005CB4
                                                      • #823.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005CC8
                                                      • #825.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005CFB
                                                      • #823.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005D0F
                                                      • #825.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005D42
                                                      • #823.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005D56
                                                      • #825.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005D89
                                                      • #823.MFC42(?,00000000,?,00000000,00000000,?,10005A8D,?,?,00000000,?,?,00000000,?,?), ref: 10005D9D
                                                      • #825.MFC42(?,?,?), ref: 10005DE3
                                                      • #823.MFC42(?,?,?), ref: 10005DF7
                                                      • #825.MFC42(00000000,?,?), ref: 10005E29
                                                      • #823.MFC42(?,?,?), ref: 10005E3D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823$#825
                                                      • String ID:
                                                      • API String ID: 2704444950-0
                                                      • Opcode ID: 7b0fa48e5c3dbf7ed1b0186155abf17ccfda3206c82718279d205ef86c9715e6
                                                      • Instruction ID: 59a3e93104fd256623cb7af241243b39c17a4b14fb030dfa57c0a396406e5be0
                                                      • Opcode Fuzzy Hash: 7b0fa48e5c3dbf7ed1b0186155abf17ccfda3206c82718279d205ef86c9715e6
                                                      • Instruction Fuzzy Hash: 46B1F4B9A043828FE714CF38C49591B77E1EF99290F15856DF89687386DB32FD058BA0
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,76230BD0,00000000,?,7622F550), ref: 1002768A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027693
                                                      • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7622F550), ref: 100276A1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100276A4
                                                      • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100276C8
                                                      • SetThreadDesktop.USER32(?,?,7622F550), ref: 100276DE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                      • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                      • API String ID: 2607951617-608436089
                                                      • Opcode ID: d2343acd70f964f6d9e73709e9419f5986920cc52dff689c9824b2cfbd684ae5
                                                      • Instruction ID: 56cf2ca52c9595b1f84137fc8de1eae00d8291b24afd933cdb6c838a960a7d87
                                                      • Opcode Fuzzy Hash: d2343acd70f964f6d9e73709e9419f5986920cc52dff689c9824b2cfbd684ae5
                                                      • Instruction Fuzzy Hash: 1401B97670021D37E61467B9AC89FDB7B8CDB80765F814432FB14D3100EA7EA84446B5
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlDosPathNameToRelativeNtPathName_U,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574A1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100574A4
                                                      • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574AF
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlFormatCurrentUserKeyPath,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574D3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100574D6
                                                      • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574E1
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlFreeUnicodeString,?,?,10057536,?,1001802F,1012644C,00000000), ref: 10057505
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10057508
                                                      • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 10057513
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressErrorHandleLastModuleProc
                                                      • String ID: RtlDosPathNameToRelativeNtPathName_U$RtlFormatCurrentUserKeyPath$RtlFreeUnicodeString$ntdll.dll
                                                      • API String ID: 4275029093-883409132
                                                      • Opcode ID: a895c9c6f9aedaabd8393c46a3ebcf7f36a05ab4e636c85486febbe17d75ca31
                                                      • Instruction ID: 4c6bc2ddfafc4b1b6e2e63541fa733738877968d7308d87e76998631d9058310
                                                      • Opcode Fuzzy Hash: a895c9c6f9aedaabd8393c46a3ebcf7f36a05ab4e636c85486febbe17d75ca31
                                                      • Instruction Fuzzy Hash: 27118675B051236AF300E77EEC44B896BDBEBC4295B178071E404D5158FB3498965D50
                                                      APIs
                                                      • malloc.MSVCRT ref: 10006AE9
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006B10
                                                      • free.MSVCRT ref: 10006B5A
                                                      • GetFileAttributesA.KERNEL32(?), ref: 10006B68
                                                      • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10006B8F
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 10006B9E
                                                      • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 10006BB4
                                                      • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 10006BD8
                                                      • CloseHandle.KERNEL32(?), ref: 10006BE5
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 10006C25
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Virtual$AllocAttributesCloseCreateDirectoryFreeHandleReadSizeSystemfreemalloc
                                                      • String ID: Main
                                                      • API String ID: 3886448261-521822810
                                                      • Opcode ID: 0cb5667eaee505691f3b557714419b3d64325ce31a898f8a6cfc118ff73037da
                                                      • Instruction ID: d6bfa1ec429d7d2890abd9b1ad9581922f926236802a51ebe742f4fcfdf8ebdc
                                                      • Opcode Fuzzy Hash: 0cb5667eaee505691f3b557714419b3d64325ce31a898f8a6cfc118ff73037da
                                                      • Instruction Fuzzy Hash: 674112B56402006BE704EB749C99FAB3399EB88721F248738FE46DB2D5DF74A904C760
                                                      APIs
                                                      • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 100025E2
                                                      • GetLocalTime.KERNEL32(?), ref: 100025F9
                                                      • sprintf.MSVCRT ref: 10002664
                                                      • GetDlgItem.USER32(?,000003E8), ref: 10002679
                                                      • GetWindowTextLengthA.USER32(00000000), ref: 10002688
                                                      • SetWindowTextA.USER32(00000000,10125614), ref: 10002697
                                                      • GetWindowTextLengthA.USER32(00000000), ref: 1000269E
                                                      • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 100026AE
                                                      • SendMessageA.USER32(00000000,000000C2,00000000,?), ref: 100026BD
                                                      • ShowWindow.USER32(?,00000009), ref: 100026C8
                                                        • Part of subcall function 1000E580: SetEvent.KERNEL32(?,10001B2B), ref: 1000E584
                                                      Strings
                                                      • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 1000265E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$MessageSendText$Length$EventItemLocalShowTimesprintf
                                                      • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                      • API String ID: 3595294075-2160474225
                                                      • Opcode ID: af4e1782e2380a4bfc19bcec33c5f8bb5d63cbbe9542183d41b56f5a966d040d
                                                      • Instruction ID: f3d78d3da39a4f7d58d604062a5c6b7fdfd23bcb46c582fe78627b16340e3250
                                                      • Opcode Fuzzy Hash: af4e1782e2380a4bfc19bcec33c5f8bb5d63cbbe9542183d41b56f5a966d040d
                                                      • Instruction Fuzzy Hash: 273127762047127BF720DB14CC85FEB7399EF89311F204638FE4197284C638A8499B76
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000A8B4
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000A92D
                                                      • GetFileSize.KERNEL32 ref: 1000A940
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000A954
                                                      • lstrlenA.KERNEL32(?), ref: 1000A962
                                                      • #823.MFC42(00000000), ref: 1000A96B
                                                      • lstrlenA.KERNEL32(?,?,00000000), ref: 1000A991
                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000A99A
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000A9A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                      • String ID: .key$6gkIBfkS+qY=
                                                      • API String ID: 2856261289-3577161720
                                                      • Opcode ID: 5d1aa76a94c64984c06e26a43ffe3998f021ee813757f1b3cb1573a2f673d90a
                                                      • Instruction ID: cb290c3885fe9c332e29f4db8da23000fda627c681e33592d9496ca497278396
                                                      • Opcode Fuzzy Hash: 5d1aa76a94c64984c06e26a43ffe3998f021ee813757f1b3cb1573a2f673d90a
                                                      • Instruction Fuzzy Hash: E5317B752406156BF3108B309C8AFAB7B99FB85761F204718FE939B2D1CAB1A808C750
                                                      APIs
                                                        • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,762283C0,1001BB36), ref: 100174C6
                                                        • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                                                        • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                                                      • sprintf.MSVCRT ref: 1001416F
                                                      • sprintf.MSVCRT ref: 10014184
                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 100141B0
                                                      • RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 100141CF
                                                      • RegCloseKey.ADVAPI32(?), ref: 100141DE
                                                      • RegCloseKey.ADVAPI32(?), ref: 100141F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Closesprintf$AddressHandleLibraryLoadModuleOpenProcValue
                                                      • String ID: %s\%s$DwmEnableComposition$Dwmapi.dll$Software\Microsoft\Windows\DWM$SuppressDisableCompositionUI
                                                      • API String ID: 4114852116-3285329454
                                                      • Opcode ID: f95c8638a6eec1af999b9b30360cc7607a1f77164d8b3b362c64c7dbd84d459e
                                                      • Instruction ID: 3c80574b7c74393b933e56cd7828a7ca5a0613af95fff4d3ee7798af007ab6d2
                                                      • Opcode Fuzzy Hash: f95c8638a6eec1af999b9b30360cc7607a1f77164d8b3b362c64c7dbd84d459e
                                                      • Instruction Fuzzy Hash: AB21D475604202BBE310EB24CC81FA737A8EF88795F00892CFB559A090DB34E589C765
                                                      APIs
                                                      • wsprintfA.USER32 ref: 100226C5
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100226DB
                                                      • lstrcatA.KERNEL32(?,?), ref: 100226EE
                                                      • LocalAlloc.KERNEL32(00000040,00000400), ref: 100226FB
                                                      • GetFileAttributesA.KERNEL32(?), ref: 1002270B
                                                      • LoadLibraryA.KERNEL32(?), ref: 1002271E
                                                      • lstrlenA.KERNEL32(?,?,?,76230F00), ref: 10022739
                                                      • lstrlenA.KERNEL32(?,?,76230F00), ref: 10022759
                                                      • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,76230F00), ref: 10022763
                                                      • LocalFree.KERNEL32(00000000,?,76230F00), ref: 10022777
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                      • String ID: \termsrv_t.dll
                                                      • API String ID: 2807520882-1337493607
                                                      • Opcode ID: d05dafc5fe6d14057582a55e5b4722bc21772c6013dc9381755346d13f2db951
                                                      • Instruction ID: a9041602d65a234f1924c5882a4677b5f27ea997392bc1cbde97f530f7afb129
                                                      • Opcode Fuzzy Hash: d05dafc5fe6d14057582a55e5b4722bc21772c6013dc9381755346d13f2db951
                                                      • Instruction Fuzzy Hash: 1E21F37A104315AFD324DB60DC88EEB77A8EB85310F108B18FA56D6190DB74E509CB62
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,C:\Windows\System32,76230F00,0000005C,00000000,00000000,76230F00,1001C7E6,?,?,?,?,?,?,?), ref: 1002755E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027567
                                                      • CreateThread.KERNEL32(?,?,10027430,?,?,?), ref: 10027595
                                                      • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?), ref: 100275A7
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100275AA
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 100275BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                      • String ID: C:\Windows\System32$CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                      • API String ID: 2992130774-1560667073
                                                      • Opcode ID: 2c1ff59eba6be876e36673c30af6e9a69b8f08df05ac575060c6b707c4ef4945
                                                      • Instruction ID: 2f0a56f5d40e5cff3a63aa68bef0bb8a478e86ce94cfbdcd054d9ceef03db571
                                                      • Opcode Fuzzy Hash: 2c1ff59eba6be876e36673c30af6e9a69b8f08df05ac575060c6b707c4ef4945
                                                      • Instruction Fuzzy Hash: EC111E75608315BFD640DFA88C84F9BBBE8EBCC324F504A0DF698D3251C674E9058B92
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: inet_ntoa$htons$inet_addr
                                                      • String ID:
                                                      • API String ID: 2325850693-0
                                                      • Opcode ID: 7711c2c0ef5c6fd9459687e63668e4694d41ab158b696797557cc579b1db685e
                                                      • Instruction ID: c2d84828078161eef70251933b02086fe87a673e7704824fe2fba3b5f06ae9bb
                                                      • Opcode Fuzzy Hash: 7711c2c0ef5c6fd9459687e63668e4694d41ab158b696797557cc579b1db685e
                                                      • Instruction Fuzzy Hash: E151353A6042509BCB08CF38A8501AFB7D1FF88720B55816DFD8ADB341DA31EC82C765
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ACDE
                                                      • Process32First.KERNEL32(00000000,?), ref: 1000ACF3
                                                      • GetLastError.KERNEL32(00000000,?), ref: 1000AD00
                                                      • _wcsupr.MSVCRT ref: 1000AD1D
                                                      • _wcsupr.MSVCRT ref: 1000AD26
                                                      • wcsstr.MSVCRT ref: 1000AD2A
                                                      • Process32Next.KERNEL32(00000000,?), ref: 1000AD4D
                                                      • _strlwr.MSVCRT ref: 1000AD67
                                                      • _strlwr.MSVCRT ref: 1000AD6A
                                                      • strstr.MSVCRT ref: 1000AD72
                                                      • Process32Next.KERNEL32(00000000,?), ref: 1000AD81
                                                      • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000AD8B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                      • String ID:
                                                      • API String ID: 146143966-0
                                                      • Opcode ID: 8e3b6b6b81d8187c1f3e13b0ae20789b261b71289c528d48fd7dc81e6dc95482
                                                      • Instruction ID: 8fcf719c2b2fbdd5341f51715748a92587a5c4cc408969bfd69fa5135a0b05d1
                                                      • Opcode Fuzzy Hash: 8e3b6b6b81d8187c1f3e13b0ae20789b261b71289c528d48fd7dc81e6dc95482
                                                      • Instruction Fuzzy Hash: E811937A1013157BF350E7659C85AEB77DCEFC5391F814A29FD0282111EB39FA4886B1
                                                      APIs
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                                                        • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                                                      • NetUserDel.NETAPI32(00000000,00000000), ref: 100215D8
                                                      • #825.MFC42(00000000,00000000,00000000), ref: 100215E0
                                                      • wsprintfA.USER32 ref: 10021628
                                                      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10021648
                                                      • Sleep.KERNEL32(00000032), ref: 10021654
                                                        • Part of subcall function 100210A0: LocalSize.KERNEL32(00000000), ref: 100210B0
                                                        • Part of subcall function 100210A0: LocalFree.KERNEL32(00000000,?,1002159A,00000001,?,00000000,00000001,?,?), ref: 100210C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharLocalMultiWide$#823#825FreeOpenSizeSleepUserwsprintf
                                                      • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                      • API String ID: 3751864237-1111274145
                                                      • Opcode ID: b8c23196a3a83fa7ffb35ae4972e3dae7a6f759f9ab6db5e449d1d71dc04ed71
                                                      • Instruction ID: 19f2a48cf0ea9bc467426b91027db1d1e551371d79a469111d0dba8f8b1a22a4
                                                      • Opcode Fuzzy Hash: b8c23196a3a83fa7ffb35ae4972e3dae7a6f759f9ab6db5e449d1d71dc04ed71
                                                      • Instruction Fuzzy Hash: DE31E47A2043156BE214DB24FC85FEF77D8EBD5294F80092DFE4596241EA39E90C87A2
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                      • API String ID: 2574300362-4065288365
                                                      • Opcode ID: 2f637b39e38ff6b7ca012c7e9c1340899ad12a80c5c05bc5b15e4a0ab5224134
                                                      • Instruction ID: 5138c781762bdaf7d2be9a3f8db0ee17f07db1ab80d4ea102ccef75462070410
                                                      • Opcode Fuzzy Hash: 2f637b39e38ff6b7ca012c7e9c1340899ad12a80c5c05bc5b15e4a0ab5224134
                                                      • Instruction Fuzzy Hash: 3F21F672600204ABDB14DF68DC84A967BE4FFC8311F114469EB059B345DB36E909DBE0
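The API listings in this report are flat per-function call traces: the Toolhelp32 process walk with strstr/wcsstr matching at 1000ACDE, the NetUserDel plus SAM-key polling at 100215D8, the DWM registry write at 100141CF, the LoadLibraryA/GetProcAddress resolvers at 1002755E and 100014C9, and the OpenSCManagerA/OpenServiceA/ControlService/DeleteService sequence at 10015A20 further down. The following is an added example, not part of the Joe Sandbox report or of the sample's own code: a Python parser for this listing format that groups calls per function block and tags behaviours by an ordered API subsequence plus argument checks. The tag names and rule set are my own choices; the embedded input is a constructed copy of lines from the listings on this page; the constant meanings used in the rules (TH32CS_SNAPPROCESS = 0x2, SERVICE_CONTROL_STOP = 0x1, and the SERVICE_* access bits that make OpenServiceA's 0x00010024 read as DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS) are the Win32 SDK values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One line of a Joe Sandbox "APIs" listing. Three shapes occur on this page:
#   • CreateFileA.KERNEL32(?,40000000,00000002), ref: 1000A92D
#   • sprintf.MSVCRT ref: 1001416F
#     • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    parent: Optional[str]  # callee address when the line is a "Part of subcall" entry


def parse_call(line: str) -> Optional[Call]:
    """Parse one API line; None for section headers and other non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return Call(m.group("name"), m.group("module"), args, m.group("ref").upper(), m.group("parent"))


def parse_blocks(text: str) -> list:
    """Split on the report's "APIs" headers; each block is one analysed function."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                blocks.append(current)
            current = []
            continue
        call = parse_call(line)
        if call:
            current.append(call)
    if current:
        blocks.append(current)
    return blocks


def _subseq(required, names):
    """True if `required` occurs in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(any(r == n for n in it) for r in required)


# (tag, ordered API subsequence, argument-level predicate over the block's own calls).
# Rule names are this example's own; constants are Win32 SDK values.
RULES = [
    ("process-enumeration-by-name",
     ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
     lambda cs: any(c.name == "CreateToolhelp32Snapshot" and c.args[:1] == ["00000002"] for c in cs)  # TH32CS_SNAPPROCESS
     and any(c.name in ("strstr", "wcsstr") for c in cs)),
    ("service-stop-and-delete",
     ("OpenSCManagerA", "OpenServiceA", "ControlService", "DeleteService"),
     lambda cs: any(c.name == "ControlService" and c.args[1:2] == ["00000001"] for c in cs)),  # SERVICE_CONTROL_STOP
    ("local-account-deletion", ("NetUserDel",), lambda cs: True),
    ("dynamic-api-resolution", ("LoadLibraryA", "GetProcAddress"), lambda cs: True),
    ("dwm-registry-tamper",
     ("RegOpenKeyExA", "RegSetValueExA", "RegCloseKey"),
     lambda cs: any("SuppressDisableCompositionUI" in c.args for c in cs)),
]

# SERVICE_* access rights plus the generic DELETE right, for OpenServiceA's dwDesiredAccess.
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG", 0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS", 0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL", 0x10000: "DELETE",
}


def decode_service_access(mask: int) -> list:
    return [name for bit, name in sorted(SERVICE_ACCESS.items()) if mask & bit]


def analyze(text: str) -> list:
    """Per block: first own ref, own API names (subcall lines excluded) and matching tags."""
    out = []
    for calls in parse_blocks(text):
        own = [c for c in calls if c.parent is None]
        names = [c.name for c in own]
        tags = [tag for tag, seq, pred in RULES if _subseq(seq, names) and pred(own)]
        out.append({"first_ref": own[0].ref if own else None, "apis": names, "tags": tags})
    return out


# Constructed input: API lines copied from the listings on this page, one "APIs" block per function.
SAMPLE = r"""APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ACDE
• Process32First.KERNEL32(00000000,?), ref: 1000ACF3
• _strlwr.MSVCRT ref: 1000AD67
• strstr.MSVCRT ref: 1000AD72
• Process32Next.KERNEL32(00000000,?), ref: 1000AD81
APIs
  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
• NetUserDel.NETAPI32(00000000,00000000), ref: 100215D8
• RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10021648
• Sleep.KERNEL32(00000032), ref: 10021654
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000001), ref: 10015A20
• OpenServiceA.ADVAPI32(00000000,?,00010024), ref: 10015A4A
• ControlService.ADVAPI32(00000000,00000001,?), ref: 10015A73
• DeleteService.ADVAPI32(00000000), ref: 10015A7A
APIs
  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 100141B0
• RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 100141CF
• RegCloseKey.ADVAPI32(?), ref: 100141DE
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
• GetProcAddress.KERNEL32(00000000), ref: 100014D2
"""

if __name__ == "__main__":
    for block in analyze(SAMPLE):
        print(block["first_ref"], block["tags"])
    print("OpenServiceA 0x10024 =", decode_service_access(0x10024))
```

"Part of subcall function" entries are parsed but excluded from tagging, so a block is tagged for what its own code does rather than for its helpers; the DWM block above therefore does not pick up the dynamic-resolution tag from its 100174C0 subcall. The rules are deliberately argument-aware: a Toolhelp snapshot taken with anything other than TH32CS_SNAPPROCESS, or a ControlService that is not a stop, does not match.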
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000001), ref: 10015A20
                                                      • OpenServiceA.ADVAPI32(00000000,?,00010024), ref: 10015A4A
                                                      • GetLastError.KERNEL32 ref: 10015A52
                                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10015A5E
                                                      • ControlService.ADVAPI32(00000000,00000001,?), ref: 10015A73
                                                      • DeleteService.ADVAPI32(00000000), ref: 10015A7A
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10015A87
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10015A8A
                                                      • Sleep.KERNEL32(000000C8), ref: 10015A91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$Open$CloseHandleProcess$ControlCurrentDeleteErrorLastManagerQuerySleepStatusToken
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 566901190-2896544425
                                                      • Opcode ID: a868cea441b0b181d1bcda42c1527c7f915a78cd6b44cba96a3f0420c669ae6a
                                                      • Instruction ID: 2ef96949fae8660429f2246ed8f4a0e5e55a9ea50cfbc658a5a9164771e757bf
                                                      • Opcode Fuzzy Hash: a868cea441b0b181d1bcda42c1527c7f915a78cd6b44cba96a3f0420c669ae6a
                                                      • Instruction Fuzzy Hash: FF112C39550310BFE210E7648CDEFDE3B64EF99316F148624FA445A191DB71A54C87A2
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,100274E9,00000000), ref: 1002773B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027744
                                                        • Part of subcall function 10027670: LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,76230BD0,00000000,?,7622F550), ref: 1002768A
                                                        • Part of subcall function 10027670: GetProcAddress.KERNEL32(00000000), ref: 10027693
                                                        • Part of subcall function 10027670: LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7622F550), ref: 100276A1
                                                        • Part of subcall function 10027670: GetProcAddress.KERNEL32(00000000), ref: 100276A4
                                                        • Part of subcall function 10027670: GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100276C8
                                                      • LoadLibraryA.KERNEL32(USER32.dll,OpenInputDesktop,?,?,00000000,100274E9,00000000), ref: 1002775E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027767
                                                      • LoadLibraryA.KERNEL32(USER32.dll,CloseDesktop), ref: 10027795
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10027798
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$InformationObjectUser
                                                      • String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$USER32.dll
                                                      • API String ID: 3339922732-643134891
                                                      • Opcode ID: f49df19dfd7a481f2431d29014ac3989a76107643ac1541244d958575534b706
                                                      • Instruction ID: 05f3591641b59c40158af03f51d3c63c2cafec4d9869337a30d4bd98cc44708c
                                                      • Opcode Fuzzy Hash: f49df19dfd7a481f2431d29014ac3989a76107643ac1541244d958575534b706
                                                      • Instruction Fuzzy Hash: AB01817B74122A3BF515A3B96C81FCEA388EFC46A6F524032FB04EA150C795AC4115B5
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1001DA77
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001DA80
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 1001DA8E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001DA91
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForMultipleObjects), ref: 1001DA9F
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1001DAA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: KERNEL32.dll$TerminateProcess$TerminateThread$WaitForMultipleObjects
                                                      • API String ID: 2574300362-2489239429
                                                      • Opcode ID: 10c1ec8c4877e19d46f263a7d3b2d516325cf5ac19bf207d9ddd888e972d4674
                                                      • Instruction ID: 767bbe9493450f20dd53a46692bd469db8e7ab75656f4deba809bf7e4cf9941f
                                                      • Opcode Fuzzy Hash: 10c1ec8c4877e19d46f263a7d3b2d516325cf5ac19bf207d9ddd888e972d4674
                                                      • Instruction Fuzzy Hash: BC01DE36A403143BD610E7B18C98F8B7FD8DBC8721F000A19FA10A7280CE75F8008AE4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                      • String ID:
                                                      • API String ID: 3289936468-0
                                                      • Opcode ID: ffe1d05bc46bad58c184e752a090555fdc136e5519369ff024ebe97c9b2de9d7
                                                      • Instruction ID: a127b58851b469d197b267c5449f29fdd50635439a07f794ce76bf9a14914ea7
                                                      • Opcode Fuzzy Hash: ffe1d05bc46bad58c184e752a090555fdc136e5519369ff024ebe97c9b2de9d7
                                                      • Instruction Fuzzy Hash: E041B9B5C04666AFEB61CF188C447EDBBE9FF096D0F200279E899A3245D7381942C7A5
                                                      APIs
                                                      • #540.MFC42 ref: 1000ECF8
                                                      • #858.MFC42(00000004), ref: 1000ED16
                                                      • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 1000ED49
                                                      • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000ED58
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000ED66
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000ED74
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000ED81
                                                      • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 1000EDA9
                                                      • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 1000EDB6
                                                      • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000EDC6
                                                      • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 1000EDD8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#858$#535#540#922#939
                                                      • String ID:
                                                      • API String ID: 1721966335-0
                                                      • Opcode ID: 0ae253e1f802128a8e6d560b9639d3bc5af11960c1f5d73089830ab73fe0ca2d
                                                      • Instruction ID: a0ce5428e411c9d519dac12fa635146fb428cb3c23d217010fe0ee268cc2c2b7
                                                      • Opcode Fuzzy Hash: 0ae253e1f802128a8e6d560b9639d3bc5af11960c1f5d73089830ab73fe0ca2d
                                                      • Instruction Fuzzy Hash: E7318E79109381ABD301DB24D455B9FBBE8EF98754F400E0DF8D963292DB34AA08C767
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E192
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000E209
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 1000E218
                                                      • #823.MFC42(00000000), ref: 1000E221
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000E234
                                                      • #825.MFC42(00000000), ref: 1000E25C
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000E265
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$#823#825CloseCreateDirectoryHandleReadSizeSystem
                                                      • String ID: .key$6gkIBfkS+qY=
                                                      • API String ID: 836583384-3577161720
                                                      • Opcode ID: f6c8326082b23d6279ffa8405f357592c43ee62e521fba7e4166068b07f62420
                                                      • Instruction ID: 61497290cd371e3597cec339e2895b0745de3c3bbeacfb8a241aa010364a87dc
                                                      • Opcode Fuzzy Hash: f6c8326082b23d6279ffa8405f357592c43ee62e521fba7e4166068b07f62420
                                                      • Instruction Fuzzy Hash: BB3148711046056FE300DB34CC85A9B7BD9FB89360F100B2CFA62D72D1DAB59948C791
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 10015931
                                                      • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 10015958
                                                      • LockServiceDatabase.ADVAPI32(00000000), ref: 10015961
                                                      • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100159A7
                                                      • UnlockServiceDatabase.ADVAPI32(00000000), ref: 100159B2
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 100159BF
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 100159C2
                                                      • Sleep.KERNEL32(000000C8), ref: 100159C9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2207141857-2896544425
                                                      • Opcode ID: cf75de3677da97c66b1eac7bdbbb7aa4f4f6883692a68a1fe093881d4b22c12d
                                                      • Instruction ID: 41c3ee73928a091b4b75727be2cb4efa7427b7bd48286d0f2c9fd581ce7a7384
                                                      • Opcode Fuzzy Hash: cf75de3677da97c66b1eac7bdbbb7aa4f4f6883692a68a1fe093881d4b22c12d
                                                      • Instruction Fuzzy Hash: 12115934244255EBE220EB288C8AFDE3798DF92322F154224FE449F2D1CA72D84A4763
                                                      APIs
                                                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10024F0F
                                                      • GetCurrentProcess.KERNEL32(?), ref: 10024F1A
                                                      • IsWow64Process.KERNEL32(00000000), ref: 10024F21
                                                      • SetFileAttributesA.KERNEL32(00000000,00000080), ref: 10024F65
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 10024F7F
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10024FA4
                                                      • CloseHandle.KERNEL32(00000000), ref: 10024FAB
                                                      Strings
                                                      • \sysnative\drivers\etc\hosts, xrefs: 10024F38
                                                      • \system32\drivers\etc\hosts, xrefs: 10024F4C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Process$AttributesCloseCreateCurrentDirectoryHandleWindowsWow64Write
                                                      • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                      • API String ID: 4291671391-1011561390
                                                      • Opcode ID: dfbd6178d270d8325a7b131624da07196af4a7e742f34f3f56c1c16566298b63
                                                      • Instruction ID: 4568ac19c5ae6f984bb9c0e2c7236e9d568ef5c3514a30908fd8eba0bd32fed6
                                                      • Opcode Fuzzy Hash: dfbd6178d270d8325a7b131624da07196af4a7e742f34f3f56c1c16566298b63
                                                      • Instruction Fuzzy Hash: 79219375104310BBE354DB24CC49FDBBBE8FB88710F508F28FA95961D0DBB4A9488791
                                                      APIs
                                                        • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                                                        • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10015AE0
                                                      • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 10015B07
                                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10015B15
                                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10015B35
                                                      • ControlService.ADVAPI32(00000000,00000001,?), ref: 10015B4A
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10015B57
                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 10015B5A
                                                      • Sleep.KERNEL32(000000C8), ref: 10015B61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 3878120848-2896544425
                                                      • Opcode ID: 3ce517399e9ed1e502cd560a2fffde9f3d78e329874cd9e41453f29785be35a8
                                                      • Instruction ID: 1d0f87f25a0cef4413373a9629e3e746f07c286f2f787a13798e99f4b19be84d
                                                      • Opcode Fuzzy Hash: 3ce517399e9ed1e502cd560a2fffde9f3d78e329874cd9e41453f29785be35a8
                                                      • Instruction Fuzzy Hash: 8A112B34654214FFE220E7248CDAFDE7BA4EF95752F154A14FE04AF190D771E8888B62
                                                      APIs
                                                      • #2614.MFC42(?,?,1000706F), ref: 10007574
                                                      • #860.MFC42(*.*,?,?,1000706F), ref: 10007581
                                                      • #3811.MFC42(?,*.*,?,?,1000706F), ref: 100075A2
                                                      • #3811.MFC42(?,?,*.*,?,?,1000706F), ref: 100075B1
                                                      • #3811.MFC42(?,?,?,*.*,?,?,1000706F), ref: 100075C0
                                                      • #3811.MFC42(?,?,?,?,*.*,?,?,1000706F), ref: 100075CF
                                                      • #3811.MFC42(?,?,?,?,?,*.*,?,?,1000706F), ref: 100075DE
                                                      • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,1000706F), ref: 100075ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3811$#2614#860
                                                      • String ID: *.*
                                                      • API String ID: 4293058641-438819550
                                                      • Opcode ID: f7e80b46e8e8ad192a980f7d64b587719454c85639dc02cddce59df522029549
                                                      • Instruction ID: 886016e6cc9c24fc1ad7d238590431bfb23b4bf9589cd23df48c0071d0ebcafa
                                                      • Opcode Fuzzy Hash: f7e80b46e8e8ad192a980f7d64b587719454c85639dc02cddce59df522029549
                                                      • Instruction Fuzzy Hash: EF11C2B9805B019FC364DF65D585947B7F4FF886007808E2EB18AC7A21E738F6049F91
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,100050D9,?,?), ref: 10005144
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000514D
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,100050D9,?,?), ref: 1000515B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000515E
                                                      • malloc.MSVCRT ref: 1000517F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$malloc
                                                      • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                      • API String ID: 1625907898-566195008
                                                      • Opcode ID: a73406a0adc5e66accce3e236893738fa79a00bb5dc0068611bde8894a42f104
                                                      • Instruction ID: d18e7df542eac22ebb7ecdbcd3e1eaee5414bd8950a5a21a81c744e59eaea12e
                                                      • Opcode Fuzzy Hash: a73406a0adc5e66accce3e236893738fa79a00bb5dc0068611bde8894a42f104
                                                      • Instruction Fuzzy Hash: 16F0C8B65403197BE610A7748C4AF67BBECDF84351F118426F641D3310DA69E80087B1
                                                      APIs
                                                      • select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 1001F7A5
                                                      • _errno.MSVCRT ref: 1001F7AF
                                                      • __WSAFDIsSet.WS2_32(?,?), ref: 1001F7C7
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 1001F7DD
                                                      • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 1001F816
                                                      • inet_addr.WS2_32(00000000), ref: 1001F897
                                                      • htons.WS2_32(?), ref: 1001F8A6
                                                      • Sleep.KERNEL32(00000005,00000000,?), ref: 1001F920
                                                      • closesocket.WS2_32 ref: 1001F935
                                                      • closesocket.WS2_32(?), ref: 1001F93B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocket$Sleep_errnohtonsinet_addrrecvfromselect
                                                      • String ID:
                                                      • API String ID: 2127894283-0
                                                      • Opcode ID: a14384a698a24317f3d9bb2e5b19546c97c6d3696cb471342b9180b9e8079b4f
                                                      • Instruction ID: 8f7cdc0751f26ed70635fe3987a00804b8bbec81c42ef1f195f88b90dc5300a6
                                                      • Opcode Fuzzy Hash: a14384a698a24317f3d9bb2e5b19546c97c6d3696cb471342b9180b9e8079b4f
                                                      • Instruction Fuzzy Hash: FE516EB5508341ABD720DF24D848AAFB7E8EFC8714F008E2EF99997250E770D945CB66
                                                      APIs
                                                        • Part of subcall function 10015760: ReleaseDC.USER32(00000000,?), ref: 10015778
                                                        • Part of subcall function 10015760: GetDC.USER32(00000000), ref: 10015780
                                                      • GetCursorPos.USER32(?), ref: 10014F86
                                                      • GetSystemMetrics.USER32(00000000), ref: 10014F95
                                                      • _ftol.MSVCRT ref: 10014FB3
                                                      • _ftol.MSVCRT ref: 10014FC8
                                                      • GetCursorInfo.USER32(?,?,00000008), ref: 10014FEE
                                                      • DestroyCursor.USER32(?), ref: 10015019
                                                      • BitBlt.GDI32(?,00000000,00000000,100144BA,?,?,00000000,00000000,?), ref: 1001505C
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 100150B3
                                                      • Sleep.KERNEL32(00000001), ref: 100150D3
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 100150DC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                      • String ID:
                                                      • API String ID: 2306850792-0
                                                      • Opcode ID: 4ce84d975e1e076a76ee98180abf802b20060a920d25cd688c076c42bcce2763
                                                      • Instruction ID: ce7c7a6fb899e1e3feb067bdd5b156bbe32988fcb1e3e2f33d4d55095503025d
                                                      • Opcode Fuzzy Hash: 4ce84d975e1e076a76ee98180abf802b20060a920d25cd688c076c42bcce2763
                                                      • Instruction Fuzzy Hash: 91519A75204B00DFD325DF69C891A9BB7E5FF88701F548A1CFA928B290E771F8858B91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeatoi
                                                      • String ID:
                                                      • API String ID: 804761504-0
                                                      • Opcode ID: 58d56ab3cf45778fe87170a0f8302ecf9a1404fe5e69cada2aa785e03c6c3e59
                                                      • Instruction ID: 33b99e4236c682c1ff544956042dcef2d68a68459d95c472ebf3e151dc08d8b3
                                                      • Opcode Fuzzy Hash: 58d56ab3cf45778fe87170a0f8302ecf9a1404fe5e69cada2aa785e03c6c3e59
                                                      • Instruction Fuzzy Hash: 823137354046556BE329DB388C449FB7BD4EB99360F244B2EF9A6C31D1EE74E90883A1
                                                      APIs
                                                      • ReleaseDC.USER32(00000000,?), ref: 10014D74
                                                      • DeleteDC.GDI32(?), ref: 10014D84
                                                      • DeleteDC.GDI32(?), ref: 10014D8A
                                                      • DeleteDC.GDI32(?), ref: 10014D90
                                                      • DeleteObject.GDI32(?), ref: 10014D9C
                                                      • DeleteObject.GDI32(?), ref: 10014DA2
                                                      • #825.MFC42(?,?,?,?,?,?,?,1009464C,000000FF,10014D28), ref: 10014DC3
                                                      • #825.MFC42(?,?,?,?,?,?,?,1009464C,000000FF,10014D28), ref: 10014DD3
                                                      • #825.MFC42(?,?,?,?,?,?,?,1009464C,000000FF,10014D28), ref: 10014DE3
                                                      • DestroyCursor.USER32(?), ref: 10014E09
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Delete$#825$Object$CursorDestroyRelease
                                                      • String ID:
                                                      • API String ID: 719826280-0
                                                      • Opcode ID: ea7f09c0dd095e3cfa6090820c4273ac288a19fbaf2b7b8253a498c45a577bbf
                                                      • Instruction ID: 267969eacb6f8dabddd7ecadcf41464d9208151a92df99a288ea960b47bf0bfc
                                                      • Opcode Fuzzy Hash: ea7f09c0dd095e3cfa6090820c4273ac288a19fbaf2b7b8253a498c45a577bbf
                                                      • Instruction Fuzzy Hash: CD21DEB9A00B409BD620DF25DC80B57F3E8EF84650F114A1DF99687360DB79F804CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#801#825
                                                      • String ID:
                                                      • API String ID: 3675457401-0
                                                      • Opcode ID: 60529bdddc34d0559af31597c17837888980222ee8d980a9dfd145a347542e94
                                                      • Instruction ID: 711dbe9aa5bc6af227e0257676b66c009fe867b3274259c2b48d0f5be073422d
                                                      • Opcode Fuzzy Hash: 60529bdddc34d0559af31597c17837888980222ee8d980a9dfd145a347542e94
                                                      • Instruction Fuzzy Hash: 20214C79008781DED320DF29D489B5ABBE4EF54710F84895CF8A543782DB74B609CF62
                                                      APIs
                                                        • Part of subcall function 10016650: wsprintfA.USER32 ref: 100166DF
                                                      • lstrlenA.KERNEL32(?,?,?,00000000,762332F0,?,?,?,?,00000000,00001F99,?,762323A0), ref: 100168B5
                                                      • lstrlenA.KERNEL32(?,?,?,?,?,00000000,00001F99,?,762323A0), ref: 100168CD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$wsprintf
                                                      • String ID: M$T$a$e$i$k$m$r
                                                      • API String ID: 1220175532-394501062
                                                      • Opcode ID: 29caf255ba95ae19ab128c463488f669d950603d8611970e7e7a041451170205
                                                      • Instruction ID: 444a3b2983720071a96c7c8884fb9f16ad14e4eb1c6d087ba26a0b7a3471e439
                                                      • Opcode Fuzzy Hash: 29caf255ba95ae19ab128c463488f669d950603d8611970e7e7a041451170205
                                                      • Instruction Fuzzy Hash: E8012C2110C3D29AD301DB288C44B8BBFD59FD6648F08494CF5D456282D77AA65DC7FB
                                                      APIs
                                                        • Part of subcall function 100275D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
                                                        • Part of subcall function 100275D0: Process32First.KERNEL32(00000000,00000000), ref: 1002760B
                                                        • Part of subcall function 100275D0: _stricmp.MSVCRT(?,?,00000002,00000000), ref: 10027627
                                                        • Part of subcall function 100275D0: Process32Next.KERNEL32(00000000,?), ref: 10027636
                                                        • Part of subcall function 100275D0: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 10027640
                                                      • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 10027AE2
                                                      • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 10027AFC
                                                       • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,00000000,?), ref: 10027B22
                                                       • #823.MFC42(?), ref: 10027B2F
                                                       • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,?,?), ref: 10027B4E
                                                      • #823.MFC42(00000100), ref: 10027B6A
                                                      • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 10027B91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_stricmp
                                                      • String ID: explorer.exe
                                                      • API String ID: 2854352592-3187896405
                                                      • Opcode ID: 8fe462df509430f617e41447442ca30ecd45d84b5a0de526e8e23182d89c2a4c
                                                      • Instruction ID: 8fb1ee092e6bdff437a95fc7b6c82c6352318731551f21aec1ebf3126f09b0e5
                                                      • Opcode Fuzzy Hash: 8fe462df509430f617e41447442ca30ecd45d84b5a0de526e8e23182d89c2a4c
                                                      • Instruction Fuzzy Hash: FF411FB5D50228AFDB11DF99DC85BDEBBB8FB48750F10411AF619A3240D7705904CFA4
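The entry above opens a process by PID with PROCESS_QUERY_INFORMATION (0x400), opens its token with TOKEN_QUERY (0x8), calls GetTokenInformation with information class 1 (TokenUser in TOKEN_INFORMATION_CLASS; TokenIntegrityLevel is 25) once with a zero-length buffer to learn the required size, allocates that many bytes through MFC42 ordinal 823 (operator new), calls it again to fill the buffer, and hands the SID inside it to LookupAccountSidA. Together with the explorer.exe string and the Toolhelp32 walk in the callee, this is the usual way a RAT learns which account owns the interactive desktop. The Python below is an added example, not code from the report or from the sample: it decodes the TOKEN_USER buffer such a call returns in a 32-bit process (the module at 0x10000000 is 32-bit) from a constructed memory dump, converts the binary SID to its S-1-... text form and labels it against Microsoft's documented well-known SIDs and integrity-label RIDs. The buffer address 0x00402000 and the user SID are constructed for the example.

```python
import struct

# Well-known SIDs and integrity-label RIDs as documented by Microsoft.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
INTEGRITY = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}

def sid_to_string(blob, offset=0):
    """Decode a binary SID at blob[offset:]: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then little-endian
    32-bit sub-authorities. Returns the S-R-A-S1-S2-... string form."""
    if len(blob) - offset < 8:
        raise ValueError("SID header truncated")
    revision, count = blob[offset], blob[offset + 1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID header")
    if len(blob) - offset < 8 + 4 * count:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def string_to_sid(text):
    """Inverse of sid_to_string; used here only to build constructed input."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def describe_sid(sid):
    """Label a SID string: well-known service account, integrity label, or account RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    rid = int(sid.split("-")[-1])
    if sid.startswith("S-1-16-"):
        return "integrity label: " + INTEGRITY.get(rid, "0x%x" % rid)
    if sid.startswith("S-1-5-21-"):
        if rid == 500:
            return "built-in Administrator"
        return "domain/local account (RID %d)" % rid
    return "other"

def parse_token_user_x86(buf, buf_va):
    """Parse the buffer GetTokenInformation(TokenUser) fills in a 32-bit process:
    SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes} followed by the SID itself.
    Sid is an absolute pointer, so the buffer's own virtual address is required."""
    sid_ptr, attributes = struct.unpack_from("<II", buf, 0)
    if not buf_va <= sid_ptr < buf_va + len(buf):
        raise ValueError("Sid pointer does not point into the buffer")
    return sid_to_string(buf, sid_ptr - buf_va), attributes

# Constructed sample: a TOKEN_USER buffer as it would sit at the hypothetical
# address 0x00402000, describing a local user account with RID 1001.
SAMPLE_VA = 0x00402000
SAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_TOKEN_USER = struct.pack("<II", SAMPLE_VA + 8, 0) + string_to_sid(SAMPLE_USER_SID)

if __name__ == "__main__":
    sid, attrs = parse_token_user_x86(SAMPLE_TOKEN_USER, SAMPLE_VA)
    print(sid, hex(attrs), describe_sid(sid))
```

When the process whose token is read is explorer.exe, the SID decoded here is the interactive user's, which is what LookupAccountSidA turns into a name for the operator; a LocalSystem SID there would mean the snapshot matched something other than the desktop shell.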
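Reading function entries like the ones on this page one at a time is slow, but the API bullets and the String ID line of each entry are regular enough to parse. Below is an added Python triage script, not part of the report or of the sample, that splits a listing at each "APIs" header, collects the API names (including those reached through "Part of subcall function" lines) and the String IDs, and tags each entry with a capability: the LoadLibraryA/GetProcAddress resolver with the export names it looks up, the Toolhelp32 process walk and the token/LookupAccountSidA lookup aimed at explorer.exe, the select/recvfrom UDP loop, the GetCursorPos/GetCursorInfo/BitBlt screen grab, the SeDebugPrivilege string, and the CreateFileA(OPEN_ALWAYS)/SetFilePointer(FILE_END)/rand/WriteFile(0x400) sequence of the entry that follows. The rule set and tag names are this example's own; the last rule is a heuristic (the sequence is consistent with appending pseudo-random bytes to a file, which the listing alone does not prove). The sample input is constructed from entries on this page, trimmed to the fields the parser uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five function entries in the report's IDA-plugin format,
# trimmed to the "APIs" bullets and the "String ID" line the parser reads.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 100275D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
  • Part of subcall function 100275D0: Process32First.KERNEL32(00000000,00000000), ref: 1002760B
  • Part of subcall function 100275D0: Process32Next.KERNEL32(00000000,?), ref: 10027636
• OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 10027AE2
• OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 10027AFC
• GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 10027B22
• LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 10027B91
• String ID: explorer.exe
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,100050D9,?,?), ref: 10005144
• GetProcAddress.KERNEL32(00000000), ref: 1000514D
• String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
APIs
• select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 1001F7A5
• recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 1001F816
• String ID:
APIs
• GetCursorPos.USER32(?), ref: 10014F86
• GetCursorInfo.USER32(?,?,00000008), ref: 10014FEE
• BitBlt.GDI32(?,00000000,00000000,100144BA,?,?,00000000,00000000,?), ref: 1001505C
• String ID:
APIs
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C9C4
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000C9DD
• rand.MSVCRT ref: 1000CA23
• WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000), ref: 1000CA55
• String ID: KERNEL32.dll
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix, then Name.MODULE
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>[A-Z0-9_]+)")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

@dataclass
class Entry:
    apis: set = field(default_factory=set)          # called by the function itself
    subcall_apis: set = field(default_factory=set)  # reached through a callee
    strings: list = field(default_factory=list)     # String ID values, "$"-separated

def parse_entries(text):
    """Split the listing at each 'APIs' header; collect API names and String IDs."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            (cur.subcall_apis if m.group("sub") else cur.apis).add(m.group("name"))
            continue
        m = STRING_LINE.match(line)
        if m:
            cur.strings.extend(s for s in m.group("ids").split("$") if s)
    return entries

# Capability rules (this example's own): every listed API must appear, directly
# or in a callee. The last one is a heuristic: the sequence is consistent with
# appending pseudo-random bytes to a file, but the listing does not prove intent.
API_RULES = [
    ({"LoadLibraryA", "GetProcAddress"}, "dynamic-api-resolution"),
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, "process-enumeration"),
    ({"OpenProcessToken", "GetTokenInformation", "LookupAccountSidA"}, "token-user-lookup"),
    ({"GetCursorPos", "GetCursorInfo", "BitBlt"}, "screen-capture-with-cursor"),
    ({"select", "recvfrom"}, "udp-receive-loop"),
    ({"CreateFileA", "SetFilePointer", "rand", "WriteFile"}, "file-append-random"),
]
STRING_RULES = [("SeDebugPrivilege", "requests-SeDebugPrivilege")]

def tag_entry(entry):
    """Return the sorted capability tags for one parsed entry."""
    seen = entry.apis | entry.subcall_apis
    tags = {tag for need, tag in API_RULES if need <= seen}
    tags |= {tag for s, tag in STRING_RULES if s in entry.strings}
    exes = [s for s in entry.strings if s.lower().endswith(".exe")]
    if "token-user-lookup" in tags and exes:
        tags.add("target-process:" + ",".join(exes))   # whose token is inspected
    if "dynamic-api-resolution" in tags:
        # Strings that are neither a DLL name nor fragments like ".23" are the resolved exports.
        names = [s for s in entry.strings if not s.startswith(".") and not s.lower().endswith(".dll")]
        if names:
            tags.add("resolves:" + ",".join(names))
    return sorted(tags)

def triage(text):
    return [tag_entry(e) for e in parse_entries(text)]

if __name__ == "__main__":
    for i, tags in enumerate(triage(SAMPLE_REPORT)):
        print("entry %d: %s" % (i, ", ".join(tags) or "(no tag)"))
```

Subcall APIs are merged into the match set on purpose: the explorer.exe lookup only reads as a process walk because the Toolhelp32 calls live in the callee at 100275D0, and a rule that ignored them would miss the combination.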
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000C98D
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C9C4
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000C9DD
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 1000C9E6
                                                      • rand.MSVCRT ref: 1000CA23
                                                      • WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000), ref: 1000CA55
                                                      • CloseHandle.KERNEL32(00000000), ref: 1000CA62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleLibraryLoadPointerSizeWriterand
                                                      • String ID: KERNEL32.dll
                                                      • API String ID: 4180104731-254546324
                                                      • Opcode ID: 2eb6df22c94bb8d320018805df85f29ae02bf5fcde4a2f8be9d69b8f3af7c5af
                                                      • Instruction ID: 363160233cbba4bdbf5164b264ae026e4aab9b3f9b291e32225bcd650f94b804
                                                      • Opcode Fuzzy Hash: 2eb6df22c94bb8d320018805df85f29ae02bf5fcde4a2f8be9d69b8f3af7c5af
                                                      • Instruction Fuzzy Hash: 15213D793803297FF310DB64CC89FAB3B98EB84B84F108224FF52A61D1CA7459098659
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintfwsprintf$FileModuleName
                                                      • String ID: %s:%d
                                                      • API String ID: 2407558147-1029262843
                                                      • Opcode ID: a77d58deffefb5e773a2d0cbb0d5c6b2355ae7b4356d8c02d1b717e7aeeddea6
                                                      • Instruction ID: 293e291833a65e9dc39294c9fefbe289423a078ec6efedfc22c1ef3b734b21dd
                                                      • Opcode Fuzzy Hash: a77d58deffefb5e773a2d0cbb0d5c6b2355ae7b4356d8c02d1b717e7aeeddea6
                                                      • Instruction Fuzzy Hash: 2421B3764082096BD224D724DC85FEB73ECEB88300F45891DFA9853140EBF475868BA2
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100225C6
                                                      • lstrcatA.KERNEL32(?,?), ref: 100225D8
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 100225F5
                                                      • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10022606
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10022623
                                                      • CloseHandle.KERNEL32(00000000), ref: 1002262A
                                                      • LocalFree.KERNEL32(?), ref: 1002265A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                      • String ID: p
                                                      • API String ID: 3379061965-2181537457
                                                      • Opcode ID: 0448c0b931146a8c36397459a33dc16f4ec4fcd6be4f3791ac0fe111e6f4aa32
                                                      • Instruction ID: 830bdd5a37aca25b5db47bd58d1b075b1b8376053e8957c8ffc8c3b5572035f6
                                                      • Opcode Fuzzy Hash: 0448c0b931146a8c36397459a33dc16f4ec4fcd6be4f3791ac0fe111e6f4aa32
                                                      • Instruction Fuzzy Hash: 4221AE75144315ABE304DF50CC85FEBB7E8FBC8705F008A0DF68196290D774AA098BA2
                                                      APIs
                                                        • Part of subcall function 10024920: GetCurrentProcess.KERNEL32(00000028), ref: 10024930
                                                        • Part of subcall function 10024920: OpenProcessToken.ADVAPI32(00000000), ref: 10024937
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10024A5A
                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 10024A6B
                                                      • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10024AA0
                                                      • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10024AA5
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10024AA8
                                                      • Thread32Next.KERNEL32(00000000,?), ref: 10024AB4
                                                      • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10024AC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 3882456823-2896544425
                                                      • Opcode ID: 41f8234be86a0e6329ecff16ca3db6cd7f35fb4f44d7ceefe697632872ad6ab8
                                                      • Instruction ID: 64c37f8667ca0752ba7e96fd820784caa2203b5eb2348ec5176212dbbb36879d
                                                      • Opcode Fuzzy Hash: 41f8234be86a0e6329ecff16ca3db6cd7f35fb4f44d7ceefe697632872ad6ab8
                                                      • Instruction Fuzzy Hash: F401A135241324BFE200DB159C81F6FB3E8EFC5700F81491CFA4057240DB71AD058BAA
                                                      APIs
                                                      • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020510
                                                      • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020530
                                                      • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020544
                                                      • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020558
                                                      • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 1002056B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeMemory$InformationQuerySession
                                                      • String ID: Console$ICA$RDP
                                                      • API String ID: 2964284127-2419630658
                                                      • Opcode ID: 169c33a2dd8e105fbb8594344e31f4156ac540e91333a65d8315f3fe57515fcf
                                                      • Instruction ID: f07eb4cdcb9ce89c6d976fc07c5deb833dbe8419acdb8c8d8ec998c8d3d62e73
                                                      • Opcode Fuzzy Hash: 169c33a2dd8e105fbb8594344e31f4156ac540e91333a65d8315f3fe57515fcf
                                                      • Instruction Fuzzy Hash: EB01F5B662427167C500EB5C7C4189BBAD9FB90A55F84443EF94897201D130EE1CC7F6
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 100265F2
                                                      • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 10026613
                                                      • RegCloseKey.ADVAPI32(?), ref: 1002661E
                                                      • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002662B
                                                        • Part of subcall function 10026300: lstrcatA.KERNEL32(00000000,?), ref: 10026356
                                                        • Part of subcall function 10026300: lstrcatA.KERNEL32(00000000,\*.*), ref: 10026365
                                                        • Part of subcall function 10026300: FindFirstFileA.KERNEL32(00000000,?), ref: 10026381
                                                        • Part of subcall function 10026300: FindNextFileA.KERNEL32(?,?), ref: 10026560
                                                        • Part of subcall function 10026300: FindClose.KERNEL32(?), ref: 1002656F
                                                      • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 10026660
                                                      Strings
                                                      • P, xrefs: 100265D8
                                                      • Favorites, xrefs: 1002660D
                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 100265E8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$AllocCloseFileLocallstrcat$FirstNextOpenQueryValue
                                                      • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                      • API String ID: 4098999320-2418616894
                                                      • Opcode ID: d38f954dffb21e116ecf76efb4b1a33598bd86147cc245a8f687d18b0dcbf1eb
                                                      • Instruction ID: 207ce911c8bdc5724ef97e225e2c39c068d07c00de13f2cd5441e6dface86ce0
                                                      • Opcode Fuzzy Hash: d38f954dffb21e116ecf76efb4b1a33598bd86147cc245a8f687d18b0dcbf1eb
                                                      • Instruction Fuzzy Hash: C2118FB4118341BFE304DF64CC85FAB7BE4FB88704F508A1CFA45962A0D7B8A409CB56
                                                      APIs
                                                        • Part of subcall function 10024920: GetCurrentProcess.KERNEL32(00000028), ref: 10024930
                                                        • Part of subcall function 10024920: OpenProcessToken.ADVAPI32(00000000), ref: 10024937
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100249D7
                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 100249E4
                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 100249FF
                                                      • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 10024A12
                                                      • ResumeThread.KERNEL32(00000000), ref: 10024A1B
                                                      • CloseHandle.KERNEL32(00000000), ref: 10024A22
                                                      • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 10024A25
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2312015761-2896544425
                                                      • Opcode ID: 212339e381941f1e9338dd63efee5a897b25ea0d59f106ceb46212220bc015bd
                                                      • Instruction ID: 5cfd9d6da9324f17a227d953a047530901ea066d352d4c92ab753f005bb5279a
                                                      • Opcode Fuzzy Hash: 212339e381941f1e9338dd63efee5a897b25ea0d59f106ceb46212220bc015bd
                                                      • Instruction Fuzzy Hash: C901D139240210BFE210EB18AC85FBF77A8EFC1B51F914518FE4086141DBB4AD098BBB
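The six API chains recorded in the preceding records (a file opened with GENERIC_WRITE and overwritten with rand() output, a write into the system directory, SuspendThread and ResumeThread loops over a TH32CS_SNAPTHREAD snapshot under SeDebugPrivilege, a WTSClientProtocolType probe that maps to the Console/ICA/RDP strings, and enumeration of the Favorites shell folder) are regular enough to be triaged by rule. The script below is an added example and is not code from the report, from Joe Sandbox, or from the sample itself: it parses the 'APIs' bullet lines exactly as they appear above and tags each record. The record keys are the report's own API String IDs; the rule names, the rule thresholds and the hex values of the Win32 constants (TH32CS_SNAPTHREAD, the pre-Vista THREAD_ALL_ACCESS value 0x1F03FF that the trace shows, GENERIC_WRITE, WTSClientProtocolType = 16) are my own assumptions taken from the SDK headers, and the sample input is a constructed excerpt of the API lines from those records.

```python
"""Added example, not part of the Joe Sandbox report: rule-based triage of the
'APIs' bullet lists from the records above. Constants come from the Win32 SDK
headers; rule names and thresholds are assumptions made for this example."""
import re

# Constructed sample input: API lines copied from six records above, keyed by each
# record's 'API String ID' so every sample can be matched back to the page.
SAMPLE_RECORDS = {
    "4180104731-254546324": r"""
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C9C4
• GetFileSize.KERNEL32(00000000,00000000), ref: 1000C9E6
• rand.MSVCRT ref: 1000CA23
• WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000), ref: 1000CA55
""",
    "3379061965-2181537457": r"""
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100225C6
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 100225F5
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10022623
""",
    "3882456823-2896544425": r"""
  • Part of subcall function 10024920: OpenProcessToken.ADVAPI32(00000000), ref: 10024937
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10024A5A
• Thread32First.KERNEL32(00000000,0000001C), ref: 10024A6B
• OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10024AA0
• SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10024AA5
• Thread32Next.KERNEL32(00000000,?), ref: 10024AB4
""",
    "2312015761-2896544425": r"""
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100249D7
• OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 10024A12
• ResumeThread.KERNEL32(00000000), ref: 10024A1B
""",
    "2964284127-2419630658": r"""
• WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020510
""",
    "4098999320-2418616894": r"""
• RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 100265F2
• RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 10026613
  • Part of subcall function 10026300: FindFirstFileA.KERNEL32(00000000,?), ref: 10026381
""",
}

# One report bullet: optional "Part of subcall function X:" prefix, Name.MODULE,
# an optional argument list, and the "ref:" address. rand.MSVCRT has no parentheses.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Win32 constants the rules key on (SDK values, written as the report prints them).
TH32CS_SNAPTHREAD = "00000004"
THREAD_ALL_ACCESS_XP = "001F03FF"      # pre-Vista THREAD_ALL_ACCESS, as seen in the trace
GENERIC_WRITE = "40000000"
WTS_CLIENT_PROTOCOL_TYPE = "00000010"  # WTS_INFO_CLASS.WTSClientProtocolType == 16


def parse_record(text):
    """Turn one record's 'APIs' bullet list into a list of call dicts; skips other lines."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"),
            "from_subcall": m.group("sub") is not None,
        })
    return calls


def has_call(calls, name, arg_index=None, value=None):
    """True if `name` was called, optionally with args[arg_index] equal to `value`."""
    for c in calls:
        if c["name"] != name:
            continue
        if arg_index is None:
            return True
        if len(c["args"]) > arg_index and c["args"][arg_index].lower() == value.lower():
            return True
    return False


# Each rule is a predicate over the parsed calls of one record. Rule names are mine.
RULES = {
    "thread-freeze": lambda c: (
        has_call(c, "CreateToolhelp32Snapshot", 0, TH32CS_SNAPTHREAD)
        and has_call(c, "OpenThread", 0, THREAD_ALL_ACCESS_XP)
        and has_call(c, "SuspendThread")),
    "thread-resume": lambda c: (
        has_call(c, "CreateToolhelp32Snapshot", 0, TH32CS_SNAPTHREAD)
        and has_call(c, "OpenThread", 0, THREAD_ALL_ACCESS_XP)
        and has_call(c, "ResumeThread")),
    "session-type-probe": lambda c: has_call(
        c, "WTSQuerySessionInformationA", 2, WTS_CLIENT_PROTOCOL_TYPE),
    "random-overwrite": lambda c: (
        has_call(c, "CreateFileA", 1, GENERIC_WRITE)
        and has_call(c, "rand") and has_call(c, "WriteFile")),
    "system-dir-write": lambda c: (
        has_call(c, "GetSystemDirectoryA")
        and has_call(c, "CreateFileA", 1, GENERIC_WRITE)
        and has_call(c, "WriteFile")),
    "favorites-enum": lambda c: (
        has_call(c, "RegQueryValueExA", 1, "Favorites")
        and has_call(c, "FindFirstFileA")),
}


def triage(records):
    """Map each record id to the list of rule names its API chain satisfies."""
    hits = {}
    for rid, text in records.items():
        calls = parse_record(text)
        hits[rid] = [name for name, rule in RULES.items() if rule(calls)]
    return hits


if __name__ == "__main__":
    for rid, tags in triage(SAMPLE_RECORDS).items():
        print(f"{rid}: {', '.join(tags) or '-'}")
```

The "Part of subcall function" lines are parsed on purpose: the SeDebugPrivilege token adjustment and the FindFirstFileA walk live in callees, and a rule that only looked at the record's own calls would miss them. When running this over a full export, check the THREAD_ALL_ACCESS constant against what the trace actually shows; a build compiled against a newer SDK records 001FFFFF instead of 001F03FF.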
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10012B51
                                                      • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10012B87
                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 10012BDB
                                                      • malloc.MSVCRT ref: 10012C1C
                                                      • malloc.MSVCRT ref: 10012C29
                                                      • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,?,?,?), ref: 10012CB7
                                                      • free.MSVCRT ref: 10012D58
                                                      • free.MSVCRT ref: 10012D5F
                                                      • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10012D68
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 1291067549-0
                                                      • Opcode ID: d550d9ee9e3699891c1c5dbc412b36672c3213317d5e397b029b1026c3602a03
                                                      • Instruction ID: 122c7d371d13828660c71b410bcdbf87df14b7d682a8353d972002f3f7da5d43
                                                      • Opcode Fuzzy Hash: d550d9ee9e3699891c1c5dbc412b36672c3213317d5e397b029b1026c3602a03
                                                      • Instruction Fuzzy Hash: 1F716AB02083459FD708CF28D890A6BB7E5FBC8744F548A2DFA89D7350D774EA458B92
                                                      APIs
                                                      • CreateRectRgnIndirect.GDI32(?), ref: 100151C6
                                                      • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001525A
                                                      • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001525F
                                                      • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10015270
                                                      • DeleteObject.GDI32(?), ref: 10015277
                                                      • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,100144BA), ref: 10015287
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                      • String ID:
                                                      • API String ID: 643377033-0
                                                      • Opcode ID: 6cd3a40624aaf2b3a70f4f21656276c2c61fbd1c74dd23bc6e4d59d29cf7c9eb
                                                      • Instruction ID: 51e7224ae3624a2980f9e7a68c6af005ed2f82c84f400dcefa22d485ddae3dba
                                                      • Opcode Fuzzy Hash: 6cd3a40624aaf2b3a70f4f21656276c2c61fbd1c74dd23bc6e4d59d29cf7c9eb
                                                      • Instruction Fuzzy Hash: 88519FB66083019FD314DF29D880A1BB7E6EFC8750F19892DF485CB301E775E9498B56
                                                      APIs
                                                      • GetWindowTextA.USER32(?,?,000003FF), ref: 10025714
                                                      • IsWindowVisible.USER32 ref: 10025723
                                                      • lstrlenA.KERNEL32(?), ref: 1002573C
                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 1002574F
                                                      • LocalSize.KERNEL32 ref: 1002575F
                                                      • lstrlenA.KERNEL32(?), ref: 1002577D
                                                      • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10025789
                                                      • GetWindowThreadProcessId.USER32(?), ref: 10025796
                                                      • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 100257A4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                      • String ID:
                                                      • API String ID: 925664022-0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 10013ECD
                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 10013ED8
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,100945B6,000000FF,1000B8EB), ref: 10013EE9
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,100945B6,000000FF,1000B8EB), ref: 10013EF4
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,100945B6,000000FF,1000B8EB), ref: 10013F03
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,100945B6,000000FF,1000B8EB), ref: 10013F0C
                                                      • ReleaseDC.USER32(00000000,?), ref: 10013F17
                                                        • Part of subcall function 10014120: sprintf.MSVCRT ref: 1001416F
                                                        • Part of subcall function 10014120: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 100141B0
                                                        • Part of subcall function 10014120: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 100141CF
                                                        • Part of subcall function 10014120: RegCloseKey.ADVAPI32(?), ref: 100141DE
                                                      • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,100945B6,000000FF,1000B8EB), ref: 10013F2D
                                                      • DestroyCursor.USER32(00000000), ref: 10013F6A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                      • String ID:
                                                      • API String ID: 1142494416-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 10027CD2
                                                      • GetThreadDesktop.USER32(00000000), ref: 10027CD9
                                                      • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D0C
                                                      • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10027D17
                                                      • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D3E
                                                      • lstrcmpiA.KERNEL32(?,?), ref: 10027D4D
                                                      • SetThreadDesktop.USER32(00000000), ref: 10027D58
                                                      • CloseDesktop.USER32(00000000), ref: 10027D70
                                                      • CloseDesktop.USER32(00000000), ref: 10027D73
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                      • String ID:
                                                      • API String ID: 3718465862-0
                                                      APIs
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E8C1
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E8CF
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E8DC
                                                      • #541.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E8E9
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E8F6
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E903
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E910
                                                      • #540.MFC42(?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E91D
                                                      • #540.MFC42(?,?,?,?,?,?,100940C1,000000FF,1000784C,10125614,00000000,00000000), ref: 1000E940
                                                        • Part of subcall function 1000EA80: #2614.MFC42(00000000,?), ref: 1000EAA5
                                                        • Part of subcall function 1000EA80: #2614.MFC42(00000000,?), ref: 1000EAAD
                                                        • Part of subcall function 1000EA80: #6143.MFC42(00000000,000000FF,00000000,?), ref: 1000EAC0
                                                        • Part of subcall function 1000EA80: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1000EACC
                                                        • Part of subcall function 1000EA80: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 1000EAE7
                                                        • Part of subcall function 1000EA80: PathGetArgsA.SHLWAPI(00000000,?), ref: 1000EB13
                                                        • Part of subcall function 1000EA80: #860.MFC42(00000000), ref: 1000EB1D
                                                        • Part of subcall function 1000EA80: PathRemoveArgsA.SHLWAPI(00000000), ref: 1000EB27
                                                        • Part of subcall function 1000EA80: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 1000EB32
                                                        • Part of subcall function 1000EA80: _splitpath.MSVCRT ref: 1000EB66
                                                        • Part of subcall function 1000EA80: #860.MFC42(?,?,?,?,?), ref: 1000EB77
                                                        • Part of subcall function 1000EA80: #860.MFC42(?,?,?,?,?,?), ref: 1000EB89
                                                        • Part of subcall function 1000EA80: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 1000EB94
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                      • String ID:
                                                      • API String ID: 882339912-0
                                                      APIs
                                                      • wsprintfA.USER32 ref: 100166DF
                                                        • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                                                        • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                                                        • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                                                        • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823$AddressLibraryLoadProcwsprintf
                                                      • String ID: E$M$T$Y$\$c$l$t
                                                      • API String ID: 398864417-1479156189
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(10126498), ref: 1001E8EA
                                                      • LeaveCriticalSection.KERNEL32(10126498), ref: 1001E900
                                                        • Part of subcall function 1001E790: _strnicmp.MSVCRT ref: 1001E7A4
                                                      • send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 1001E99C
                                                      • send.WS2_32(?,?,00000000,00000000), ref: 1001EA18
                                                      • CreateThread.KERNEL32(00000000,00000000,1001F950,?,00000000,?), ref: 1001EA47
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 1001EA54
                                                        • Part of subcall function 1001E700: atoi.MSVCRT(?), ref: 1001E739
                                                        • Part of subcall function 1001EF40: htons.WS2_32 ref: 1001EF63
                                                        • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF79
                                                        • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF97
                                                        • Part of subcall function 1001EF40: socket.WS2_32(00000002,00000001,00000006), ref: 1001EFA3
                                                        • Part of subcall function 1001EF40: setsockopt.WS2_32 ref: 1001EFCE
                                                        • Part of subcall function 1001EF40: connect.WS2_32(?,?,00000010), ref: 1001EFDE
                                                        • Part of subcall function 1001EF40: closesocket.WS2_32 ref: 1001EFEC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSectioninet_addrsend$CreateEnterLeaveObjectSingleThreadWait_strnicmpatoiclosesocketconnecthtonssetsockoptsocket
                                                      • String ID: HTTP/1.0 200 OK
                                                      • API String ID: 599367761-2989790534
                                                      APIs
                                                      • FindWindowA.USER32(?,00000000), ref: 10016FC0
                                                      • GetWindowTextA.USER32(00000000,?,00000104), ref: 10016FFA
                                                      • GetWindow.USER32(00000000,00000002), ref: 1001707E
                                                      • GetClassNameA.USER32(00000000,?,00000104), ref: 1001708D
                                                      • CloseHandle.KERNEL32(00000000), ref: 1001709D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$ClassCloseFindHandleNameText
                                                      • String ID: CTXOPConntion_Class$NULL
                                                      • API String ID: 1576580817-2462333376
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10093FE6,000000FF), ref: 1000FEB5
                                                      • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000FEC3
                                                      • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10093FE6,000000FF), ref: 1000FF02
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10093FE6,000000FF), ref: 1000FF0D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                      • String ID: closesocket$ws2_32.dll$#v
                                                      • API String ID: 1041861973-1647892672
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(user32.dll), ref: 1000ADAD
                                                      • GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000ADBB
                                                      • strstr.MSVCRT ref: 1000ADF4
                                                      • FreeLibrary.KERNEL32(00000000), ref: 1000AE10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProcstrstr
                                                      • String ID: GetWindowTextA$user32.dll$#v
                                                      • API String ID: 1147820842-860439444
                                                      • Opcode ID: b6abe02754e21369429a1ff354f02c4f641f5a5bbc0f61ed63567efcae978b57
                                                      • Instruction ID: 5bb882d552c4b51e36290a098307656d1dfd2abcec60627708b90b88d1667a2e
                                                      • Opcode Fuzzy Hash: b6abe02754e21369429a1ff354f02c4f641f5a5bbc0f61ed63567efcae978b57
                                                      • Instruction Fuzzy Hash: 0DF068395052607BE322D718CC84FEB7BE8EFC4341F10CA29FD4592260D7B99545CA95
                                                      APIs
                                                        • Part of subcall function 1000FF40: EnterCriticalSection.KERNEL32(?,?,?,1000FE4B,?,00000001,?,?,?,00000000,10094418,000000FF,1000CC4A), ref: 1000FF4B
                                                        • Part of subcall function 1000FF40: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,10094418,000000FF,1000CC4A), ref: 1000FF65
                                                      • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000FFD6
                                                      • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000FFE4
                                                      • FreeLibrary.KERNEL32(00000000), ref: 1000FFF9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                                      • String ID: $$closesocket$ws2_32.dll$#v
                                                      • API String ID: 2819327233-741210711
                                                      • Opcode ID: 4ab54be846edb9a7e1bf87ed64770ce8fe41e178a2290951c24777749235d5af
                                                      • Instruction ID: 413894dd210bc291a5ade8bf06e165a8e9e4808dc39bb6fe64583d1e2c2afd3f
                                                      • Opcode Fuzzy Hash: 4ab54be846edb9a7e1bf87ed64770ce8fe41e178a2290951c24777749235d5af
                                                      • Instruction Fuzzy Hash: 2BF0A73A0052226BD311DB28AC88DDFB7D8EF89311F044629FE4092205CB34D518C7B2
                                                      APIs
                                                      • _CxxThrowException.MSVCRT(?,100F17A0), ref: 10004533
                                                      • #823.MFC42(100043EC,?,00000004,00000000,00000004,100043FB,00000004,?,00000003,00000003,00000000,?,100043FB,?,00000000,?), ref: 100045A7
                                                      • #823.MFC42(00000000,?,?,?,00000000,10093BC0,000000FF,761B23A0,100043FB,?,00000000), ref: 100045B8
                                                      • #825.MFC42(00000000,00000000,?,?,?), ref: 1000461E
                                                      • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004624
                                                      • _CxxThrowException.MSVCRT(?), ref: 10004641
                                                      • #825.MFC42(?,?,?,?,?,00000000,10093BC0,000000FF,761B23A0,100043FB,?,00000000), ref: 1000464E
                                                      • #825.MFC42(10093BC0,?,?,?,?,00000000,10093BC0,000000FF,761B23A0,100043FB,?,00000000), ref: 1000465E
                                                        • Part of subcall function 10004710: _ftol.MSVCRT ref: 1000474F
                                                        • Part of subcall function 10004710: #823.MFC42(00000000), ref: 10004759
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$#823$ExceptionThrow$_ftol
                                                      • String ID:
                                                      • API String ID: 3722084872-0
                                                      • Opcode ID: 7b6c839bc1f1c7eeed4faadeb398d1d7556b8d00bb047abc290883428f9721fe
                                                      • Instruction ID: 37ce7ba9c98554e48ddb0bc7efc9b065fca5e2527d8adf9451804a4ee83aff98
                                                      • Opcode Fuzzy Hash: 7b6c839bc1f1c7eeed4faadeb398d1d7556b8d00bb047abc290883428f9721fe
                                                      • Instruction Fuzzy Hash: 1951A6B5A002495BEF00DF64C891BEE77B9EF496D0F414029F909AB385DF34FA058BA5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5440#5450#6383#6394#825
                                                      • String ID:
                                                      • API String ID: 2595762273-0
                                                      • Opcode ID: a6033499c22b507075e1f8cd1d7494bda64ed40fc7e62a8c388d7529811b15aa
                                                      • Instruction ID: 413050f04705f8f57d5610351fbd329b2dac020cfe0f5cbd082ae5933bdaa0b2
                                                      • Opcode Fuzzy Hash: a6033499c22b507075e1f8cd1d7494bda64ed40fc7e62a8c388d7529811b15aa
                                                      • Instruction Fuzzy Hash: A151D4F5B006008BEB04DF18D89053AB3D6EB84290B19856EED49DF74AEB31FD45DBA1
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100129C1
                                                      • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100129F7
                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 10012A32
                                                      • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10012A6F
                                                      • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10012AC6
                                                      • #825.MFC42(00000000), ref: 10012AF2
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 10012AFF
                                                      • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10012B0D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                      • String ID:
                                                      • API String ID: 601778281-0
                                                      • Opcode ID: fd1e34e50d82fea266e1fc5c1b01704fe39dd1a7de260ce9e5529a49082e74b3
                                                      • Instruction ID: c521b4b457004e3b8d6e63033e6bc845fd9fcd445f6f595a76ea0640fba4ed8d
                                                      • Opcode Fuzzy Hash: fd1e34e50d82fea266e1fc5c1b01704fe39dd1a7de260ce9e5529a49082e74b3
                                                      • Instruction Fuzzy Hash: A0418EB43043426FE304DF29DC90B6BB7E9FB88640F54462CFA89D7340D631E9058B62
                                                      APIs
                                                      • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?,?,?), ref: 1000986F
                                                      • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?,?,?), ref: 10009877
                                                      • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?,?,?), ref: 10009899
                                                      • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 100098AB
                                                      • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 100098B8
                                                      • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 100098C0
                                                      • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?,?,?), ref: 100098F7
                                                      • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10093E31,000000FF,10008BE6,-00000008,?,?,?), ref: 10009938
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                      • String ID:
                                                      • API String ID: 1074130261-0
                                                      • Opcode ID: bfddaed0e4cb25b33ba6653246a876a7c108432347d2a1adbbeee28cc2f6d0fc
                                                      • Instruction ID: d6cdc50ef3b2a9b6c6ca59afb1b00fc41ccb819eaf17adf6a72b64df869a932a
                                                      • Opcode Fuzzy Hash: bfddaed0e4cb25b33ba6653246a876a7c108432347d2a1adbbeee28cc2f6d0fc
                                                      • Instruction Fuzzy Hash: 1E41E035640754AFDB01CF18C8C46AEBBE5FB88AA0F54C62DEC9A87351DB359D04CB40
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _strnicmp
                                                      • String ID: CONNECT $GET $HEAD $POST
                                                      • API String ID: 2635805826-4031508290
                                                      • Opcode ID: 93138a8ce70166d2e555019417cd724c68339df3a3b5bb599bcff5081d5a5623
                                                      • Instruction ID: daba4ceaa9776cde7dddb0fd9b392e0e7d50ac99e23fad51604f21fc9a4dfe64
                                                      • Opcode Fuzzy Hash: 93138a8ce70166d2e555019417cd724c68339df3a3b5bb599bcff5081d5a5623
                                                      • Instruction Fuzzy Hash: 43015E363006519BE3019A2DEC01BCEB7D8EFC5726F864462FA40DB281E7B9D9858B95
                                                      APIs
                                                      • OpenClipboard.USER32(00000000), ref: 1001495A
                                                      • GetClipboardData.USER32(00000001), ref: 10014966
                                                      • GlobalSize.KERNEL32(00000000), ref: 10014984
                                                      • GlobalLock.KERNEL32(00000000), ref: 1001498E
                                                      • #823.MFC42(00000001), ref: 10014997
                                                      • GlobalUnlock.KERNEL32(?), ref: 100149BE
                                                      • CloseClipboard.USER32 ref: 100149C4
                                                      • #825.MFC42(00000000), ref: 100149D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ClipboardGlobal$#823#825CloseDataLockOpenSizeUnlock
                                                      • String ID:
                                                      • API String ID: 3656091822-0
                                                      • Opcode ID: 1c9a921898299100173c1b423a18b621be7c73f02627fda3d02ad85490999ca7
                                                      • Instruction ID: 0148d247c2a738529a2cae49d379f6e29a25a6761aac89a156446c69960e7e42
                                                      • Opcode Fuzzy Hash: 1c9a921898299100173c1b423a18b621be7c73f02627fda3d02ad85490999ca7
                                                      • Instruction Fuzzy Hash: DB01F979504724AFE710EB34AC8A6DB7798FF45651F408628FD06D7310EA79DD04C7A1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintf$floor
                                                      • String ID: %.0f
                                                      • API String ID: 389794084-4293663076
                                                      • Opcode ID: 7ccd3b92bbac42b763a2ad79f483a76ff8b4e97a6daef8b763983b906cb2aeaa
                                                      • Instruction ID: 0b5ab0f8ae05cc736f461bd1cbd55a9dec5afe7fb7ff7e3707d3778c599be75b
                                                      • Opcode Fuzzy Hash: 7ccd3b92bbac42b763a2ad79f483a76ff8b4e97a6daef8b763983b906cb2aeaa
                                                      • Instruction Fuzzy Hash: 79416AB5A00615A3F211CB49FD496CB736CFB863D2F1083A1FF8482194DB32A860C7E2
                                                      APIs
                                                      • mbstowcs.MSVCRT ref: 10020CDC
                                                      • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,76230440,101267C8), ref: 10020D02
                                                      • wcslen.MSVCRT ref: 10020D42
                                                      • malloc.MSVCRT ref: 10020D4A
                                                      • wsprintfA.USER32 ref: 10020D5C
                                                      • strncpy.MSVCRT ref: 10020D6D
                                                      • free.MSVCRT ref: 10020D74
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                      • String ID:
                                                      • API String ID: 4292357205-0
                                                      • Opcode ID: fea4e6f4af8dc328ef96ff8420dc6124bf0b95cd2227dfa6256725d9ba848e67
                                                      • Instruction ID: c4e84625cf2db45240530296902417522a5b21783232cd1808d2e9b1eeacec2c
                                                      • Opcode Fuzzy Hash: fea4e6f4af8dc328ef96ff8420dc6124bf0b95cd2227dfa6256725d9ba848e67
                                                      • Instruction Fuzzy Hash: 293104355093526BD315CF64DC40AEBBBE9FBC8710F500A2DF995C3281DB74AA49CB92
                                                      APIs
                                                      • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10028180
                                                      • __WSAFDIsSet.WS2_32(?,00000001), ref: 10028194
                                                      • recv.WS2_32(?,?,00002000,00000000), ref: 100281AD
                                                      • __WSAFDIsSet.WS2_32(?,00000001), ref: 100281D5
                                                      • recv.WS2_32(?,?,00002000,00000000), ref: 100281EE
                                                      • closesocket.WS2_32 ref: 10028224
                                                      • closesocket.WS2_32(?), ref: 10028227
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocketrecv$select
                                                      • String ID:
                                                      • API String ID: 2008065562-0
                                                      • Opcode ID: 37af3d6b040336431061d56ed504c05db64c9d4f8946455ae64c9fe786210e88
                                                      • Instruction ID: 1d9cce2d7163427c8f217063053e670333ba9fc9f935424b0d8e83eac20c16c0
                                                      • Opcode Fuzzy Hash: 37af3d6b040336431061d56ed504c05db64c9d4f8946455ae64c9fe786210e88
                                                      • Instruction Fuzzy Hash: D831B739545355ABE320CB249C89BDBB7DCEB44780F910819FA49D7182D774FA09CBA2
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 10025882
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10025889
                                                      • _ftol.MSVCRT ref: 1002598D
                                                      • Sleep.KERNEL32(000003E8), ref: 100259BE
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProcSleep_ftol
                                                      • String ID: NtQuerySystemInformation$ntdll
                                                      • API String ID: 720640769-3593917365
                                                      • Opcode ID: f383d08cf0a19fe44463990d77288436d225f5ff6b78e9aa60713355be49483a
                                                      • Instruction ID: 35ce93474915d1b771c639b2f03ecc7444cc7ac843ede20b2d88a3183141f77f
                                                      • Opcode Fuzzy Hash: f383d08cf0a19fe44463990d77288436d225f5ff6b78e9aa60713355be49483a
                                                      • Instruction Fuzzy Hash: 8841A2B5A08301EFE310DF65D885A8BB7E4FBC8751F518D1DF98A92210EF31A9448B92
                                                      APIs
                                                        • Part of subcall function 10004690: setsockopt.WS2_32(?,0000FFFF,00000080,00001F99), ref: 100046BA
                                                        • Part of subcall function 10004690: CancelIo.KERNEL32(?), ref: 100046C7
                                                        • Part of subcall function 10004690: InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                                                        • Part of subcall function 10004690: closesocket.WS2_32(?), ref: 100046E3
                                                        • Part of subcall function 10004690: SetEvent.KERNEL32(00001F99), ref: 100046F0
                                                      • ResetEvent.KERNEL32(00001F99,00000000,00001F99), ref: 100041E3
                                                      • socket.WS2_32 ref: 100041F6
                                                      • gethostbyname.WS2_32(?), ref: 10004216
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                                      • String ID:
                                                      • API String ID: 513860241-0
                                                      • Opcode ID: 560da0ad1e09394bb61a1ea4ebc2176ed548f9340fdc13da60b428493df4eb36
                                                      • Instruction ID: cde73489f8ded7fcc43a664061ca7f37ba7fa19947b49e51f62f8624d830cfe1
                                                      • Opcode Fuzzy Hash: 560da0ad1e09394bb61a1ea4ebc2176ed548f9340fdc13da60b428493df4eb36
                                                      • Instruction Fuzzy Hash: E131BEB5204301BFE310DF28CC85FDBB7E5BF89314F508A1DF6999A290D7B1A4888B52
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 1000890B
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50), ref: 10008924
                                                      • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008947
                                                      • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008952
                                                      • LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008960
                                                      • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 1000898E
                                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 100089B6
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                                      • String ID:
                                                      • API String ID: 2793549963-0
                                                      • Opcode ID: b5afa74874c66085ba6aae2a6e01e264d4f93449b85507c592d054fad66a9a1b
                                                      • Instruction ID: eb148dbd117788c58cf9a31645e01fae9b948d8d69b22449dc17684e14345dfe
                                                      • Opcode Fuzzy Hash: b5afa74874c66085ba6aae2a6e01e264d4f93449b85507c592d054fad66a9a1b
                                                      • Instruction Fuzzy Hash: 862122317003106FEB04DF28EC95B96B7D9FB88710F548639FA46DB390DA74A808C761
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006CCB
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10006D2E
                                                      • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 10006D43
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 10006D60
                                                      • CloseHandle.KERNEL32(00000000,?,?), ref: 10006D67
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateDirectoryHandlePointerSystemWrite
                                                      • String ID: p
                                                      • API String ID: 3459705013-2181537457
                                                      • Opcode ID: 3c71d8bda9b36a03b3f91f0bec3609bd4209d4b2e9bc561036b1298628e82cef
                                                      • Instruction ID: b3bddcddc3f1e004d8d65502822138ced29defc08e981ec28d145e73f2b00e0b
                                                      • Opcode Fuzzy Hash: 3c71d8bda9b36a03b3f91f0bec3609bd4209d4b2e9bc561036b1298628e82cef
                                                      • Instruction Fuzzy Hash: D331CE75244305ABE314CB28CC45AABB7E9FBC8325F008B1DF965972D1DB70AA098B95
                                                      APIs
                                                      • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000), ref: 1000F068
                                                      • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000), ref: 1000F079
                                                      • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F08B
                                                      • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F097
                                                      • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0CA
                                                      • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0DF
                                                        • Part of subcall function 1000F110: #540.MFC42 ref: 1000F137
                                                        • Part of subcall function 1000F110: #2818.MFC42(00000000, %c%s,?,?), ref: 1000F160
                                                        • Part of subcall function 1000F110: #2763.MFC42(00000020), ref: 1000F17D
                                                        • Part of subcall function 1000F110: #537.MFC42(100F5B4C,00000000,00000020), ref: 1000F195
                                                        • Part of subcall function 1000F110: #537.MFC42(100F617C,100F5B4C,00000000,00000020), ref: 1000F1AA
                                                        • Part of subcall function 1000F110: #922.MFC42(?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1BB
                                                        • Part of subcall function 1000F110: #922.MFC42(?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1CC
                                                        • Part of subcall function 1000F110: #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1DB
                                                        • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1E9
                                                        • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1F7
                                                        • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F205
                                                        • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F213
                                                        • Part of subcall function 1000F110: #535.MFC42(00000000), ref: 1000F270
                                                        • Part of subcall function 1000F110: #800.MFC42(00000000), ref: 1000F286
                                                      • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0EF
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                                                      • String ID:
                                                      • API String ID: 37758464-0
                                                      • Opcode ID: 43a720adb34fa7b72872a061643b73973f38b0b6103dcf7fcbc3da43ebf69690
                                                      • Instruction ID: 9ba243b2a72519bdef91ec6ba025c3f528ee63e4f3c78ca14cc9a5259ab4c7a6
                                                      • Opcode Fuzzy Hash: 43a720adb34fa7b72872a061643b73973f38b0b6103dcf7fcbc3da43ebf69690
                                                      • Instruction Fuzzy Hash: F421D53A2086408BD724CB19C880A2FF3D5FB886A4F910A2CF55A97B46CA34FE459B41
                                                      APIs
                                                      • lstrlenA.KERNEL32(00000000), ref: 10021229
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                                                        • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                                                        • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                                                      • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 10021258
                                                      • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 1002128D
                                                      • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 10021295
                                                      • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 100212A2
                                                      • NetApiBufferFree.NETAPI32(?), ref: 100212D1
                                                      • LocalFree.KERNEL32(?), ref: 100212DB
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                                                      • String ID:
                                                      • API String ID: 1574401665-0
                                                      • Opcode ID: 46735f53a2903c6d7e492f2955271c51c61b6edf0f377a20ffdd2ac6339c8558
                                                      • Instruction ID: d399105d514aca8900d070816a0f4a2e5108d89dd4e60ff2f78bd32616ee1468
                                                      • Opcode Fuzzy Hash: 46735f53a2903c6d7e492f2955271c51c61b6edf0f377a20ffdd2ac6339c8558
                                                      • Instruction Fuzzy Hash: E921CFB9508301AFD310DF68AC85D5BBBECEF95A44F00092DF54897252EA74ED4D8BA2
                                                      APIs
                                                      • htons.WS2_32 ref: 1001EF63
                                                      • inet_addr.WS2_32(?), ref: 1001EF79
                                                      • inet_addr.WS2_32(?), ref: 1001EF97
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 1001EFA3
                                                      • setsockopt.WS2_32 ref: 1001EFCE
                                                      • connect.WS2_32(?,?,00000010), ref: 1001EFDE
                                                      • closesocket.WS2_32 ref: 1001EFEC
                                                        • Part of subcall function 1001ED30: gethostbyname.WS2_32(?), ref: 1001ED35
                                                        • Part of subcall function 1001ED30: inet_ntoa.WS2_32(00000000), ref: 1001ED48
                                                      Yara matches
                                                      Similarity
                                                      • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                      • String ID:
                                                      • API String ID: 1372979013-0
                                                      • Opcode ID: 81534a3f04dfec04d34a6815d56e74a6589d9079e54b49c8ae5a124c15ecb453
                                                      • Instruction ID: 1de2c1a93f358004d2b4c3ee2566f76d6288aad6ef0a06bf2f8016d796b1493f
                                                      • Opcode Fuzzy Hash: 81534a3f04dfec04d34a6815d56e74a6589d9079e54b49c8ae5a124c15ecb453
                                                      • Instruction Fuzzy Hash: 60118175504351ABE310DF288C85A9FB7E4EF88364F608E2DF894D62D0E770D8458B52
                                                      APIs
                                                      • Sleep.KERNEL32(00000064,?,?), ref: 100284C1
                                                      • wsprintfA.USER32 ref: 100284EC
                                                      • closesocket.WS2_32(00000000), ref: 10028504
                                                      • TerminateThread.KERNEL32(?,00000000), ref: 1002853C
                                                      • CloseHandle.KERNEL32(101281A0), ref: 10028543
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                      • String ID: nsocket-di:%d
                                                      • API String ID: 1790861966-355283319
                                                      • Opcode ID: d738ad8e917f7a3b746703ee66ea95e36dc3f124e81ced7bea38bb7d44f674ae
                                                      • Instruction ID: fdbfb397e925a873915e35bb2c60bbb03b2a1e3ab5f3a653bc80193b1a98e8eb
                                                      • Opcode Fuzzy Hash: d738ad8e917f7a3b746703ee66ea95e36dc3f124e81ced7bea38bb7d44f674ae
                                                      • Instruction Fuzzy Hash: CC111938602222AFE710DB2DDCC9B527BE5EB443A4FA40205FD08976E4D37DA967CB50
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32 ref: 100227B6
                                                      • lstrcatA.KERNEL32(?,?), ref: 100227C8
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100227E5
                                                      • CloseHandle.KERNEL32(00000000), ref: 1002280D
                                                      • LocalFree.KERNEL32(?), ref: 10022826
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
                                                      • String ID: p
                                                      • API String ID: 3845662661-2181537457
                                                      • Opcode ID: 360983da1dba87eddf3ce4209fc1d081b8d67444aed54e77390c085efffd211f
                                                      • Instruction ID: 76c0ca7e168083ab8e7b56479baba7c7bd685732b753ecaec25c40b1d91f927f
                                                      • Opcode Fuzzy Hash: 360983da1dba87eddf3ce4209fc1d081b8d67444aed54e77390c085efffd211f
                                                      • Instruction Fuzzy Hash: 4A019275404311BFE310DF64DC8AFDB77E8AB88714F508E0DF695961E0E7B8A5488B52
                                                      APIs
                                                      • GetSystemMetrics.USER32(00000000), ref: 1000C90F
                                                      • GetSystemMetrics.USER32(00000001), ref: 1000C913
                                                      • ChangeDisplaySettingsA.USER32 ref: 1000C949
                                                      • ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000C956
                                                      • ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000C966
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ChangeDisplaySettings$MetricsSystem
                                                      • String ID:
                                                      • API String ID: 840903655-3916222277
                                                      • Opcode ID: c77e656dd18fdfb4ebc8b4899aea03d0e6d1d63caf2da3385abf3b57937cc670
                                                      • Instruction ID: 053c49719d85a196c76f6ee9153ca12a4a553254b275c42fb40e390951d789a9
                                                      • Opcode Fuzzy Hash: c77e656dd18fdfb4ebc8b4899aea03d0e6d1d63caf2da3385abf3b57937cc670
                                                      • Instruction Fuzzy Hash: 32F09A30958324AAF320EB749D45F8B7BE4AF44B48F50080DB658961C0E3B5A4088F93
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(ntdll.dll,?,00001F99,1001713F,?,?,?), ref: 100168E9
                                                      • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                                                      • FreeLibrary.KERNEL32(00000000), ref: 10016922
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: RtlGetNtVersionNumbers$ntdll.dll$#v
                                                      • API String ID: 145871493-3809132452
                                                      • Opcode ID: c449b7dd001459c79670ac304c37124fb354c925596d64b8a171dfed53781a7c
                                                      • Instruction ID: ad9545e095db50680b72f3060b66d3436de7a5d47c017a663631abcd74ef5f78
                                                      • Opcode Fuzzy Hash: c449b7dd001459c79670ac304c37124fb354c925596d64b8a171dfed53781a7c
                                                      • Instruction Fuzzy Hash: 84E06D3A3022216BD2148B25DC48D9B7BAAEFC8712B118518F81497300CB38D84686A2
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$atoi$CloseHandle
                                                      • String ID:
                                                      • API String ID: 3951340052-0
                                                      • Opcode ID: aa9359f932d660711f9899074e644ea17092b6b0dc32b1ac732ffe73607f6b3d
                                                      • Instruction ID: 00c677a1e56c77a172047a4b8c4669ce562aae35e1aa3c39e12fde649147ef05
                                                      • Opcode Fuzzy Hash: aa9359f932d660711f9899074e644ea17092b6b0dc32b1ac732ffe73607f6b3d
                                                      • Instruction Fuzzy Hash: CA41D83B30462027C194F329B855FEFAB55EBF5721F81442FF1858A186CA106C9B83B5
                                                      APIs
                                                        • Part of subcall function 10001EF0: EnterCriticalSection.KERNEL32(?,75BF7310,762283C0,10004727,75BF7310,762283C0,762323A0,00000000,?,?,?,?,?,?,?,00000100), ref: 10001EF8
                                                        • Part of subcall function 10001EF0: LeaveCriticalSection.KERNEL32(?,00000400,?,?,?,?,?,?,?,00000100), ref: 10001F11
                                                      • _ftol.MSVCRT ref: 1000474F
                                                      • #823.MFC42(00000000), ref: 10004759
                                                      • #825.MFC42(00000000,?,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 1000478E
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$#823#825EnterLeave_ftol
                                                      • String ID:
                                                      • API String ID: 2982282317-0
                                                      • Opcode ID: 383ef655ac8f6fedcca7d9934e41858ffce3b41d39233b38587a54daa4e1965a
                                                      • Instruction ID: 151cba10dd302cfdd08b685247497689396b72e64293b537d4334c1f2e96d35a
                                                      • Opcode Fuzzy Hash: 383ef655ac8f6fedcca7d9934e41858ffce3b41d39233b38587a54daa4e1965a
                                                      • Instruction Fuzzy Hash: 5141F4B97443045BE204EF249C52BAFB3D9EBC8690F41452DFA0597386DE34FA098766
                                                      APIs
                                                      • CreateDIBSection.GDI32(?,00000000,00000000,751E5D50,00000000,00000000), ref: 10015321
                                                      • SelectObject.GDI32(00000000,00000000), ref: 1001532F
                                                      • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001534E
                                                      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001536F
                                                      • DeleteObject.GDI32(?), ref: 100153C5
                                                      • free.MSVCRT ref: 100153D4
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Object$CreateDeleteSectionSelectfree
                                                      • String ID:
                                                      • API String ID: 2595996717-0
                                                      • Opcode ID: 887497eaceb188f058d34d4869c424205da7e7f5aed0cf582579a54abdd03fb3
                                                      • Instruction ID: 0c043ad52958cd3b14dae1ff8ff7b18953000f6685b449f3fdc92eb6ecbc4a7c
                                                      • Opcode Fuzzy Hash: 887497eaceb188f058d34d4869c424205da7e7f5aed0cf582579a54abdd03fb3
                                                      • Instruction Fuzzy Hash: BE4124B5200705AFD714DF69CD94E6BB7EAEF88600F14891CFA868B790D670FE448B61
                                                      APIs
                                                      • BlockInput.USER32(00000000), ref: 100142A6
                                                      • BlockInput.USER32(?,?,?), ref: 100142C9
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 100142E0
                                                      • BlockInput.USER32(?,?,?), ref: 100142E9
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 10014300
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 10014319
                                                      Yara matches
                                                      Similarity
                                                      • API ID: BlockExchangeInputInterlocked
                                                      • String ID:
                                                      • API String ID: 3466551546-0
                                                      • Opcode ID: e5828a2dd93037858442616e4caf3bd3ce8519f10e178e18d8f9e38ffa49e733
                                                      • Instruction ID: 17d1c2bafebc0ce83059b9f736f966c6318352bbbbab30d7eddd310a63ab96de
                                                      • Opcode Fuzzy Hash: e5828a2dd93037858442616e4caf3bd3ce8519f10e178e18d8f9e38ffa49e733
                                                      • Instruction Fuzzy Hash: BB31353B30856117D284E738B852EEFA759EBD5321F05893BF5958B245CE20AC8683F0
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: malloc$realloc$strstr
                                                      • String ID:
                                                      • API String ID: 686937093-0
                                                      • Opcode ID: 8b35c05d70219b54721860a3610fab8309798a92f769752a16b656059f55b80b
                                                      • Instruction ID: 44be1ea29c0e8b7c64a2e1e30ed6f8924ce9ea29ff36ce5f4753977188a169ca
                                                      • Opcode Fuzzy Hash: 8b35c05d70219b54721860a3610fab8309798a92f769752a16b656059f55b80b
                                                      • Instruction Fuzzy Hash: 123124756043424FD300CF2CAC806ABFBD5EBCA211F144A7CE99587351DB76E90ACBA2
                                                      APIs
                                                      • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10014C42,?,?,?,?,?,?,00000000), ref: 100155EB
                                                      • GetDC.USER32(00000000), ref: 10015646
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10015653
                                                      • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10015666
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 1001566F
                                                      • DeleteObject.GDI32(00000000), ref: 10015676
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                      • String ID:
                                                      • API String ID: 1489246511-0
                                                      • Opcode ID: c1846dc3492ed7490e41e3b8efee52bb51f45bcde56b8ce4b2a4ec49df6fd671
                                                      • Instruction ID: 5656d7b1f0fdb8729cb8ec7308b8b8dafa7dccdb65a81c0c0b83e1d1b9a22dae
                                                      • Opcode Fuzzy Hash: c1846dc3492ed7490e41e3b8efee52bb51f45bcde56b8ce4b2a4ec49df6fd671
                                                      • Instruction Fuzzy Hash: 983113712017018FD324CF68CC94B5AFBE6FF95305F188A6DE4868F2A1E7B1A508CB90
                                                      APIs
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncmp
                                                      • String ID: false$null$true
                                                      • API String ID: 1114863663-2913297407
                                                      APIs
                                                      • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 100079D5
                                                      • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 100079DC
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 10007A09
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 10007A1C
                                                      • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 10007A6A
                                                      • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10007968), ref: 10007A8D
                                                      Similarity
                                                      • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                      • String ID:
                                                      • API String ID: 2070391518-0
                                                      APIs
                                                      • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008F2A
                                                      • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008F3B
                                                      • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008F4C
                                                      • #825.MFC42(?,?,?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008F75
                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008FAA
                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,10008B80,00000001,?,?,00000000,00000065,000000FF,10007C50,00000001,00000001), ref: 10008FBD
                                                      Similarity
                                                      • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                      • String ID:
                                                      • API String ID: 3981934315-0
                                                      APIs
                                                      • _snprintf.MSVCRT ref: 100283AF
                                                        • Part of subcall function 100282B0: inet_addr.WS2_32(?), ref: 100282BA
                                                      • recv.WS2_32(00000000,?,00000002,00000000), ref: 10028411
                                                      • CreateThread.KERNEL32(00000000,00000000,100282D0,?,00000000,?), ref: 10028460
                                                      • CloseHandle.KERNEL32(00000000), ref: 10028474
                                                      • Sleep.KERNEL32(000003E8), ref: 1002847D
                                                      • closesocket.WS2_32(00000000), ref: 10028491
                                                      Similarity
                                                      • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                      • String ID:
                                                      • API String ID: 1576220768-0
                                                      Similarity
                                                      • API ID: malloc$Tablefree
                                                      • String ID:
                                                      • API String ID: 2903114640-0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,762332F0,00000074), ref: 100228F7
                                                      • Module32First.KERNEL32(00000000,00000000), ref: 1002290C
                                                      • lstrcmpiA.KERNEL32(?,?), ref: 1002292B
                                                      • Module32Next.KERNEL32(00000000,00000000), ref: 10022937
                                                      • CloseHandle.KERNEL32(00000000), ref: 10022941
                                                      • CloseHandle.KERNEL32(00000000), ref: 10022959
                                                      Similarity
                                                      • API ID: CloseHandleModule32$CreateFirstNextSnapshotToolhelp32lstrcmpi
                                                      • String ID:
                                                      • API String ID: 4074050396-0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
                                                      • Process32First.KERNEL32(00000000,00000000), ref: 1002760B
                                                      • _stricmp.MSVCRT(?,?,00000002,00000000), ref: 10027627
                                                      • Process32Next.KERNEL32(00000000,?), ref: 10027636
                                                      • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 10027640
                                                      • CloseHandle.KERNEL32(00000000,?,75C39E60), ref: 10027653
                                                      Similarity
                                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_stricmp
                                                      • String ID:
                                                      • API String ID: 1332747125-0
                                                      APIs
                                                      • wsprintfA.USER32 ref: 10020B1A
                                                        • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                                                        • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                                                        • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                                                        • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                                                      • lstrlenA.KERNEL32(?), ref: 10020B46
                                                      • lstrlenA.KERNEL32(?), ref: 10020B52
                                                      Similarity
                                                      • API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
                                                      • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                      • API String ID: 2676723305-3034822107
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 10016347
                                                      • CoCreateInstance.OLE32(100E6B40,00000000,00000001,100E6B20,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001635F
                                                      Similarity
                                                      • API ID: CreateInitializeInstance
                                                      • String ID: FriendlyName
                                                      • API String ID: 3519745914-3623505368
                                                      Similarity
                                                      • API ID: getenvmallocsscanf
                                                      • String ID: %ld%c$JPEGMEM$x
                                                      • API String ID: 677315340-3402169052
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E2B8
                                                      • Sleep.KERNEL32(000004D2), ref: 1000E362
                                                      • DeleteFileA.KERNEL32(?), ref: 1000E323
                                                        • Part of subcall function 1000E160: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E192
                                                        • Part of subcall function 1000E160: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000E209
                                                        • Part of subcall function 1000E160: GetFileSize.KERNEL32(00000000,00000000), ref: 1000E218
                                                        • Part of subcall function 1000E160: #823.MFC42(00000000), ref: 1000E221
                                                        • Part of subcall function 1000E160: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000E234
                                                        • Part of subcall function 1000E160: #825.MFC42(00000000), ref: 1000E25C
                                                        • Part of subcall function 1000E160: CloseHandle.KERNEL32(00000000), ref: 1000E265
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
                                                      • String ID: .key$6gkIBfkS+qY=
                                                      • API String ID: 3115437274-3577161720
                                                      • Opcode ID: 52d5c34fec1058b21deb3f8e7361faa1260aab5b3d716f31b033e2faa6641d6a
                                                      • Instruction ID: 8b295e50c60843580cfd6389b87f51f9169854e69fc94e39db10b536c9611ff5
                                                      • Opcode Fuzzy Hash: 52d5c34fec1058b21deb3f8e7361faa1260aab5b3d716f31b033e2faa6641d6a
                                                      • Instruction Fuzzy Hash: C62177356042910BF725DB38CC9479A7FC4FB853A0F044729F496A72DADBB49D48C352
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006137,00000000), ref: 10006570
                                                      • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006137,00000000), ref: 10006597
                                                      • GetProcessHeap.KERNEL32(00000000,10006137,?,10006137,00000000), ref: 100065A0
                                                      • HeapFree.KERNEL32(00000000), ref: 100065A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Free$Heap$LibraryProcessVirtual
                                                      • String ID: #v
                                                      • API String ID: 548792435-554117064
                                                      • Opcode ID: 4fb1001e4b1a7667773ce3d2e8efbcb68924b30b108a7091f8a1800d45f00e20
                                                      • Instruction ID: c47dd3a19aa23738afc325b14044b90395af6d826a36c0f12a94c81f5f5cde2b
                                                      • Opcode Fuzzy Hash: 4fb1001e4b1a7667773ce3d2e8efbcb68924b30b108a7091f8a1800d45f00e20
                                                      • Instruction Fuzzy Hash: 74115735600B119BE720CF69CC84F57B3E9AF88691F218A18F55AC7298CB30F8418B60
                                                      APIs
                                                        • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                                                        • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                                                        • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                                                        • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                                                      • lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F99,762323A0), ref: 100167A7
                                                      • gethostname.WS2_32(?,?), ref: 100167AF
                                                      • lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F99,762323A0), ref: 100167B6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823lstrlen$AddressLibraryLoadProcgethostname
                                                      • String ID: Host$SYSTEM\Setup
                                                      • API String ID: 3998130814-2058306683
                                                      • Opcode ID: 56e7420ec7e53d1e6086bdcf6c58d7f673946b10884cd24e3a049a0a59ebb871
                                                      • Instruction ID: 89e900fceae59ac8d3f09e9af1364124967943dc5bc78569f875330dc368f6ce
                                                      • Opcode Fuzzy Hash: 56e7420ec7e53d1e6086bdcf6c58d7f673946b10884cd24e3a049a0a59ebb871
                                                      • Instruction Fuzzy Hash: 2001C4756042546FE314CB18DC90BABBBE9EBC8245F14453CFB4493391D7729A05CBA2
                                                      APIs
                                                        • Part of subcall function 10057480: GetModuleHandleW.KERNEL32(ntdll.dll,RtlDosPathNameToRelativeNtPathName_U,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574A1
                                                        • Part of subcall function 10057480: GetProcAddress.KERNEL32(00000000), ref: 100574A4
                                                        • Part of subcall function 10057480: GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574AF
                                                      • CreateFileW.KERNEL32(1001802F,C0000000,00000000,00000000,00000003,00000080,00000000,?,1001802F,1012644C,00000000), ref: 10057561
                                                      • GetLastError.KERNEL32(?,1001802F,1012644C,00000000), ref: 1005756E
                                                      • malloc.MSVCRT ref: 10057580
                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 1005758D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorHandleLast$AddressCloseCreateFileModuleProcmalloc
                                                      • String ID: \\.\QAssist
                                                      • API String ID: 3918230743-1620305513
                                                      • Opcode ID: c74637825da1256f0bc27f790e83a9fe10c173631bf399fe062de42ba4e07804
                                                      • Instruction ID: 2617bb851b5f1441201b4be41023a6116d41d176203a3ef9fd8cf81c813fd235
                                                      • Opcode Fuzzy Hash: c74637825da1256f0bc27f790e83a9fe10c173631bf399fe062de42ba4e07804
                                                      • Instruction Fuzzy Hash: B5014C79B406202BF314D738BC017CA26D5EB84720F12C230F985EB2D4FEB0A8455280
                                                      APIs
                                                      • ShellExecuteExA.SHELL32 ref: 10009321
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009332
                                                      • CloseHandle.KERNEL32(?), ref: 1000933D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseExecuteHandleObjectShellSingleWait
                                                      • String ID: <$@
                                                      • API String ID: 3837156514-1426351568
                                                      • Opcode ID: 1b34141c0c47c6f06558b0f2ed81d179a17c353eb6c44df50b52a01acea419f1
                                                      • Instruction ID: 373787d667dad42a9a598f5b4b60ee5f53bdce74bc95899c6e3054471be14af9
                                                      • Opcode Fuzzy Hash: 1b34141c0c47c6f06558b0f2ed81d179a17c353eb6c44df50b52a01acea419f1
                                                      • Instruction Fuzzy Hash: 9AF06971508311ABD704DF18C848A9FBBE4FFC4350F108A1DF699972A0DB76D6048B96
                                                      APIs
                                                      • RegCreateKeyA.ADVAPI32(80000002,SYSTEM\Setup), ref: 1000C530
                                                      • RegSetValueExA.ADVAPI32(?,Host,00000000,00000001,?), ref: 1000C557
                                                      • RegCloseKey.ADVAPI32(?), ref: 1000C562
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: Host$SYSTEM\Setup
                                                      • API String ID: 1818849710-2058306683
                                                      • Opcode ID: 5f9fed053b9cfa91d4caa8739edf0f7e93f4ee06f2d893e362b26cb805fc1c5a
                                                      • Instruction ID: 9c6b50d5ac1e52a42a9b9ebb4716c63bfcb5adcd7a01533ca98fdfbb8b9501c1
                                                      • Opcode Fuzzy Hash: 5f9fed053b9cfa91d4caa8739edf0f7e93f4ee06f2d893e362b26cb805fc1c5a
                                                      • Instruction Fuzzy Hash: 18E06D7A214204BBE308D761CC88EAB77BDEFC8A52F20860DFB1682190DA70D9009620
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10014540,?,?,?,?,?,100945F0,000000FF), ref: 1000E55D
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000E564
                                                      • Sleep.KERNEL32(00000096,?,?,?,?,?,100945F0,000000FF), ref: 1000E577
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProcSleep
                                                      • String ID: KERNEL32.dll$WaitForSingleObject
                                                      • API String ID: 188063004-3889371928
                                                      • Opcode ID: 6f1913b75059fcdeb32e1ab937262be6e57ad583bf31aca0cc1f484719355a3e
                                                      • Instruction ID: 62ce2c8e92499c9444195fa3867bf8a19e8f497ea87849b71b601687cd9eea2b
                                                      • Opcode Fuzzy Hash: 6f1913b75059fcdeb32e1ab937262be6e57ad583bf31aca0cc1f484719355a3e
                                                      • Instruction Fuzzy Hash: 0FD0C979104231BBEA2467B0AC5CDDB7B18EB483327218704FA22922E0CE669840CB90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49e1a3441f48fd08871a00606a187dde43cc83fe5c9fb3bd3fdf33e5fbf61024
                                                      • Instruction ID: 21c3bced292d153852bad5432d3ee80454c38e9ea06e495423d8ed335e1c25ce
                                                      • Opcode Fuzzy Hash: 49e1a3441f48fd08871a00606a187dde43cc83fe5c9fb3bd3fdf33e5fbf61024
                                                      • Instruction Fuzzy Hash: 7D41E4B27003056FE754DF689C81B67B7D9EB883A5F24402AFA05C7686DBB1F80487A0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 10013FCA
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,100945E1,000000FF), ref: 10013FD5
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,100945E1,000000FF), ref: 10013FE2
                                                      • #823.MFC42 ref: 1001400B
                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 100140B0
                                                        • Part of subcall function 10014A70: LoadCursorA.USER32(00000000,00007F8A), ref: 10014B4A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExchangeInterlocked$#823CloseCursorHandleLoadObjectSingleWait
                                                      • String ID:
                                                      • API String ID: 3818894934-0
                                                      • Opcode ID: d39fb31834e960f0c77ee551e30d775ad3c2b5e58c235cc15ee4cd0a76679730
                                                      • Instruction ID: 8db4edd24828b8d6543c00c287abaa3dcd4977562c69ef9a7aee89012ae2a67c
                                                      • Opcode Fuzzy Hash: d39fb31834e960f0c77ee551e30d775ad3c2b5e58c235cc15ee4cd0a76679730
                                                      • Instruction Fuzzy Hash: 5031BE74684700ABE721CB358C86F9AB7D5FB48B50F110A1CF69A9E2D1CBB1F4808756
                                                      APIs
                                                        • Part of subcall function 100049A0: #823.MFC42 ref: 100049CB
                                                        • Part of subcall function 100049A0: #823.MFC42(?), ref: 100049DA
                                                      • lstrlenA.KERNEL32(?), ref: 10024CCB
                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 10024CE8
                                                      • lstrlenA.KERNEL32(?), ref: 10024D22
                                                      • LocalSize.KERNEL32(00000000), ref: 10024D66
                                                      • LocalFree.KERNEL32(00000000), ref: 10024D78
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Local$#823lstrlen$AllocFreeSize
                                                      • String ID:
                                                      • API String ID: 933119475-0
                                                      • Opcode ID: 554934a4d37e72a789cfb2dc0e11c58d71e8cf53df8c271f231214194a42f271
                                                      • Instruction ID: aae179914c36bfa88dca8a91faacc61921645f308602a7a01db2f0488922670a
                                                      • Opcode Fuzzy Hash: 554934a4d37e72a789cfb2dc0e11c58d71e8cf53df8c271f231214194a42f271
                                                      • Instruction Fuzzy Hash: 133187792083468FD300CF28D884B1BBBE4FB89754F520A1DF996973A0DB34E905CB92
                                                      APIs
                                                      • #825.MFC42(?,?), ref: 1001D0FD
                                                      • #825.MFC42(?), ref: 1001D15A
                                                      • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 1001D16E
                                                      • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 1001D191
                                                      • #825.MFC42(00000000), ref: 1001D19C
                                                        • Part of subcall function 1001E380: #825.MFC42(?,?,10126460,?,1001D0FA,?), ref: 1001E3A2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: #825$Lockit@std@@$??0_??1_
                                                       • String ID:
                                                       • API String ID: 3320149174-0
                                                      APIs
                                                        • Part of subcall function 1000E390: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F99,1001A69F,?,00000000,00001F99), ref: 1000E3B0
                                                        • Part of subcall function 1000E390: GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                                                      • malloc.MSVCRT ref: 10006605
                                                      • free.MSVCRT ref: 10006635
                                                      • LocalAlloc.KERNEL32(00000040,00000005), ref: 1000664F
                                                      • SetEvent.KERNEL32(?), ref: 1000667E
                                                      • LocalFree.KERNEL32(?), ref: 10006696
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: Local$AddressAllocEventFreeLibraryLoadProcfreemalloc
                                                       • String ID:
                                                       • API String ID: 2989931879-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: InternetOpen
                                                       • String ID: y$y
                                                       • API String ID: 2038078732-2085659379
                                                      APIs
                                                      • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08,00000000,1000EE43,00000000,00000000,00000000), ref: 1000F382
                                                      • #4278.MFC42(1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08,00000000,1000EE43), ref: 1000F39E
                                                      • #6883.MFC42(?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08), ref: 1000F3B2
                                                      • #800.MFC42(?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08), ref: 1000F3C3
                                                      • #6662.MFC42(0000005C,00000001,?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8), ref: 1000F3D0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: #6662$#4278#6883#800
                                                       • String ID:
                                                       • API String ID: 2113711092-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID:
                                                       • String ID:
                                                       • API String ID:
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 1000A9D6
                                                      • GetWindowTextA.USER32(00000000,101256F8,00000400), ref: 1000A9EC
                                                      • lstrlenA.KERNEL32(101256F8), ref: 1000AA21
                                                      • GetLocalTime.KERNEL32(?), ref: 1000AA34
                                                      • wsprintfA.USER32 ref: 1000AA89
                                                        • Part of subcall function 1000A8A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000A8B4
                                                        • Part of subcall function 1000A8A0: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000A92D
                                                        • Part of subcall function 1000A8A0: GetFileSize.KERNEL32 ref: 1000A940
                                                        • Part of subcall function 1000A8A0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000A954
                                                        • Part of subcall function 1000A8A0: lstrlenA.KERNEL32(?), ref: 1000A962
                                                        • Part of subcall function 1000A8A0: #823.MFC42(00000000), ref: 1000A96B
                                                        • Part of subcall function 1000A8A0: lstrlenA.KERNEL32(?,?,00000000), ref: 1000A991
                                                        • Part of subcall function 1000A8A0: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000A99A
                                                        • Part of subcall function 1000A8A0: CloseHandle.KERNEL32(00000000), ref: 1000A9A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: File$lstrlen$Window$#823CloseCreateDirectoryForegroundHandleLocalPointerSizeSystemTextTimeWritewsprintf
                                                       • String ID:
                                                       • API String ID: 2024509201-0
                                                      APIs
                                                      • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,10007C5E,00000001,00000001,?,00000001,00000001,00000001), ref: 100089FE
                                                      • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,10007C5E), ref: 10008A13
                                                      • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,10007C5E), ref: 10008A40
                                                      • LocalFree.KERNEL32(00000000,?,?,00000065,10007C5E), ref: 10008A5D
                                                      • LocalFree.KERNEL32(00000000,?,?,00000065,10007C5E), ref: 10008A75
                                                        • Part of subcall function 10008A90: CloseHandle.KERNEL32(?,00000000,10008A70,?,?,00000065,10007C5E), ref: 10008A9F
                                                        • Part of subcall function 10008A90: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,10008A70,?,?,00000065,10007C5E), ref: 10008ACC
                                                        • Part of subcall function 10008A90: #825.MFC42(00000001,?,?,00000065,10007C5E), ref: 10008AD3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                       • String ID:
                                                       • API String ID: 1358099757-0
                                                      APIs
                                                        • Part of subcall function 1000E550: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10014540,?,?,?,?,?,100945F0,000000FF), ref: 1000E55D
                                                        • Part of subcall function 1000E550: GetProcAddress.KERNEL32(00000000), ref: 1000E564
                                                        • Part of subcall function 1000E550: Sleep.KERNEL32(00000096,?,?,?,?,?,100945F0,000000FF), ref: 1000E577
                                                        • Part of subcall function 100149F0: GetDeviceCaps.GDI32(?,00000076), ref: 10014A20
                                                        • Part of subcall function 100149F0: GetDeviceCaps.GDI32(?,00000075), ref: 10014A33
                                                      • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 100145D9
                                                      • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 100145EC
                                                      • Sleep.KERNEL32(000000C8), ref: 10014629
                                                        • Part of subcall function 10013FA0: InterlockedExchange.KERNEL32(?,00000000), ref: 10013FCA
                                                        • Part of subcall function 10013FA0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,100945E1,000000FF), ref: 10013FD5
                                                        • Part of subcall function 10013FA0: CloseHandle.KERNEL32(?,?,?,?,?,?,100945E1,000000FF), ref: 10013FE2
                                                        • Part of subcall function 10013FA0: #823.MFC42 ref: 1001400B
                                                        • Part of subcall function 10013FA0: InterlockedExchange.KERNEL32(?,00000001), ref: 100140B0
                                                      • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10014608
                                                      • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001461B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                       • String ID:
                                                       • API String ID: 2254935227-0
                                                      APIs
                                                      • #823.MFC42(00000018,?,?,?,?,1001D095,1001D075,?,?,1001D075), ref: 1001DECE
                                                      • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,1001D075), ref: 1001DEE8
                                                      • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,1001D075), ref: 1001DF1A
                                                      • #825.MFC42(00000000,?,?,?,?,?,1001D075), ref: 1001DF25
                                                      • #823.MFC42(00000018,?,?,?,?,?,1001D075), ref: 1001DF35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                       • API ID: #823Lockit@std@@$#825??0_??1_
                                                       • String ID:
                                                       • API String ID: 2469163743-0
                                                      APIs
                                                      • WTSQuerySessionInformationW.WTSAPI32 ref: 10020464
                                                      • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10020484
                                                      • WTSFreeMemory.WTSAPI32(?), ref: 1002048F
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 100204C8
                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 100204DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                      • String ID:
                                                      • API String ID: 2394411120-0
                                                      • Opcode ID: c2ce9788b441f8bbf1360f39e8dda1561a80994daea6b1d25e3998bcc48103bb
                                                      • Instruction ID: f44f65743c4aa95c1b0d8f835a528bed897c216a2caf1a45d4846aad5cd6d694
                                                      • Opcode Fuzzy Hash: c2ce9788b441f8bbf1360f39e8dda1561a80994daea6b1d25e3998bcc48103bb
                                                      • Instruction Fuzzy Hash: C11161792183417BE710CB54DC46FFB73ECBBC8B04F508A1CFA98961C0E674A5088B62
                                                      APIs
                                                      • strstr.MSVCRT ref: 100165EA
                                                      • lstrcatA.KERNEL32(10126040,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00001F99,?,762323A0), ref: 1001660B
                                                      • lstrcatA.KERNEL32(10126040,100F54AC,?,?,?,?,?,?,?,?,?,?,00000000,00001F99,?,762323A0), ref: 10016617
                                                      • strstr.MSVCRT ref: 10016628
                                                      • lstrcatA.KERNEL32(10126040,10119D9C,?,?,?,?,?,?,?,?,00000000,00001F99,?,762323A0), ref: 1001663B
                                                        • Part of subcall function 100275D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
                                                        • Part of subcall function 100275D0: Process32First.KERNEL32(00000000,00000000), ref: 1002760B
                                                        • Part of subcall function 100275D0: _stricmp.MSVCRT(?,?,00000002,00000000), ref: 10027627
                                                        • Part of subcall function 100275D0: Process32Next.KERNEL32(00000000,?), ref: 10027636
                                                        • Part of subcall function 100275D0: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 10027640
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$Process32strstr$CloseCreateFirstHandleNextSnapshotToolhelp32_stricmp
                                                      • String ID:
                                                      • API String ID: 2904590524-0
                                                      • Opcode ID: f7137ac66cda5ec32b092cc6e9faadf80d3ff30cec51e9382e580b5db92c5ee3
                                                      • Instruction ID: 5774f1ecba56e453be5a0a45c60184a0c1984639b62fdeee2dd82b6a72a6d4d3
                                                      • Opcode Fuzzy Hash: f7137ac66cda5ec32b092cc6e9faadf80d3ff30cec51e9382e580b5db92c5ee3
                                                      • Instruction Fuzzy Hash: F5F0F62170024027D6A0EB65AC41ECB6299DFCC1267A54835FE49B7240D73EF9806575
                                                      APIs
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10023ED2), ref: 10022BE7
                                                      • OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10022C00
                                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 10022C17
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 10022C1E
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 10022C21
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandleOpen$ManagerStart
                                                      • String ID:
                                                      • API String ID: 1485051382-0
                                                      • Opcode ID: eb8428ef20d160348693f1ea2bff3b88d238e8ce2e3a57c5cdd25172a8d28a32
                                                      • Instruction ID: 5312dce52206496eb9be39d4d7c11ed1945476c11083ddbae13424b42aded7d3
                                                      • Opcode Fuzzy Hash: eb8428ef20d160348693f1ea2bff3b88d238e8ce2e3a57c5cdd25172a8d28a32
                                                      • Instruction Fuzzy Hash: 33E0D83A3456207BF2226754ACD9FEF6768DF89F90F314304FE0056280CE60DC014A69
                                                      APIs
                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,00001F99), ref: 100046BA
                                                      • CancelIo.KERNEL32(?), ref: 100046C7
                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                                                      • closesocket.WS2_32(?), ref: 100046E3
                                                      • SetEvent.KERNEL32(00001F99), ref: 100046F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                      • String ID:
                                                      • API String ID: 1486965892-0
                                                      • Opcode ID: bd36ccd5c4a115f5ddb7f7bfb82cff20287f85f718eb939da8920a339c863b65
                                                      • Instruction ID: dcb14e28207f84cddf8b536a38434a622c525def06c45350d6b94f45d0ddf033
                                                      • Opcode Fuzzy Hash: bd36ccd5c4a115f5ddb7f7bfb82cff20287f85f718eb939da8920a339c863b65
                                                      • Instruction Fuzzy Hash: 46F01275214711FFE6148B60CC88FD777A8AF49711F20CB1DFA9A46290DB70A4488755
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 100052F6
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100052FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: KERNEL32.dll$WideCharToMultiByte
                                                      • API String ID: 2574300362-2634761684
                                                      • Opcode ID: ffd90f7185964eb556eeb9edbbcc56fdcfe4513e25a79eef093bbb327f4e5d8d
                                                      • Instruction ID: a60fc2479c5358919289a22d77369d577414e2d4bd87a39acfcaa8f0c898c8ef
                                                      • Opcode Fuzzy Hash: ffd90f7185964eb556eeb9edbbcc56fdcfe4513e25a79eef093bbb327f4e5d8d
                                                      • Instruction Fuzzy Hash: 904160701087868FD324CF1CC894DABBBE5EBD1385F15897CE0D187225EA71994ECB91
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32 ref: 10006E09
                                                      • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10006E69
                                                      • CloseHandle.KERNEL32(00000000), ref: 10006E8C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryFileHandleSystem
                                                      • String ID: p
                                                      • API String ID: 1277589315-2181537457
                                                      • Opcode ID: dd7a952f80a68ae76fce63fc649ab6e9df93226e9eb915c29670a1cb88c65aaa
                                                      • Instruction ID: e8e8bbcb3c9e1dd45ca3e139e740b2b919d1379254e11a4ae95986e5f3b1151e
                                                      • Opcode Fuzzy Hash: dd7a952f80a68ae76fce63fc649ab6e9df93226e9eb915c29670a1cb88c65aaa
                                                      • Instruction Fuzzy Hash: E81105756042045BD314CF78AC45AEABB95FB84370F104B2EFE66971D1DAB55808C791
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000CD08
                                                        • Part of subcall function 1000CCA0: GetVersionExA.KERNEL32 ref: 1000CCB3
                                                      • ShellExecuteExA.SHELL32(0000003C), ref: 1000CDA7
                                                      • ExitProcess.KERNEL32 ref: 1000CDB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                      • String ID: <
                                                      • API String ID: 984616556-4251816714
                                                      • Opcode ID: b053251a19a3ed45b162c358d78e13ed6dd9c768c72ac4d7250cb05551b6ff49
                                                      • Instruction ID: 38226a7d1cbc36c07722d624247b2eb7ef1b6f6f5115ae9e9116eebf37325c34
                                                      • Opcode Fuzzy Hash: b053251a19a3ed45b162c358d78e13ed6dd9c768c72ac4d7250cb05551b6ff49
                                                      • Instruction Fuzzy Hash: C421C6711083446FE714DB24C81579BB7D5FBC8354F404A2EFB5A972D0DB75A908CB42
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 10001425
                                                        • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                        • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                        • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                        • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                        • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                        • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: WINMM.dll$waveOutWrite
                                                      • API String ID: 2574300362-665518901
                                                      • Opcode ID: 3f99c050e077f9e98bebad0164ceaaba35ab4ae573f71ae4a5201268694d7833
                                                      • Instruction ID: d05ae801d7ea020541401e5570a31778a76b5d6f40a75ca6236e8c94c424c07f
                                                      • Opcode Fuzzy Hash: 3f99c050e077f9e98bebad0164ceaaba35ab4ae573f71ae4a5201268694d7833
                                                      • Instruction Fuzzy Hash: 7A1170752043059FDB18DF68D8C89A7BBE5FB88391B118559FE428B34AD772EC04DB60
                                                      APIs
                                                      • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 1000920A
                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009226
                                                      • SetFilePointer.KERNEL32 ref: 10009244
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Pointer$Write
                                                      • String ID: p
                                                      • API String ID: 3847668363-2181537457
                                                      • Opcode ID: 75688e670bcdd66ab78c35ec944d7351c0487d13a171b597d89c89cde9d5bf71
                                                      • Instruction ID: f6b3447963bd255bb56c3963be1272a6af8da02ba4e9acce5704280961eb2dd2
                                                      • Opcode Fuzzy Hash: 75688e670bcdd66ab78c35ec944d7351c0487d13a171b597d89c89cde9d5bf71
                                                      • Instruction Fuzzy Hash: 931139B5648341ABE314DF28CC85F9BB7E9FBD8714F108A0DF598A3380D674A9058BA1
                                                      APIs
                                                        • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(?,?,1000404A,76232EE0), ref: 10001B98
                                                      • WSAStartup.WS2_32(00000202,?), ref: 1000408D
                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000409B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateCriticalEventInitializeSectionStartup
                                                      • String ID: h$x
                                                      • API String ID: 1327880603-380853026
                                                      APIs
                                                      • #823.MFC42(00000014,?,00000000), ref: 10020B67
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 10020B8B
                                                      • wsprintfA.USER32 ref: 10020BAE
                                                      Similarity
                                                      • API ID: #823GlobalMemoryStatuswsprintf
                                                      • String ID: @
                                                      • API String ID: 1983843647-2766056989
                                                      APIs
                                                      • #823.MFC42(00000014,75BE0450,00000000), ref: 100216F7
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002171B
                                                      • wsprintfA.USER32 ref: 1002173E
                                                      Similarity
                                                      • API ID: #823GlobalMemoryStatuswsprintf
                                                      • String ID: @
                                                      • API String ID: 1983843647-2766056989
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 10027C71
                                                      • GetThreadDesktop.USER32(00000000,?,10014295), ref: 10027C78
                                                        • Part of subcall function 10027720: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,100274E9,00000000), ref: 1002773B
                                                        • Part of subcall function 10027720: GetProcAddress.KERNEL32(00000000), ref: 10027744
                                                      • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 10027CA4
                                                      Similarity
                                                      • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                      • String ID: Winlogon
                                                      • API String ID: 133172028-744610081
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F99,1001A69F,?,00000000,00001F99), ref: 1000E3B0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: CreateEventA$KERNEL32.dll
                                                      • API String ID: 2574300362-2476775342
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1001A7C6), ref: 1000E403
                                                      • GetProcAddress.KERNEL32(00000000), ref: 1000E40A
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: CloseHandle$KERNEL32.dll
                                                      • API String ID: 2574300362-2295661983
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100277CA
                                                      • GetProcAddress.KERNEL32(00000000), ref: 100277D1
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: KERNEL32.dll$lstrlenA
                                                      • API String ID: 2574300362-1796993502
                                                      Similarity
                                                      • API ID: sprintfstrchr
                                                      • String ID: $u%04x
                                                      • API String ID: 3926751878-2846719512
                                                      APIs
                                                      • #825.MFC42(1000FB70,00000000,?,?,?,1000EADD,00000000,000000FF,00000000,000000FF,00000000,?), ref: 1000FBCD
                                                      • #823.MFC42(00000000,00000000,?,?,?,1000EADD,00000000,000000FF,00000000,000000FF,00000000,?), ref: 1000FBF2
                                                        • Part of subcall function 1000FD40: #540.MFC42(00000000,1000FB70,100B37B4,00000000), ref: 1000FD92
                                                        • Part of subcall function 1000FD40: #540.MFC42(00000000,1000FB70,100B37B4,00000000), ref: 1000FD9F
                                                      Similarity
                                                      • API ID: #540$#823#825
                                                      • String ID:
                                                      • API String ID: 3261958014-0
                                                      APIs
                                                      • #825.MFC42(00000000), ref: 10013653
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,100944F8), ref: 10013667
                                                      • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,100944F8), ref: 100135F8
                                                        • Part of subcall function 10012F70: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10013058
                                                      • #825.MFC42(00000000), ref: 100136E6
                                                      Similarity
                                                      • API ID: #823#825$Open
                                                      • String ID:
                                                      • API String ID: 2004829228-0
                                                      APIs
                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 1000639E
                                                      • LoadLibraryA.KERNEL32(?), ref: 100063BA
                                                        • Part of subcall function 10005FD0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 10005FE0
                                                        • Part of subcall function 10005FD0: HeapReAlloc.KERNEL32(00000000), ref: 10005FE7
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 10006423
                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 1000644A
                                                      Similarity
                                                      • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                      • String ID:
                                                      • API String ID: 2932169029-0
                                                      APIs
                                                      • LocalSize.KERNEL32(00000000), ref: 1001341E
                                                      • LocalFree.KERNEL32(00000000), ref: 1001342A
                                                      • LocalSize.KERNEL32(00000000), ref: 10013445
                                                      • LocalFree.KERNEL32(00000000), ref: 10013451
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Local$FreeSize
                                                      • String ID:
                                                      • API String ID: 2726095061-0
                                                      • Opcode ID: aaccef850a459a913de49db2cc7268e570c88ae9b1177bf81f9497e23b4d07ff
                                                      • Instruction ID: edeec14e4cc59e26010fbe5352bb8f3fa6d62ab776fe34c3a72966264372e779
                                                      • Opcode Fuzzy Hash: aaccef850a459a913de49db2cc7268e570c88ae9b1177bf81f9497e23b4d07ff
                                                      • Instruction Fuzzy Hash: 7731CFB9104641ABD311DF24C885BAFF7D9FF84250F04CA19F8A58B291CF34E88986A6
                                                      APIs
                                                      • ceil.MSVCRT ref: 10001D8C
                                                      • _ftol.MSVCRT ref: 10001D95
                                                      • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 10001DA9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocVirtual_ftolceil
                                                      • String ID:
                                                      • API String ID: 3317677364-0
                                                      • Opcode ID: db3109134e0dd1b074cf1a6a2bcb92a074c120706bfad9bebacfd547bdbcb084
                                                      • Instruction ID: 6a02b08ecb513daa83518765fdbb4a183cbd4e8acd957765743c5ed009b33113
                                                      • Opcode Fuzzy Hash: db3109134e0dd1b074cf1a6a2bcb92a074c120706bfad9bebacfd547bdbcb084
                                                      • Instruction Fuzzy Hash: 8711D2397483049BE704DF28AC8675AB7E4EB802A1F10C53EFD458B385DA75A808CA65
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _ftolceil
                                                      • String ID:
                                                      • API String ID: 2006273141-0
                                                      • Opcode ID: b1cc1dec3e418fae9e7db1890ea245d95f3f3feb7796523aa2fdfc281f2208be
                                                      • Instruction ID: d0175bc4f4a34512d873607b7a3a5f5d08c3c65deb06d00e0a9ef8e2861c4c77
                                                      • Opcode Fuzzy Hash: b1cc1dec3e418fae9e7db1890ea245d95f3f3feb7796523aa2fdfc281f2208be
                                                      • Instruction Fuzzy Hash: 7F11A2756483049BE704EF24EC8676FBBD1EB84791F10C53DFD498B344DA35A818C666
                                                      APIs
                                                      • mbstowcs.MSVCRT ref: 10020BF7
                                                      • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 10020C2E
                                                      • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 10020C4F
                                                        • Part of subcall function 100210A0: LocalSize.KERNEL32(00000000), ref: 100210B0
                                                        • Part of subcall function 100210A0: LocalFree.KERNEL32(00000000,?,1002159A,00000001,?,00000000,00000001,?,?), ref: 100210C0
                                                      • LocalFree.KERNEL32(?,?,?,?), ref: 10020C61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                      • String ID:
                                                      • API String ID: 2733533-0
                                                      • Opcode ID: 829cc17d891d7a009ea603dd523741c406f579c94ae7f0b4ced94b3e205aa593
                                                      • Instruction ID: 8a0e8bc7b7c7ca04763c8623102f79d86d2cb973aca5680dbec21e2fc8fb2751
                                                      • Opcode Fuzzy Hash: 829cc17d891d7a009ea603dd523741c406f579c94ae7f0b4ced94b3e205aa593
                                                      • Instruction Fuzzy Hash: 71110C356083407BD314DB28CC85FDB77D9AFD8710F008B2CB595922D1DBB4A54C86A3
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10093BAC,000000FF,1001A7DA), ref: 1000414C
                                                      • CloseHandle.KERNEL32(?), ref: 1000416F
                                                      • CloseHandle.KERNEL32(?), ref: 10004178
                                                      • WSACleanup.WS2_32 ref: 1000417A
                                                        • Part of subcall function 10004690: setsockopt.WS2_32(?,0000FFFF,00000080,00001F99), ref: 100046BA
                                                        • Part of subcall function 10004690: CancelIo.KERNEL32(?), ref: 100046C7
                                                        • Part of subcall function 10004690: InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                                                        • Part of subcall function 10004690: closesocket.WS2_32(?), ref: 100046E3
                                                        • Part of subcall function 10004690: SetEvent.KERNEL32(00001F99), ref: 100046F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                      • String ID:
                                                      • API String ID: 136543108-0
                                                      • Opcode ID: 3c31ecc3efc9b7a95a06bdecb3c519a04da91a893abd3ff5a1b2600400951ae3
                                                      • Instruction ID: 07a29b8234a850fa379c3b3bc20d63775bdbb319667b4160076f0621524ca994
                                                      • Opcode Fuzzy Hash: 3c31ecc3efc9b7a95a06bdecb3c519a04da91a893abd3ff5a1b2600400951ae3
                                                      • Instruction Fuzzy Hash: E0118278108B41DFD314DF24C844796B7E8EF95660F108B0DF4AA432D1DBB8A4058B63
                                                      APIs
                                                      • #537.MFC42(?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F827
                                                      • #940.MFC42(?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F85E
                                                      • #535.MFC42(?,?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F86F
                                                      • #800.MFC42(?,?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F885
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #535#537#800#940
                                                      • String ID:
                                                      • API String ID: 1382806170-0
                                                      • Opcode ID: a67a41b0cfc148ec8c8e9a3f9276604de8997e82962922074fa98d43e7c6a1f2
                                                      • Instruction ID: 7ef697e53fde7206ed55e2e9f33ed6a6957419e653b5ee056a74f682a86ecc0b
                                                      • Opcode Fuzzy Hash: a67a41b0cfc148ec8c8e9a3f9276604de8997e82962922074fa98d43e7c6a1f2
                                                      • Instruction Fuzzy Hash: B201AD795087419FE304DF14C8A0BABBBE4EB85764F408A0CF4A587391CB74A90ACB92
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 10022A95
                                                      • Process32First.KERNEL32(00000000,?), ref: 10022AA2
                                                      • CloseHandle.KERNEL32(00000000,00000000,?), ref: 10022AEB
                                                        • Part of subcall function 100228D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,762332F0,00000074), ref: 100228F7
                                                        • Part of subcall function 100228D0: Module32First.KERNEL32(00000000,00000000), ref: 1002290C
                                                        • Part of subcall function 100228D0: lstrcmpiA.KERNEL32(?,?), ref: 1002292B
                                                        • Part of subcall function 100228D0: Module32Next.KERNEL32(00000000,00000000), ref: 10022937
                                                        • Part of subcall function 100228D0: CloseHandle.KERNEL32(00000000), ref: 10022941
                                                      • Process32Next.KERNEL32(00000000,?), ref: 10022AE0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32$lstrcmpi
                                                      • String ID:
                                                      • API String ID: 2919294073-0
                                                      • Opcode ID: a15fb80e47adfe34b38c89ff5dccbf8a92c4ae00366219e9a26ee8ee913ad456
                                                      • Instruction ID: 780367d7b75f0361d150bd492c392be3d9f31ff92f100a46db02e518b479f483
                                                      • Opcode Fuzzy Hash: a15fb80e47adfe34b38c89ff5dccbf8a92c4ae00366219e9a26ee8ee913ad456
                                                      • Instruction Fuzzy Hash: 31F0A47A5012113BE320DA60AC86EBB77ACEFC1691F410528FD04C6141EA28DD4487B2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #536#537#800#922
                                                      • String ID:
                                                      • API String ID: 1475696894-0
                                                      • Opcode ID: 8a18b5d4dc0a9b31dcc06102f229be9198864deb47fcd1eb5b27903d283c6292
                                                      • Instruction ID: d0ed385982ad1732d9b0214eee90db09e1a4840f6888357c984cca6a606981b1
                                                      • Opcode Fuzzy Hash: 8a18b5d4dc0a9b31dcc06102f229be9198864deb47fcd1eb5b27903d283c6292
                                                      • Instruction Fuzzy Hash: 7301D479205650EFD304DF08D801B9BF7E4FB88B18F40892DF989A7381C779A905CB92
                                                      APIs
                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 1002824A
                                                      • htons.WS2_32 ref: 10028272
                                                      • connect.WS2_32(00000000,?,00000010), ref: 10028285
                                                      • closesocket.WS2_32(00000000), ref: 10028291
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocketconnecthtonssocket
                                                      • String ID:
                                                      • API String ID: 3817148366-0
                                                      • Opcode ID: 8db1c2852fbf6de43b2290949b5900205c27bc44c2949a0c7132525fa41f41c7
                                                      • Instruction ID: 22dca3e1e4bfc97464a196a2ebd19a3bb14afc07c97539a9e126fe182ba36b14
                                                      • Opcode Fuzzy Hash: 8db1c2852fbf6de43b2290949b5900205c27bc44c2949a0c7132525fa41f41c7
                                                      • Instruction Fuzzy Hash: FEF068385146316BE700EB789C897DA77E0EF84324FD08B49F968922D1E27595044786
                                                      APIs
                                                      • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 10027A3C
                                                      • #823.MFC42(00000100,?,00000000,000000FF,00000005,?,?), ref: 10027A4B
                                                      • lstrcpyA.KERNEL32(00000000,?,?), ref: 10027A5B
                                                      • WTSFreeMemory.WTSAPI32(?), ref: 10027A66
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                      • String ID:
                                                      • API String ID: 3008764780-0
                                                      • Opcode ID: 4a4716e641b1811a7944843c1f083ea8d00bc88efccd16b5449f2bafa7676faa
                                                      • Instruction ID: 4623df3cd4e59db09e54146d2afa1ad2f47fe0ec18c79b3b6d92289ad395e6bc
                                                      • Opcode Fuzzy Hash: 4a4716e641b1811a7944843c1f083ea8d00bc88efccd16b5449f2bafa7676faa
                                                      • Instruction Fuzzy Hash: 0AF082B96042116BD700DB78AC4696B76E8EB84651F404A2CF84CC2280F634EE08C7A2
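The "APIs" entries above (the NetUserSetInfo level 0x3F0 call, the Toolhelp32 process/module walk, the socket/connect pair and the WTSQuerySessionInformationA query) list raw hexadecimal argument slots that a triager has to decode by hand. The following parser is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it reads lines in the report's own "• API.MODULE(args), ref: addr" format, turns them into records, and annotates the leading parameters with the Windows SDK / Winsock constant names they correspond to. The sample lines are copied from the entries above; the capability labels are this example's own triage heuristic; and the mapping of a 000000FF slot to WTS_CURRENT_SESSION assumes the plugin renders the sign-extended `push -1` immediate as a single byte, which is an assumption about the listing, not a fact stated in the report.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" lines and decode argument constants.

Added example: not part of the report and not code from the sample. Constant
values are Windows SDK / Winsock definitions; the capability labels are a
triage heuristic chosen here, not report content.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the report entries in the same format.
SAMPLE = """\
• mbstowcs.MSVCRT ref: 10020BF7
• NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 10020C2E
• Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 10020C4F
  • Part of subcall function 100228D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,762332F0,00000074), ref: 100228F7
• socket.WS2_32(00000002,00000001,00000000), ref: 1002824A
• WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 10027A3C
• VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 10001DA9
• Process32First.KERNEL32(?,00000128), ref: 1000A847
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # address of the call site in the dump
    args: list                    # int per slot, None where the plugin printed '?'
    subcall_of: Optional[int] = None
    notes: list = field(default_factory=list)


def _bits(value, table):
    """Render a flag word as OR-ed names; unknown bits are kept as hex."""
    names = [n for bit, n in table.items() if value & bit]
    unknown = value & ~sum(table)
    return "|".join(names) + (f"|0x{unknown:X}" if unknown else "") if names else None


TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
WTS_INFO_CLASS = {4: "WTSSessionId", 5: "WTSUserName", 6: "WTSWinStationName",
                  7: "WTSDomainName", 8: "WTSConnectState"}
USER_INFO_LEVEL = {1003: "USER_INFO_1003 (password)", 1008: "USER_INFO_1008 (account flags)"}

# (api, parameter index) -> decoder. The listing prints more stack slots than
# the API has parameters, so only the leading real parameters are decoded.
DECODERS = {
    ("NetUserSetInfo", 2): lambda v: USER_INFO_LEVEL.get(v, f"level {v}"),
    ("Sleep", 0): lambda v: f"{v} ms",
    ("CreateToolhelp32Snapshot", 0): lambda v: _bits(v, TH32CS),
    ("socket", 0): lambda v: {2: "AF_INET", 23: "AF_INET6"}.get(v),
    ("socket", 1): lambda v: {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}.get(v),
    ("VirtualAlloc", 2): lambda v: _bits(v, MEM),
    ("VirtualAlloc", 3): lambda v: PAGE.get(v),
    ("WTSQuerySessionInformationA", 0): lambda v: "WTS_CURRENT_SERVER_HANDLE" if v == 0 else None,
    # Assumption: the plugin shows `push -1` (6A FF) as 000000FF, so both forms map to -1.
    ("WTSQuerySessionInformationA", 1): lambda v: "WTS_CURRENT_SESSION" if v in (0xFF, 0xFFFFFFFF) else None,
    ("WTSQuerySessionInformationA", 2): lambda v: WTS_INFO_CLASS.get(v),
}

# Heuristic triage labels chosen for this example (not report signatures).
CAPABILITIES = {
    "process/module enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                                   "Process32Next", "Module32First", "Module32Next"},
    "local account modification": {"NetUserSetInfo", "NetUserAdd"},
    "outbound TCP connection": {"socket", "connect"},
    "logged-on user lookup": {"WTSQuerySessionInformationA", "WTSQuerySessionInformationW"},
}


def parse_api_line(line):
    """Parse one bullet line; return an ApiCall or None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [None if a.strip() == "?" else int(a, 16)
                                   for a in raw.split(",") if a.strip()]
    call = ApiCall(api=m.group("api"), module=m.group("mod"), ref=int(m.group("ref"), 16),
                   args=args, subcall_of=int(m.group("sub"), 16) if m.group("sub") else None)
    for i, v in enumerate(args):
        dec = DECODERS.get((call.api, i))
        text = dec(v) if (v is not None and dec) else None
        if text:
            call.notes.append(f"arg{i}=0x{v:X} -> {text}")
    return call


def parse_report(text):
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def capabilities(calls):
    seen = {c.api for c in calls}
    return sorted(name for name, apis in CAPABILITIES.items() if apis & seen)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.api} {c.notes}")
    print("capabilities:", capabilities(parsed))
```

Feed it the "APIs" bullets of any function entry on this page (copy them into SAMPLE or read them from a file) to get the decoded parameters next to each call site; the decoder table is the place to extend when a new API shows up in a report.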
                                                      APIs
                                                      • Process32First.KERNEL32(?,00000128), ref: 1000A847
                                                      • Process32Next.KERNEL32(?,00000128), ref: 1000A864
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2094893254.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000000.00000002.2094878043.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100B3000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100C4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100D4000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2094947570.00000000100E6000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095026147.00000000100F5000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000000.00000002.2095063640.0000000010193000.00000002.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$FirstNext
                                                      • String ID: ???
                                                      • API String ID: 1173892470-1053719742
                                                      APIs
                                                        • Part of subcall function 1000E390: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F99,1001A69F,?,00000000,00001F99), ref: 1000E3B0
                                                        • Part of subcall function 1000E390: GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                                                        • Part of subcall function 1000E550: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10014540,?,?,?,?,?,100945F0,000000FF), ref: 1000E55D
                                                        • Part of subcall function 1000E550: GetProcAddress.KERNEL32(00000000), ref: 1000E564
                                                        • Part of subcall function 1000E550: Sleep.KERNEL32(00000096,?,?,?,?,?,100945F0,000000FF), ref: 1000E577
                                                      • CreateThread.KERNEL32(00000000,00000000,10002060,?,00000000,00000000), ref: 10001FE7
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 10001FF2
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc$CloseCreateHandleSleepThread
                                                      • String ID: t
                                                      • API String ID: 3180453614-2238339752
                                                      APIs
                                                        • Part of subcall function 100284B0: Sleep.KERNEL32(00000064,?,?), ref: 100284C1
                                                        • Part of subcall function 100284B0: wsprintfA.USER32 ref: 100284EC
                                                        • Part of subcall function 100284B0: closesocket.WS2_32(00000000), ref: 10028504
                                                        • Part of subcall function 100284B0: TerminateThread.KERNEL32(?,00000000), ref: 1002853C
                                                        • Part of subcall function 100284B0: CloseHandle.KERNEL32(101281A0), ref: 10028543
                                                      • gethostbyname.WS2_32(10125F08), ref: 10020038
                                                      • inet_ntoa.WS2_32(?), ref: 1002005B
                                                        • Part of subcall function 10028370: _snprintf.MSVCRT ref: 100283AF
                                                        • Part of subcall function 10028370: recv.WS2_32(00000000,?,00000002,00000000), ref: 10028411
                                                        • Part of subcall function 10028370: CreateThread.KERNEL32(00000000,00000000,100282D0,?,00000000,?), ref: 10028460
                                                        • Part of subcall function 10028370: CloseHandle.KERNEL32(00000000), ref: 10028474
                                                        • Part of subcall function 10028370: closesocket.WS2_32(00000000), ref: 10028491
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                                                      • String ID: 127.0.0.1
                                                      • API String ID: 4129115345-3619153832
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004573,?,00000003,00000003,00000000,?,100043FB,?,00000000,?), ref: 10001C8E
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,10004573,?,00000003,00000003,00000000,?,100043FB,?,00000000,?), ref: 10001CA4
                                                      • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004573,?,00000003,00000003,00000000,?,100043FB,?,00000000), ref: 10001CF5
                                                      • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004573,?,00000003,00000003,00000000,?,100043FB,?,00000000,?), ref: 10001D1B
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$Entermemmove
                                                      • String ID:
                                                      • API String ID: 72348100-0
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                      • String ID:
                                                      • API String ID: 3289936468-0