
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583451
MD5: b00f13f32231a2de38e2086dd297e250
SHA1: 3b00864299513546759a102186b1b894f7920884
SHA256: 00ef210a88f26be8dc6998d53a5eda9158f71842f590eea13d913f8ff3327cb7
Tags: exe, Gh0stRAT, user-jstrosch

Detection

GhostRat, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates autostart registry keys to launch java
Deletes itself after installation
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Self deletion via cmd or bat file
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B00F13F32231A2DE38E2086DD297E250)
    • cmd.exe (PID: 7988 cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • javaw.exe (PID: 7712 cmdline: C:\ProgramData\javaw.exe MD5: B00F13F32231A2DE38E2086DD297E250)
    • javaw.exe (PID: 7960 cmdline: C:\ProgramData\javaw.exe Win7 MD5: B00F13F32231A2DE38E2086DD297E250)
    • javaw.exe (PID: 8000 cmdline: C:\ProgramData\javaw.exe Win7 MD5: B00F13F32231A2DE38E2086DD297E250)
    • WerFault.exe (PID: 8108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 8024 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 8072 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
Source | Rule | Description | Author | Strings
2.2.javaw.exe.408050.1.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
2.2.javaw.exe.408050.1.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
2.2.javaw.exe.408050.1.unpack | MALWARE_Win_Zegost | Detects Zegost | ditekSHen
  • 0x1c8b0:$s1: rtvscan.exe
  • 0x1c8cc:$s2: ashDisp.exe
  • 0x1ca40:$s3: KvMonXP.exe
  • 0x1c924:$s4: egui.exe
  • 0x1c8e0:$s5: avcenter.exe
  • 0x1c828:$s6: K7TSecurity.exe
  • 0x1c8f8:$s7: TMBMSRV.exe
  • 0x1ca2c:$s8: RavMonD.exe
  • 0x1cac8:$s9: kxetray.exe
  • 0x1c9f8:$s10: mssecess.exe
  • 0x1ca14:$s11: QUHLPSVC.EXE
  • 0x1caf4:$s12: 360tray.exe
  • 0x1ca90:$s13: QQPCRTP.exe
  • 0x1c90c:$s14: knsdtray.exe
  • 0x1c9ac:$s15: V3Svc.exe
  • 0x1ba28:$s16: ??1_Winit@std@@QAE@XZ
  • 0x1b3a2:$s17: ClearEventLogA
  • 0x1c2d4:$s18: SeShutdownPrivilege
  • 0x1c144:$s19: %s\shell\open\command
2.2.javaw.exe.10000000.2.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
2.2.javaw.exe.10000000.2.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security

System Summary

Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 8024, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:09:00.997407+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:10:00.645899+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:10:20.828065+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:10:22.061717+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49887 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:10:42.814413+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49887 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:10:44.063664+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50008 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:04.830146+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50008 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:12.217745+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50009 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:26.609583+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50009 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:32.601465+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:48.161259+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:11:55.733950+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:09.630499+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:15.241803+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:31.003568+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:37.705395+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:52.441492+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 198.98.57.188 | 7722 | TCP
2025-01-02T20:12:58.888721+0100 | 2036861 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 198.98.57.188 | 7722 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: C:\ProgramData\javaw.exe | Avira: detection malicious, Label: HEUR/AGEN.1332102
Source: C:\ProgramData\javaw.exe | ReversingLabs: Detection: 65%
Source: file.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\javaw.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: Binary string: iphlpapi.pdbUGP source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.000000000133D000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.00000000026AD000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdb source: file.exe, 00000000.00000002.2165801588.0000000002348000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768894308.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244437631.0000000000FDF000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1952143656.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2190607026.000000000231A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359241247.000000000235E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2198617482.00000000021FF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: iphlpapi.pdb source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.000000000133D000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.00000000026AD000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: advapi32.pdbUGP source: file.exe, 00000000.00000002.2179866462.0000000002640000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.0000000002640000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: file.exe, 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000003.1756248227.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1937623553.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244667746.0000000001120000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2174087603.000000000247A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2179702027.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359403442.0000000002496000.00000040.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000000.00000003.1756248227.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, javaw.exe, 00000002.00000003.1937623553.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244667746.0000000001120000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2174087603.000000000247A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2179702027.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359403442.0000000002496000.00000040.00000020.00020000.00000000.sdmp
                    Source: Binary string: wuser32.pdb source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1961116443.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2199732002.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359805485.0000000002AAE000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2207798149.0000000002642000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: file.exe, 00000000.00000002.2165801588.0000000002348000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768894308.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244437631.0000000000FDF000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1952143656.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2190607026.000000000231A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359241247.000000000235E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2198617482.00000000021FF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: file.exe, 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: advapi32.pdb source: file.exe, 00000000.00000002.2179866462.0000000002640000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.0000000002640000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wuser32.pdbUGP source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1961116443.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2199732002.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359805485.0000000002AAE000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2207798149.0000000002642000.00000004.00000800.00020000.00000000.sdmp
Source: C:\ProgramData\javaw.exe | File opened: z:
Source: C:\ProgramData\javaw.exe | File opened: x:
Source: C:\ProgramData\javaw.exe | File opened: v:
Source: C:\ProgramData\javaw.exe | File opened: t:
Source: C:\ProgramData\javaw.exe | File opened: r:
Source: C:\ProgramData\javaw.exe | File opened: p:
Source: C:\ProgramData\javaw.exe | File opened: n:
Source: C:\ProgramData\javaw.exe | File opened: l:
Source: C:\ProgramData\javaw.exe | File opened: j:
Source: C:\ProgramData\javaw.exe | File opened: h:
Source: C:\ProgramData\javaw.exe | File opened: f:
Source: C:\ProgramData\javaw.exe | File opened: b:
Source: C:\ProgramData\javaw.exe | File opened: y:
Source: C:\ProgramData\javaw.exe | File opened: w:
Source: C:\ProgramData\javaw.exe | File opened: u:
Source: C:\ProgramData\javaw.exe | File opened: s:
Source: C:\ProgramData\javaw.exe | File opened: q:
Source: C:\ProgramData\javaw.exe | File opened: o:
Source: C:\ProgramData\javaw.exe | File opened: m:
Source: C:\ProgramData\javaw.exe | File opened: k:
Source: C:\ProgramData\javaw.exe | File opened: i:
Source: C:\ProgramData\javaw.exe | File opened: g:
Source: C:\ProgramData\javaw.exe | File opened: e:
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: c:
Source: C:\ProgramData\javaw.exe | File opened: [:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B870 lstrlen,FindFirstFileA,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose, 0_2_0040B870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B090 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 0_2_0040B090
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BBD0 FindFirstFileA,FindClose,FindClose, 0_2_0040BBD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BC90 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 0_2_0040BC90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A64D FindFirstFileA,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose, 0_2_0040A64D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A680 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040A680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10003820 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 0_2_10003820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10003040 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 0_2_10003040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10003230 wsprintfA,wsprintfA,FindFirstFileA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10003230
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10003B80 FindFirstFileA,FindClose,FindClose, 0_2_10003B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10003C40 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 0_2_10003C40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10002630 FindFirstFileA,_strupr,_strupr,_strupr,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose, 0_2_10002630
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040B870 lstrlen,FindFirstFileA,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose, 2_2_0040B870
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040B090 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 2_2_0040B090
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040BBD0 FindFirstFileA,FindClose,FindClose, 2_2_0040BBD0
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040BC90 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 2_2_0040BC90
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040A64D FindFirstFileA,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose, 2_2_0040A64D
Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040A680 FindFirstFileA,FindNextFileA,FindClose, 2_2_0040A680
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10003820 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 2_2_10003820
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10003040 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 2_2_10003040
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10003230 wsprintfA,wsprintfA,FindFirstFileA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_10003230
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10003B80 FindFirstFileA,FindClose,FindClose, 2_2_10003B80
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10003C40 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 2_2_10003C40
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10002630 FindFirstFileA,_strupr,_strupr,_strupr,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose, 2_2_10002630
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AED0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen, 0_2_0040AED0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push esi 0_2_00412414
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then inc esp 0_2_0040A64D
Source: C:\ProgramData\javaw.exe | Code function: 4x nop then push esi 2_2_00412414
Source: C:\ProgramData\javaw.exe | Code function: 4x nop then inc esp 2_2_0040A64D

Networking

Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:49747 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:49887 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50013 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50012 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50008 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50011 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50014 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50010 -> 198.98.57.188:7722
Source: Network traffic | Suricata IDS: 2036861 - Severity 1 - ET MALWARE Gh0st RAT Backdoor Checkin : 192.168.2.4:50009 -> 198.98.57.188:7722
Source: DNS query: e.0000o.xyz
Source: global traffic | TCP traffic: 192.168.2.4:49747 -> 198.98.57.188:7722
Source: Joe Sandbox View | ASN Name: PONYNETUS PONYNETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416610 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle, 0_2_00416610
Source: global traffic | DNS traffic detected: DNS query: e.0000o.xyz
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\file.exe | Code function: [Esc] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [F1] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [F2] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Scroll Lock] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Caps Lock] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Backspace] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Enter] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Tab] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Ctrl] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [CTRL] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Alt] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Insert] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Delete] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Home] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [End] 0_2_0040E490
Source: C:\Users\user\Desktop\file.exe | Code function: [Esc] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [F1] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [F2] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Scroll Lock] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Caps Lock] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Backspace] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Enter] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Tab] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Ctrl] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [CTRL] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Alt] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Insert] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Delete] 0_2_10006440
Source: C:\Users\user\Desktop\file.exe | Code function: [Home] 0_2_10006440
                    Source: C:\Users\user\Desktop\file.exeCode function: [Home]0_2_10006440
                    Source: C:\Users\user\Desktop\file.exeCode function: [End]0_2_10006440
                    Source: C:\Users\user\Desktop\file.exeCode function: [End]0_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Esc]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Esc]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [F1]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [F1]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [F2]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [F2]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Scroll Lock]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Scroll Lock]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Caps Lock]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Caps Lock]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Backspace]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Backspace]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Enter]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Enter]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Tab]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Tab]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Ctrl]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Ctrl]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [CTRL]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [CTRL]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Alt]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Alt]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Insert]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Insert]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Delete]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Delete]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Home]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Home]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [End]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [End]2_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: [Esc]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Esc]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [F1]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [F1]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [F2]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [F2]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Scroll Lock]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Scroll Lock]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Caps Lock]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Caps Lock]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Backspace]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Backspace]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Enter]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Enter]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Tab]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Tab]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Ctrl]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Ctrl]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [CTRL]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [CTRL]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Alt]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Alt]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Insert]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Insert]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Delete]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Delete]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Home]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [Home]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [End]2_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: [End]2_2_10006440
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411F40 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,0_2_00411F40
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411F40 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,0_2_00411F40
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10009EF0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,0_2_10009EF0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00411F40 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,2_2_00411F40
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10009EF0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,2_2_10009EF0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411FB0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z,0_2_00411FB0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040FCC0 Sleep,lstrlen,printf,GetAsyncKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_0040FCC0
                    Source: file.exe, 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_eb7bc85b-0
                    Source: file.exe, 00000000.00000002.2186795336.0000000002B53000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: NtUserGetRawInputDatamemstr_4311ee4e-6
                    Source: Yara matchFile source: 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 7712, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 7960, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 8000, type: MEMORYSTR

System Summary

                    Source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Zegost Author: ditekSHen
                    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: javaw.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\ProgramData\javaw.exeProcess Stats: CPU usage > 49%
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_01227112 NtQueryVirtualMemory,2_2_01227112
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100051A0: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_100051A0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00415850 OpenSCManagerA,OpenServiceA,GetLastError,QueryServiceStatus,ControlService,DeleteService,Sleep,0_2_00415850
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413F40 GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,FreeLibrary,0_2_00413F40
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E080 ExitWindowsEx,0_2_0040E080
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040D1F0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040D1F0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10006030 ExitWindowsEx,0_2_10006030
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100051A0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_100051A0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040E080 ExitWindowsEx,2_2_0040E080
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040D1F0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_0040D1F0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10006030 ExitWindowsEx,2_2_10006030
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100051A0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_100051A0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040385D0_2_0040385D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040307F0_2_0040307F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041D0800_2_0041D080
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043F16B0_2_0043F16B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041A9200_2_0041A920
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041B9800_2_0041B980
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041B2700_2_0041B270
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041CB000_2_0041CB00
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E4900_2_0040E490
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041A4B00_2_0041A4B0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00417D690_2_00417D69
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041ADD00_2_0041ADD0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043FDA40_2_0043FDA4
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004175AF0_2_004175AF
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041765B0_2_0041765B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041B6F00_2_0041B6F0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00419FC00_2_00419FC0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100150300_2_10015030
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100110300_2_10011030
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100128D00_2_100128D0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100139300_2_10013930
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100132200_2_10013220
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000FA6E0_2_1000FA6E
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10014AB00_2_10014AB0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000F3600_2_1000F360
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100064400_2_10006440
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100124600_2_10012460
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_1000FD190_2_1000FD19
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10012D800_2_10012D80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_100136A00_2_100136A0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10011F700_2_10011F70
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023140AC0_2_023140AC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023194F00_2_023194F0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023018170_2_02301817
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231581F0_2_0231581F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE8780_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318E510_2_02318E51
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC30_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024DC30D0_2_024DC30D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024D13ED0_2_024D13ED
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024CDBE20_2_024CDBE2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024ED22D0_2_024ED22D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0258C2360_2_0258C236
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0258D2230_2_0258D223
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024E72CD0_2_024E72CD
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025472DF0_2_025472DF
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0254329D0_2_0254329D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025842840_2_02584284
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024CE2AD0_2_024CE2AD
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0250B2A60_2_0250B2A6
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0256E3620_2_0256E362
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0256A3CC0_2_0256A3CC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024BE39F0_2_024BE39F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024D004D0_2_024D004D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025980530_2_02598053
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_024D303D0_2_024D303D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025850F30_2_025850F3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0258D0F60_2_0258D0F6
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0256B1590_2_0256B159
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0257B1730_2_0257B173
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025411190_2_02541119
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_025881ED0_2_025881ED
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040385D2_2_0040385D
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040307F2_2_0040307F
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041D0802_2_0041D080
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0043F16B2_2_0043F16B
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041A9202_2_0041A920
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041B9802_2_0041B980
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041B2702_2_0041B270
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041CB002_2_0041CB00
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040E4902_2_0040E490
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041A4B02_2_0041A4B0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00417D692_2_00417D69
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041ADD02_2_0041ADD0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0043FDA42_2_0043FDA4
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_004175AF2_2_004175AF
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041765B2_2_0041765B
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0041B6F02_2_0041B6F0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00419FC02_2_00419FC0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100150302_2_10015030
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100110302_2_10011030
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100128D02_2_100128D0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100139302_2_10013930
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100132202_2_10013220
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_1000FA6E2_2_1000FA6E
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10014AB02_2_10014AB0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_1000F3602_2_1000F360
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100064402_2_10006440
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100124602_2_10012460
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_1000FD192_2_1000FD19
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10012D802_2_10012D80
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_100136A02_2_100136A0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10011F702_2_10011F70
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00F960E02_2_00F960E0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00FAD0872_2_00FAD087
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00F9907F2_2_00F9907F
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00FB06B92_2_00FB06B9
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00FBF62B2_2_00FBF62B
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00FAB9142_2_00FAB914
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_00FB0D582_2_00FB0D58
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0114E1422_2_0114E142
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0115F5052_2_0115F505
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_01162D102_2_01162D10
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0116DC302_2_0116DC30
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0122A13B2_2_0122A13B
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0119413C2_2_0119413C
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011E71282_2_011E7128
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012131722_2_01213172
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121F17A2_2_0121F17A
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0122117E2_2_0122117E
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121719C2_2_0121719C
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121E0B02_2_0121E0B0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012160B92_2_012160B9
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0120E09C2_2_0120E09C
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011F90E82_2_011F90E8
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121F3B62_2_0121F3B6
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012033F02_2_012033F0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0117A2902_2_0117A290
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012002BD2_2_012002BD
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0117C2C02_2_0117C2C0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012102FD2_2_012102FD
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121F5612_2_0121F561
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012165412_2_01216541
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011FC5802_2_011FC580
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012285932_2_01228593
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121E40F2_2_0121E40F
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0120D4C62_2_0120D4C6
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0115B7902_2_0115B790
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121E7802_2_0121E780
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011CC7D02_2_011CC7D0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011A46002_2_011A4600
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0121069C2_2_0121069C
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0117A9202_2_0117A920
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_012299762_2_01229976
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011619702_2_01161970
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_011649602_2_01164960
                    Source: C:\ProgramData\javaw.exeCode function: String function: 00F83A1B appears 50 times
                    Source: C:\ProgramData\javaw.exeCode function: String function: 011A6E24 appears 31 times
                    Source: C:\ProgramData\javaw.exeCode function: String function: 00442F72 appears 41 times
                    Source: C:\Users\user\Desktop\file.exeCode function: String function: 022EC1B3 appears 50 times
                    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00442F72 appears 40 times
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712
                    Source: file.exe, 00000000.00000002.2174306563.00000000025BA000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs file.exe
                    Source: file.exe, 00000000.00000002.2165801588.0000000002348000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs file.exe
                    Source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs file.exe
                    Source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiphlpapi.dllj% vs file.exe
                    Source: file.exe, 00000000.00000003.1768894308.00000000021EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs file.exe
                    Source: file.exe, 00000000.00000002.2186795336.0000000002B53000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs file.exe
                    Source: file.exe, 00000000.00000003.1787686318.0000000002823000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamejava.exeN vs file.exe
                    Source: file.exe, 00000000.00000002.2179987936.0000000002A5B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs file.exe
                    Source: file.exe, 00000000.00000002.2147210790.000000000087F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejavaU vs file.exe
                    Source: file.exe, 00000000.00000000.1670643159.00000000004FD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejava.exeN vs file.exe
                    Source: file.exe, 00000000.00000003.1768894308.000000000227E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs file.exe
                    Source: file.exe, 00000000.00000002.2165801588.0000000002398000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs file.exe
                    Source: file.exe, 00000000.00000003.1756248227.00000000023FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
                    Source: file.exe, 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs file.exe
                    Source: file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs file.exe
                    Source: file.exe, 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejava.exeN vs file.exe
                    Source: file.exe | Binary or memory string: OriginalFilenamejava.exeN vs file.exe
                    Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Zegost author = ditekSHen, description = Detects Zegost
                    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: javaw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/9@1/1
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E0D8 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_0040E0D8
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D1F0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040D1F0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10006088 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_10006088
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_100051A0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_100051A0
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040E0D8 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,2_2_0040E0D8
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_0040D1F0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_0040D1F0
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_10006088 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,2_2_10006088
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_100051A0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_100051A0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AED0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,0_2_0040AED0
                    Source: C:\Users\user\Desktop\file.exe | Code function: GetModuleFileNameA,sprintf,strncmp,CopyFileA,SetFileAttributesA,Sleep,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,0_2_00414B40
                    Source: C:\Users\user\Desktop\file.exe | Code function: Sleep,GetModuleFileNameA,sprintf,strncmp,CopyFileA,SetFileAttributesA,Sleep,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,0_2_1000CAF0
                    Source: C:\ProgramData\javaw.exe | Code function: GetModuleFileNameA,sprintf,strncmp,CopyFileA,SetFileAttributesA,Sleep,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,2_2_00414B40
                    Source: C:\ProgramData\javaw.exe | Code function: Sleep,GetModuleFileNameA,sprintf,strncmp,CopyFileA,SetFileAttributesA,Sleep,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,2_2_1000CAF0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004162B0 CreateToolhelp32Snapshot,??2@YAPAXI@Z,Process32First,_strcmpi,??3@YAXPAX@Z,Process32Next,lstrcmpiA,Process32Next,CloseHandle,??3@YAXPAX@Z,0_2_004162B0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413010 CoInitialize,CoCreateInstance,CoUninitialize,0_2_00413010
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004148A0 GetModuleHandleA,GetModuleFileNameA,StartServiceCtrlDispatcherA,sprintf,exit,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,0_2_004148A0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004148A0 GetModuleHandleA,GetModuleFileNameA,StartServiceCtrlDispatcherA,sprintf,exit,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,0_2_004148A0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_1000C850 wsprintfA,GetModuleHandleA,GetModuleFileNameA,Sleep,StartServiceCtrlDispatcherA,Sleep,Sleep,sprintf,exit,Sleep,Sleep,SHGetSpecialFolderPathA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,Sleep,wsprintfA,DefineDosDeviceA,Sleep,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,Sleep,Sleep,Sleep,0_2_1000C850
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_004148A0 GetModuleHandleA,GetModuleFileNameA,StartServiceCtrlDispatcherA,sprintf,exit,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,2_2_004148A0
                    Source: C:\ProgramData\javaw.exe | Code function: 2_2_1000C850 wsprintfA,GetModuleHandleA,GetModuleFileNameA,Sleep,StartServiceCtrlDispatcherA,Sleep,Sleep,sprintf,exit,Sleep,Sleep,SHGetSpecialFolderPathA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,Sleep,wsprintfA,DefineDosDeviceA,Sleep,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,Sleep,Sleep,Sleep,2_2_1000C850
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7712
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:8072:64:WilError_03
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\78719b4c-bcf5-460d-80bb-7f5d7fb0bce7
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: file.exe | ReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: unknown | Process created: C:\ProgramData\javaw.exe C:\ProgramData\javaw.exe
                    Source: C:\ProgramData\javaw.exe | Process created: C:\ProgramData\javaw.exe C:\ProgramData\javaw.exe Win7
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                    Source: C:\ProgramData\javaw.exe | Process created: C:\ProgramData\javaw.exe C:\ProgramData\javaw.exe Win7
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712
                    Source: C:\ProgramData\javaw.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 568
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                    Source: C:\ProgramData\javaw.exe | Process created: C:\ProgramData\javaw.exe C:\ProgramData\javaw.exe Win7
                    Source: C:\ProgramData\javaw.exe | Process created: C:\ProgramData\javaw.exe C:\ProgramData\javaw.exe Win7
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 568
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mfc42.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp60.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iphlpapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: mfc42.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvcp60.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: winmm.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: urlmon.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iertutil.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: srvcli.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: netutils.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: wininet.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: userenv.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: profapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: sspicli.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: userenv.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: profapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iphlpapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: mfc42.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvcp60.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: winmm.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: urlmon.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iertutil.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: srvcli.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: netutils.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: wininet.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: mswsock.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: napinsp.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: pnrpnsp.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: wshbth.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: nlaapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: dnsapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: winrnr.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: fwpuclnt.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: rasadhlp.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: kernel.appcore.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: uxtheme.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: devenum.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: ntmarta.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: devobj.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msasn1.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msdmo.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: avicap32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvfw32.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iphlpapi.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: mfc42.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: msvcp60.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: winmm.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: urlmon.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: iertutil.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: srvcli.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: netutils.dll
                    Source: C:\ProgramData\javaw.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: Binary string: iphlpapi.pdbUGP source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.000000000133D000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.00000000026AD000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdb source: file.exe, 00000000.00000002.2165801588.0000000002348000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768894308.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244437631.0000000000FDF000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1952143656.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2190607026.000000000231A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359241247.000000000235E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2198617482.00000000021FF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: iphlpapi.pdb source: file.exe, 00000000.00000002.2179866462.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.000000000133D000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.00000000026AD000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: advapi32.pdbUGP source: file.exe, 00000000.00000002.2179866462.0000000002640000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.0000000002640000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: file.exe, 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000003.1756248227.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1937623553.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244667746.0000000001120000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2174087603.000000000247A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2179702027.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359403442.0000000002496000.00000040.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000000.00000003.1756248227.00000000022D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, javaw.exe, 00000002.00000003.1937623553.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244667746.0000000001120000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2174087603.000000000247A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2179702027.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359403442.0000000002496000.00000040.00000020.00020000.00000000.sdmp
                    Source: Binary string: wuser32.pdb source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1961116443.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2199732002.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359805485.0000000002AAE000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2207798149.0000000002642000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: file.exe, 00000000.00000002.2165801588.0000000002348000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768894308.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244437631.0000000000FDF000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1952143656.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2190607026.000000000231A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359241247.000000000235E000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2198617482.00000000021FF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: file.exe, 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: advapi32.pdb source: file.exe, 00000000.00000002.2179866462.0000000002640000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2244872774.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359552887.0000000002640000.00000040.00000800.00020000.00000000.sdmp
                    Source: Binary string: wuser32.pdbUGP source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1961116443.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.2199732002.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2359805485.0000000002AAE000.00000040.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000003.2207798149.0000000002642000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                    Source: C:\ProgramData\javaw.exe Unpacked PE file: 2.2.javaw.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                    Source: C:\ProgramData\javaw.exe Unpacked PE file: 7.2.javaw.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410030 LoadLibraryA,GetProcAddress,RtlDeleteCriticalSection,FreeLibrary, 0_2_00410030
                    Source: initial sample Static PE information: section where entry point is pointing to: .sedata
                    Source: file.exe Static PE information: section name: .sedata
                    Source: file.exe Static PE information: section name: .sedata
                    Source: javaw.exe.0.dr Static PE information: section name: .sedata
                    Source: javaw.exe.0.dr Static PE information: section name: .sedata
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407867 push ebx; ret 0_2_00407868
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F7026 push ecx; mov dword ptr [esp], ebp 0_2_004F702F
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004218CC push ebp; retf 0_2_00421A8C
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004080D7 push ebp; retf 0_2_004080D8
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004080DB push ebp; retf 0_2_004080DC
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F975 push dword ptr [esp+08h]; retn 000Ch 0_2_0044F9DB
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F102 push ecx; ret 0_2_0044F0AE
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408127 push ebp; retf 0_2_00408128
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F98B push dword ptr [esp+08h]; retn 000Ch 0_2_0044F9DB
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004201B4 push cs; iretd 0_2_0042028A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F221 push dword ptr [esp+08h]; retn 000Ch 0_2_0044F20F
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049FAE8 push ebx; ret 0_2_0049FAF4
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004202B6 push cs; iretd 0_2_0042028A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F5362 push eax; mov dword ptr [esp], ecx 0_2_004F547F
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F5378 push eax; mov dword ptr [esp], ecx 0_2_004F547F
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F3EE push dword ptr [esp+24h]; retn 0028h 0_2_0044F3FB
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401BB0 push eax; ret 0_2_00401BCE
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F53B0 push eax; mov dword ptr [esp], ecx 0_2_004F547F
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00420466 push ebx; ret 0_2_00420467
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F414 push dword ptr [esp+1Ch]; retn 0020h 0_2_0044F446
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F4C15 push ebp; mov dword ptr [esp], esp 0_2_004F4C39
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F4F8 push dword ptr [esp+08h]; retn 000Ch 0_2_0044F4FF
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00466544 push dword ptr [esp+1Ch]; retn 0020h 0_2_004665BA
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00466565 push dword ptr [esp+1Ch]; retn 0020h 0_2_004665BA
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00466575 push dword ptr [esp+1Ch]; retn 0020h 0_2_004665BA
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B85CC push dword ptr [esp+10h]; retn 0014h 0_2_004B864A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F586 pushfd ; mov dword ptr [esp], edx 0_2_0044F7B0
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B8586 push dword ptr [esp+10h]; retn 0014h 0_2_004B864A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B85A8 push dword ptr [esp+10h]; retn 0014h 0_2_004B864A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004B85A3 push dword ptr [esp+10h]; retn 0014h 0_2_004B864A
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A5656 push dword ptr [esp+10h]; retn 0014h 0_2_004A565A
                    Source: file.exe Static PE information: section name: .text entropy: 7.91448099637405
                    Source: file.exe Static PE information: section name: .sedata entropy: 7.810988873579679
                    Source: javaw.exe.0.dr Static PE information: section name: .text entropy: 7.91448099637405
                    Source: javaw.exe.0.dr Static PE information: section name: .sedata entropy: 7.810988873579679

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\file.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_100051A0
                    Source: C:\ProgramData\javaw.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 2_2_100051A0
                    Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\javaw.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_100051A0
                    Source: C:\ProgramData\javaw.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 2_2_100051A0
                    Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{745657c6-d5d6-21d9-7c87-5528206df89a}\Root\InventoryApplicationFile\javaw.exe|4b9360abcb446ec8 LowerCaseLongPath c:\programdata\javaw.exe
                    Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{745657c6-d5d6-21d9-7c87-5528206df89a}\Root\InventoryApplicationFile\javaw.exe|4b9360abcb446ec8 LongPathHash javaw.exe|4b9360abcb446ec8
                    Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{745657c6-d5d6-21d9-7c87-5528206df89a}\Root\InventoryApplicationFile\javaw.exe|4b9360abcb446ec8 Name javaw.exe
                    Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
                    Source: C:\ProgramData\javaw.exe Window searched: window name: Regmonclass
                    Source: C:\ProgramData\javaw.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\Desktop\file.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Java(TM) Platform Sa 8
                    Source: C:\Users\user\Desktop\file.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Java(TM) Platform Sa 8
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004148A0 GetModuleHandleA,GetModuleFileNameA,StartServiceCtrlDispatcherA,sprintf,exit,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA, 0_2_004148A0

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                    Source: C:\Users\user\Desktop\file.exe Process created: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100050C0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_100050C0
                    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\javaw.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F30D 0_2_0044F30D
                    Source: C:\ProgramData\javaw.exe Code function: 2_2_0044F30D 2_2_0044F30D
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10009B90 0_2_10009B90
                    Source: C:\ProgramData\javaw.exe Code function: 2_2_10009B90 2_2_10009B90
                    Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: 468C53
                    Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: 45DD44
                    Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: 4647BF
                    Source: C:\ProgramData\javaw.exe API/Special instruction interceptor: Address: 468C53
                    Source: C:\ProgramData\javaw.exe API/Special instruction interceptor: Address: 45DD44
                    Source: C:\ProgramData\javaw.exe API/Special instruction interceptor: Address: 4647BF
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FAE3F second address: 4FAE0D instructions: 0x00000000 rdtsc 0x00000002 mov cl, E4h 0x00000004 mov cl, ah 0x00000006 jmp 00007FBD04BA4796h 0x00000008 bswap eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FAE0D second address: 4FAE47 instructions: 0x00000000 rdtsc 0x00000002 mov edx, dword ptr [esp] 0x00000005 mov edi, edx 0x00000007 mov cx, D400h 0x0000000b lea ebp, dword ptr [esp+edx] 0x0000000e jmp 00007FBD04820EEAh 0x00000010 mov ebx, edx 0x00000012 lea esi, dword ptr [00000000h+ebp*4] 0x00000019 xchg cx, bp 0x0000001c mov bl, byte ptr [esp] 0x0000001f jmp 00007FBD04820F29h 0x00000021 mov edi, dword ptr [esp] 0x00000024 mov ecx, C7CA738Bh 0x00000029 mov ah, F9h 0x0000002b mov bp, word ptr [esp] 0x0000002f xchg cl, al 0x00000031 xchg ecx, edx 0x00000033 jmp 00007FBD04820F98h 0x00000038 xchg bx, cx 0x0000003b lea edx, dword ptr [B38AD51Bh] 0x00000041 mov esi, EE51B137h 0x00000046 mov ecx, dword ptr [esp] 0x00000049 lea eax, dword ptr [esp+ebp] 0x0000004c mov dh, bl 0x0000004e jmp 00007FBD04820EB6h 0x00000050 mov ecx, dword ptr [esp] 0x00000053 mov dh, byte ptr [esp] 0x00000056 xchg di, dx 0x00000059 not bl 0x0000005b xchg edx, ebp 0x0000005d lea ebx, dword ptr [eax+ebp] 0x00000060 jmp 00007FBD04820ED4h 0x00000062 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FAE47 second address: 4FAE49 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44F5A7 second address: 44F43C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04820E93h 0x00000004 xchg ax, bx 0x00000006 call 00007FBD04820EB2h 0x0000000b mov dh, cl 0x0000000d sub esp, 14h 0x00000010 mov edx, dword ptr [esp+0Fh] 0x00000014 xchg dword ptr [esp+05h], edx 0x00000018 jmp 00007FBD04820E8Fh 0x0000001d xchg dword ptr [esp+14h], edx 0x00000021 shl ebx, 06h 0x00000024 mov ax, si 0x00000027 mov ebx, 17CE373Dh 0x0000002c sub esp, 05h 0x0000002f call 00007FBD04820EB6h 0x00000034 lea esp, dword ptr [esp+01h] 0x00000038 jmp 00007FBD04820EF6h 0x0000003a lea edx, dword ptr [edx+000000D3h] 0x00000040 stc 0x00000041 mov eax, edi 0x00000043 mov al, C7h 0x00000045 bswap ebx 0x00000047 jmp 00007FBD04820F35h 0x00000049 mov eax, 02C65B77h 0x0000004e xchg dword ptr [esp+1Ch], edx 0x00000052 xchg bx, dx 0x00000055 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44F43C second address: 44F5C1 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [esp+0Bh] 0x00000006 push dword ptr [esp+1Ch] 0x0000000a retn 0020h 0x0000000d mov dx, word ptr [esp] 0x00000011 jmp 00007FBD04BA45E0h 0x00000016 mov edx, 8724C233h 0x0000001b sub esp, 1Ah 0x0000001e jno 00007FBD04BA4837h 0x00000020 mov edx, ecx 0x00000022 mov dx, word ptr [esp] 0x00000026 lea esp, dword ptr [esp+02h] 0x0000002a lea esp, dword ptr [esp+18h] 0x0000002e neg ebp 0x00000030 mov bx, ax 0x00000033 mov dh, 56h 0x00000035 jmp 00007FBD04BA487Bh 0x0000003a sub esp, 10h 0x0000003d jnc 00007FBD04BA47B7h 0x0000003f bswap edx 0x00000041 lea esp, dword ptr [esp+07h] 0x00000045 jmp 00007FBD04BA4807h 0x00000047 pop eax 0x00000048 call 00007FBD04BA47E5h 0x0000004d lea esp, dword ptr [esp+01h] 0x00000051 lea esp, dword ptr [esp+08h] 0x00000055 xor ebp, 19DD69F3h 0x0000005b jmp 00007FBD04BA4793h 0x0000005d neg ax 0x00000060 jl 00007FBD04BA4837h 0x00000062 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44F5C1 second address: 44F6CE instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 4A18971Dh 0x00000007 jmp 00007FBD04820EF3h 0x00000009 xchg bx, ax 0x0000000c xor ah, ah 0x0000000e shr dh, 00000006h 0x00000011 jmp 00007FBD04820F27h 0x00000013 ror ebp, 00000000h 0x00000016 mov bx, 258Eh 0x0000001a or ebx, ebx 0x0000001c jc 00007FBD04821026h 0x00000022 jnc 00007FBD04820F9Bh 0x00000028 not bx 0x0000002b lea ebx, dword ptr [00000000h+esi*4] 0x00000032 inc bl 0x00000034 jmp 00007FBD04820F95h 0x00000039 jmp 00007FBD04820E40h 0x0000003e xor ebp, 4F446086h 0x00000044 shr ebx, cl 0x00000046 jbe 00007FBD04820EF2h 0x00000048 mov dl, byte ptr [esp] 0x0000004b jmp 00007FBD04820F16h 0x0000004d bswap eax 0x0000004f mov bh, byte ptr [esp] 0x00000052 mov bx, bp 0x00000055 jmp 00007FBD04820F16h 0x00000057 bts ebx, edi 0x0000005a call 00007FBD04820F52h 0x0000005f sub esp, 0Dh 0x00000062 not ebx 0x00000064 mov bx, word ptr [esp+08h] 0x00000069 lea esp, dword ptr [esp+01h] 0x0000006d xchg dword ptr [esp+0Ch], ebp 0x00000071 jmp 00007FBD04820EE8h 0x00000073 lea eax, dword ptr [00000000h+ecx*4] 0x0000007a setnl ah 0x0000007d call 00007FBD04820F30h 0x00000082 call 00007FBD04820F3Ch 0x00000087 lea ebp, dword ptr [ebp+67h] 0x0000008a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44F6CE second address: 44F8A9 instructions: 0x00000000 rdtsc 0x00000002 not dh 0x00000004 lea ebx, dword ptr [ecx+esi] 0x00000007 jmp 00007FBD04BA49A0h 0x0000000c xchg dword ptr [esp+14h], ebp 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45D953 second address: 45D994 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 call 00007FBD04820F4Eh 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 468C67 second address: 468C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04BA47B2h 0x00000004 setl dl 0x00000007 push bx 0x00000009 xchg byte ptr [esp], ah 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46227E second address: 4622CE instructions: 0x00000000 rdtsc 0x00000002 call 00007FBD04820EEBh 0x00000007 mov bl, 14h 0x00000009 stc 0x0000000a mov dh, bh 0x0000000c mov ax, word ptr [esp] 0x00000010 xchg dword ptr [esp], edx 0x00000013 jmp 00007FBD04820F45h 0x00000015 mov bh, byte ptr [esp] 0x00000018 mov bx, 3147h 0x0000001c mov ebx, DE4C7237h 0x00000021 mov ebx, dword ptr [esp] 0x00000024 lea edx, dword ptr [edx-0000004Dh] 0x0000002a bsr eax, esp 0x0000002d jmp 00007FBD04820EE2h 0x0000002f setne ah 0x00000032 inc bx 0x00000034 xchg dword ptr [esp], edx 0x00000037 bt edx, edi 0x0000003a mov dl, byte ptr [esp] 0x0000003d xchg al, ah 0x0000003f jmp 00007FBD04820F5Eh 0x00000041 mov ah, DEh 0x00000043 push dword ptr [esp] 0x00000046 retn 0004h 0x00000049 push ecx 0x0000004a shl al, cl 0x0000004c jno 00007FBD04820FA3h 0x00000052 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45DCF2 second address: 45DD44 instructions: 0x00000000 rdtsc 0x00000002 xchg ax, dx 0x00000004 push esi 0x00000005 shr si, cl 0x00000008 jne 00007FBD04BA47B1h 0x0000000a jmp 00007FBD04BA4811h 0x0000000c neg dh 0x0000000e sub esp, 09h 0x00000011 mov word ptr [esp], bp 0x00000015 call 00007FBD04BA47ECh 0x0000001a not bx 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 45DD44 second address: 45DFA9 instructions: 0x00000000 rdtsc 0x00000002 mov si, ax 0x00000005 mov ax, sp 0x00000008 xchg dword ptr [esp], ebx 0x0000000b jmp 00007FBD04820EECh 0x0000000d lea edx, dword ptr [eax+ebx] 0x00000010 mov dl, BAh 0x00000012 btc dx, bx 0x00000016 lea ebx, dword ptr [ebx+5Bh] 0x00000019 jmp 00007FBD04820F40h 0x0000001b mov si, F9BFh 0x0000001f lea esi, dword ptr [edi+72703053h] 0x00000025 mov dl, F5h 0x00000027 bsf ax, bx 0x0000002b xchg dword ptr [esp], ebx 0x0000002e mov al, ah 0x00000030 jmp 00007FBD04820EE5h 0x00000032 pushfd 0x00000033 mov eax, dword ptr [esp] 0x00000036 sub esp, 12h 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d push dword ptr [esp+14h] 0x00000041 retn 0018h 0x00000044 lea esp, dword ptr [esp+01h] 0x00000048 jmp 00007FBD04820F22h 0x0000004a bsr ebx, edx 0x0000004d jnp 00007FBD0482110Eh 0x00000053 mov eax, 7A7AB50Dh 0x00000058 lea edx, dword ptr [00000000h+ebp*4] 0x0000005f push ecx 0x00000060 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4626B2 second address: 4626B4 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4614E1 second address: 44F5A7 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [ebx-000028E1h] 0x00000008 clc 0x00000009 jne 00007FBD04820EF1h 0x0000000b pop edi 0x0000000c jmp 00007FBD04820F32h 0x0000000e mov al, dl 0x00000010 sub esp, 17h 0x00000013 jmp 00007FBD04821002h 0x00000018 jp 00007FBD04820E24h 0x0000001e mov dx, 612Dh 0x00000022 xchg ah, bh 0x00000024 jmp 00007FBD04820E78h 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d jmp 00007FBD04820EE6h 0x0000002f add esp, 1Ch 0x00000032 jno 00007FBD04820EF7h 0x00000034 pop ebp 0x00000035 inc bh 0x00000037 jmp 00007FBD04820F7Eh 0x00000039 jne 00007FBD04820EBCh 0x0000003b shr al, 00000005h 0x0000003e bts edx, edx 0x00000041 jmp 00007FBD04820F45h 0x00000043 pop esi 0x00000044 jmp 00007FBD0480ED6Ah 0x00000049 mov ecx, ebp 0x0000004b bt ebx, edi 0x0000004e je 00007FBD04821135h 0x00000054 pushad 0x00000055 jmp 00007FBD048210D4h 0x0000005a add esp, 0Ah 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4643D2 second address: 464417 instructions: 0x00000000 rdtsc 0x00000002 mov dh, bl 0x00000004 mov dx, 8786h 0x00000008 shr eax, 00000000h 0x0000000b xchg dx, ax 0x0000000e jmp 00007FBD04BA47ACh 0x00000010 xchg dword ptr [esp], ebp 0x00000013 cmc 0x00000014 bsr dx, sp 0x00000018 not ah 0x0000001a bswap eax 0x0000001c bswap eax 0x0000001e jmp 00007FBD04BA4A4Ah 0x00000023 lea ebp, dword ptr [ebp-00000021h] 0x00000029 bswap edx 0x0000002b sete al 0x0000002e stc 0x0000002f mov dx, word ptr [esp] 0x00000033 xchg dword ptr [esp], ebp 0x00000036 jmp 00007FBD04BA467Eh 0x0000003b sbb eax, edx 0x0000003d mov edx, 2D87C49Bh 0x00000042 neg ax 0x00000045 bsf eax, ebp 0x00000048 sbb eax, 377E77FDh 0x0000004d push dword ptr [esp] 0x00000050 retn 0004h 0x00000053 mov al, ah 0x00000055 jmp 00007FBD04BA485Ch 0x0000005a mov dx, 1D8Dh 0x0000005e xchg dx, ax 0x00000061 xor dl, 00000062h 0x00000064 jnbe 00007FBD04BA47AAh 0x00000066 xchg ah, dh 0x00000068 jmp 00007FBD04BA47B8h 0x0000006a bsr dx, bx 0x0000006e lea eax, dword ptr [esp-3Bh] 0x00000072 mov ah, byte ptr [esp] 0x00000075 jmp 00007FBD04BA47DFh 0x00000077 lea edx, dword ptr [00000000h+esi*4] 0x0000007e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464417 second address: 4644C0 instructions: 0x00000000 rdtsc 0x00000002 rcr ah, 00000007h 0x00000005 jg 00007FBD04820FB4h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464765 second address: 4647BF instructions: 0x00000000 rdtsc 0x00000002 mov ax, 49FAh 0x00000006 mov dh, bh 0x00000008 jmp 00007FBD04BA47FBh 0x0000000a mov al, 24h 0x0000000c xchg dx, ax 0x0000000f lea eax, dword ptr [esi-43A12DA5h] 0x00000015 rol bl, 00000000h 0x00000018 bsf ax, bx 0x0000001c jmp 00007FBD04BA47FBh 0x0000001e jnp 00007FBD04BA477Dh 0x00000020 stc 0x00000021 sub esp, 1Eh 0x00000024 jmp 00007FBD04BA47B4h 0x00000026 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468CEE second address: 468C53 instructions: 0x00000000 rdtsc 0x00000002 setl dl 0x00000005 push bx 0x00000007 jmp 00007FBD04820E6Bh 0x0000000c xchg byte ptr [esp], ah 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46421C second address: 451FCF instructions: 0x00000000 rdtsc 0x00000002 rcl bl, 00000004h 0x00000005 jns 00007FBD04BA48D2h 0x0000000b shl ebx, cl 0x0000000d jmp 00007FBD04BA48B3h 0x00000012 neg bx 0x00000015 dec ax 0x00000017 jmp 00007FBD04BA47E9h 0x00000019 call 00007FBD04BA4896h 0x0000001e neg al 0x00000020 jp 00007FBD04BA4776h 0x00000022 jmp 00007FBD04BA47A3h 0x00000024 add esp, 04h 0x00000027 jnle 00007FBD04BA47A7h 0x00000029 pop ecx 0x0000002a jmp 00007FBD04B92453h 0x0000002f mov ecx, edi 0x00000031 xchg al, bl 0x00000033 xchg ah, dh 0x00000035 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4624DF second address: 4623B0 instructions: 0x00000000 rdtsc 0x00000002 setl bh 0x00000005 xor eax, eax 0x00000007 btr edx, ebx 0x0000000a jmp 00007FBD04820E0Bh 0x0000000f xchg dword ptr [esp], ebp 0x00000012 xchg dx, bx 0x00000015 sub bh, bl 0x00000017 clc 0x00000018 mov bh, 48h 0x0000001a xchg ebx, edx 0x0000001c jmp 00007FBD04820ED9h 0x0000001e lea ebp, dword ptr [ebp+00000197h] 0x00000024 bsf eax, edi 0x00000027 sub esp, 11h 0x0000002a and edx, ebp 0x0000002c xchg byte ptr [esp+0Ch], dl 0x00000030 sub esp, 0Eh 0x00000033 jmp 00007FBD04820EE5h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 xchg dword ptr [esp+1Ch], ebp 0x0000003d mov bx, ax 0x00000040 cmc 0x00000041 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4623B0 second address: 462465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04BA4848h 0x00000004 rcr eax, 08h 0x00000007 push dword ptr [esp+1Ch] 0x0000000b retn 0020h 0x0000000e push ebp 0x0000000f mov bl, cl 0x00000011 bsf bp, ax 0x00000015 jns 00007FBD04BA46B3h 0x0000001b call 00007FBD04BA4841h 0x00000020 pushad 0x00000021 not dh 0x00000023 not bl 0x00000025 bsf edx, ebp 0x00000028 xchg dword ptr [esp+20h], ebx 0x0000002c jmp 00007FBD04BA4794h 0x0000002e btc ebp, edx 0x00000031 mov eax, ecx 0x00000033 shl eax, cl 0x00000035 mov edx, dword ptr [esp] 0x00000038 xchg eax, ebp 0x00000039 lea ebx, dword ptr [ebx-0000001Bh] 0x0000003f jmp 00007FBD04BA47A9h 0x00000041 xchg ah, al 0x00000043 mov dl, 36h 0x00000045 xchg dl, dh 0x00000047 push bx 0x00000049 xchg bp, dx 0x0000004c lea esp, dword ptr [esp+02h] 0x00000050 jmp 00007FBD04BA47EAh 0x00000052 xchg dword ptr [esp+20h], ebx 0x00000056 mov bh, byte ptr [esp] 0x00000059 clc 0x0000005a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46E126 second address: 46E198 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edx-54A5BC8Bh] 0x00000008 jmp 00007FBD04820F21h 0x0000000a mov ax, word ptr [esp] 0x0000000e inc dh 0x00000010 jle 00007FBD04820F61h 0x00000012 jnle 00007FBD04820F5Fh 0x00000014 sub bl, cl 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46E50D second address: 46E55D instructions: 0x00000000 rdtsc 0x00000002 xchg dl, dh 0x00000004 jmp 00007FBD04BA4815h 0x00000006 ror bl, 00000000h 0x00000009 neg eax 0x0000000b jnle 00007FBD04BA4788h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6936 second address: 4C6938 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2CDA second address: 4A2CDF instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44F55C second address: 44F6CE instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 4A18971Dh 0x00000007 xchg bx, ax 0x0000000a xor ah, ah 0x0000000c jmp 00007FBD04820F88h 0x0000000e shr dh, 00000006h 0x00000011 jmp 00007FBD04820EF7h 0x00000013 ror ebp, 00000000h 0x00000016 mov bx, 258Eh 0x0000001a or ebx, ebx 0x0000001c jc 00007FBD04821026h 0x00000022 jnc 00007FBD04820F9Bh 0x00000028 not bx 0x0000002b lea ebx, dword ptr [00000000h+esi*4] 0x00000032 inc bl 0x00000034 jmp 00007FBD04820F95h 0x00000039 jmp 00007FBD04820E40h 0x0000003e xor ebp, 4F446086h 0x00000044 shr ebx, cl 0x00000046 jbe 00007FBD04820EF2h 0x00000048 mov dl, byte ptr [esp] 0x0000004b jmp 00007FBD04820F16h 0x0000004d bswap eax 0x0000004f mov bh, byte ptr [esp] 0x00000052 mov bx, bp 0x00000055 jmp 00007FBD04820F16h 0x00000057 bts ebx, edi 0x0000005a call 00007FBD04820F52h 0x0000005f sub esp, 0Dh 0x00000062 not ebx 0x00000064 mov bx, word ptr [esp+08h] 0x00000069 lea esp, dword ptr [esp+01h] 0x0000006d xchg dword ptr [esp+0Ch], ebp 0x00000071 jmp 00007FBD04820EE8h 0x00000073 lea eax, dword ptr [00000000h+ecx*4] 0x0000007a setnl ah 0x0000007d call 00007FBD04820F30h 0x00000082 call 00007FBD04820F3Ch 0x00000087 lea ebp, dword ptr [ebp+67h] 0x0000008a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49872B second address: 49872D instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49872D second address: 4987EF instructions: 0x00000000 rdtsc 0x00000002 not dl 0x00000004 not bl 0x00000006 jmp 00007FBD04820EC8h 0x00000008 xchg dword ptr [esp], edx 0x0000000b mov bx, word ptr [esp] 0x0000000f xchg ah, bh 0x00000011 lea edx, dword ptr [edx-00000118h] 0x00000017 bsr eax, eax 0x0000001a lea eax, dword ptr [00000000h+ebx*4] 0x00000021 jmp 00007FBD04820EE1h 0x00000023 inc bh 0x00000025 mov al, bl 0x00000027 xchg dword ptr [esp], edx 0x0000002a bsf eax, eax 0x0000002d setp al 0x00000030 rcr al, 00000002h 0x00000033 jmp 00007FBD04820F31h 0x00000035 neg dx 0x00000038 push dword ptr [esp] 0x0000003b retn 0004h 0x0000003e sub esi, 02h 0x00000041 mov dh, dl 0x00000043 mov ax, word ptr [esp] 0x00000047 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49788F second address: 49790A instructions: 0x00000000 rdtsc 0x00000002 mov bx, word ptr [esp] 0x00000006 jmp 00007FBD04BA4842h 0x00000008 mov ebx, dword ptr [edi] 0x0000000a push esi 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49790A second address: 4979E5 instructions: 0x00000000 rdtsc 0x00000002 mov dl, byte ptr [edi+04h] 0x00000005 jmp 00007FBD04820EC6h 0x00000007 bts eax, esi 0x0000000a jle 00007FBD04820EE8h 0x0000000c lea eax, dword ptr [CE4B721Bh] 0x00000012 lea eax, dword ptr [00000000h+ebp*4] 0x00000019 jmp 00007FBD04820F16h 0x0000001b sub edi, 02h 0x0000001e mov ah, bh 0x00000020 not al 0x00000022 mov al, byte ptr [esp] 0x00000025 cmc 0x00000026 jmp 00007FBD04820F16h 0x00000028 jne 00007FBD04820ED1h 0x0000002a xchg edx, ecx 0x0000002c mov ax, bx 0x0000002f mov ax, 0B8Eh 0x00000033 jmp 00007FBD04820F7Fh 0x00000035 rol ebx, cl 0x00000037 setnp ah 0x0000003a not al 0x0000003c mov ax, dx 0x0000003f jmp 00007FBD04820EF0h 0x00000041 xchg edx, ecx 0x00000043 lea eax, dword ptr [ebp-0000CD0Bh] 0x00000049 bswap eax 0x0000004b mov ax, word ptr [esp] 0x0000004f jmp 00007FBD04820FCDh 0x00000054 mov dword ptr [edi+04h], ebx 0x00000057 lea ebx, dword ptr [6C50EA05h] 0x0000005d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C124 second address: 49BFCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04BA4675h 0x00000007 xchg dword ptr [esp], edi 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C9DC second address: 49CA5F instructions: 0x00000000 rdtsc 0x00000002 setnl al 0x00000005 not dh 0x00000007 jmp 00007FBD04820EE3h 0x00000009 lea edx, dword ptr [edi+ebp] 0x0000000c dec ebp 0x0000000d mov ax, 64B7h 0x00000011 mov dx, 7257h 0x00000015 mov dh, byte ptr [esp] 0x00000018 jmp 00007FBD04820FA8h 0x0000001d mov eax, ebx 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 475F3F second address: 460A8B instructions: 0x00000000 rdtsc 0x00000002 call 00007FBD04BA47ECh 0x00000007 pop word ptr [esp] 0x0000000b push word ptr [esp] 0x0000000f js 00007FBD04BA47B1h 0x00000011 jns 00007FBD04BA47F0h 0x00000013 sub esi, 08h 0x00000016 cmc 0x00000017 jns 00007FBD04BA47AEh 0x00000019 sub esp, 0Fh 0x0000001c jmp 00007FBD04BA482Fh 0x0000001e lea esp, dword ptr [esp] 0x00000021 mov byte ptr [esp+06h], cl 0x00000025 lea esp, dword ptr [esp+03h] 0x00000029 jmp 00007FBD04BA4768h 0x0000002b mov dword ptr [esi], edx 0x0000002d lea edx, dword ptr [ebx+ebp] 0x00000030 bswap edx 0x00000032 jmp 00007FBD04BA4810h 0x00000034 xchg eax, ebx 0x00000035 clc 0x00000036 jnl 00007FBD04BA4807h 0x00000038 mov dx, bp 0x0000003b jmp 00007FBD04BA47B7h 0x0000003d xchg dh, dl 0x0000003f sete dl 0x00000042 jmp 00007FBD04BA47E6h 0x00000044 mov dword ptr [esi+04h], ebx 0x00000047 sub esp, 11h 0x0000004a jmp 00007FBD04BA4832h 0x0000004c jnle 00007FBD04BA4774h 0x0000004e mov edx, 5FBC1226h 0x00000053 mov edx, ebx 0x00000055 lea esp, dword ptr [esp+01h] 0x00000059 jmp 00007FBD04B8F22Ch 0x0000005e neg bx 0x00000061 jp 00007FBD04BA47B7h 0x00000063 mov eax, esp 0x00000065 jmp 00007FBD04BA47ECh 0x00000067 mov ah, 02h 0x00000069 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47A373 second address: 47A3B6 instructions: 0x00000000 rdtsc 0x00000002 mov ah, dl 0x00000004 xchg dword ptr [esp], eax 0x00000007 bswap edx 0x00000009 jmp 00007FBD04820F52h 0x0000000b bsr dx, dx 0x0000000f mov dx, word ptr [esp] 0x00000013 neg dx 0x00000016 lea eax, dword ptr [eax-000000C3h] 0x0000001c lea edx, dword ptr [00000000h+edx*4] 0x00000023 pushfd 0x00000024 jmp 00007FBD04820EE1h 0x00000026 lea edx, dword ptr [esi+2152D358h] 0x0000002c mov dl, byte ptr [esp+03h] 0x00000030 xchg dword ptr [esp+04h], eax 0x00000034 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4FAE3F second address: 4FAE0D instructions: 0x00000000 rdtsc 0x00000002 mov cl, E4h 0x00000004 mov cl, ah 0x00000006 jmp 00007FBD04BA4796h 0x00000008 bswap eax 0x0000000a rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4FAE0D second address: 4FAE47 instructions: 0x00000000 rdtsc 0x00000002 mov edx, dword ptr [esp] 0x00000005 mov edi, edx 0x00000007 mov cx, D400h 0x0000000b lea ebp, dword ptr [esp+edx] 0x0000000e jmp 00007FBD04820EEAh 0x00000010 mov ebx, edx 0x00000012 lea esi, dword ptr [00000000h+ebp*4] 0x00000019 xchg cx, bp 0x0000001c mov bl, byte ptr [esp] 0x0000001f jmp 00007FBD04820F29h 0x00000021 mov edi, dword ptr [esp] 0x00000024 mov ecx, C7CA738Bh 0x00000029 mov ah, F9h 0x0000002b mov bp, word ptr [esp] 0x0000002f xchg cl, al 0x00000031 xchg ecx, edx 0x00000033 jmp 00007FBD04820F98h 0x00000038 xchg bx, cx 0x0000003b lea edx, dword ptr [B38AD51Bh] 0x00000041 mov esi, EE51B137h 0x00000046 mov ecx, dword ptr [esp] 0x00000049 lea eax, dword ptr [esp+ebp] 0x0000004c mov dh, bl 0x0000004e jmp 00007FBD04820EB6h 0x00000050 mov ecx, dword ptr [esp] 0x00000053 mov dh, byte ptr [esp] 0x00000056 xchg di, dx 0x00000059 not bl 0x0000005b xchg edx, ebp 0x0000005d lea ebx, dword ptr [eax+ebp] 0x00000060 jmp 00007FBD04820ED4h 0x00000062 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4FAE47 second address: 4FAE49 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 44F5A7 second address: 44F43C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04820E93h 0x00000004 xchg ax, bx 0x00000006 call 00007FBD04820EB2h 0x0000000b mov dh, cl 0x0000000d sub esp, 14h 0x00000010 mov edx, dword ptr [esp+0Fh] 0x00000014 xchg dword ptr [esp+05h], edx 0x00000018 jmp 00007FBD04820E8Fh 0x0000001d xchg dword ptr [esp+14h], edx 0x00000021 shl ebx, 06h 0x00000024 mov ax, si 0x00000027 mov ebx, 17CE373Dh 0x0000002c sub esp, 05h 0x0000002f call 00007FBD04820EB6h 0x00000034 lea esp, dword ptr [esp+01h] 0x00000038 jmp 00007FBD04820EF6h 0x0000003a lea edx, dword ptr [edx+000000D3h] 0x00000040 stc 0x00000041 mov eax, edi 0x00000043 mov al, C7h 0x00000045 bswap ebx 0x00000047 jmp 00007FBD04820F35h 0x00000049 mov eax, 02C65B77h 0x0000004e xchg dword ptr [esp+1Ch], edx 0x00000052 xchg bx, dx 0x00000055 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 44F43C second address: 44F5C1 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [esp+0Bh] 0x00000006 push dword ptr [esp+1Ch] 0x0000000a retn 0020h 0x0000000d mov dx, word ptr [esp] 0x00000011 jmp 00007FBD04BA45E0h 0x00000016 mov edx, 8724C233h 0x0000001b sub esp, 1Ah 0x0000001e jno 00007FBD04BA4837h 0x00000020 mov edx, ecx 0x00000022 mov dx, word ptr [esp] 0x00000026 lea esp, dword ptr [esp+02h] 0x0000002a lea esp, dword ptr [esp+18h] 0x0000002e neg ebp 0x00000030 mov bx, ax 0x00000033 mov dh, 56h 0x00000035 jmp 00007FBD04BA487Bh 0x0000003a sub esp, 10h 0x0000003d jnc 00007FBD04BA47B7h 0x0000003f bswap edx 0x00000041 lea esp, dword ptr [esp+07h] 0x00000045 jmp 00007FBD04BA4807h 0x00000047 pop eax 0x00000048 call 00007FBD04BA47E5h 0x0000004d lea esp, dword ptr [esp+01h] 0x00000051 lea esp, dword ptr [esp+08h] 0x00000055 xor ebp, 19DD69F3h 0x0000005b jmp 00007FBD04BA4793h 0x0000005d neg ax 0x00000060 jl 00007FBD04BA4837h 0x00000062 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 44F5C1 second address: 44F6CE instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 4A18971Dh 0x00000007 jmp 00007FBD04820EF3h 0x00000009 xchg bx, ax 0x0000000c xor ah, ah 0x0000000e shr dh, 00000006h 0x00000011 jmp 00007FBD04820F27h 0x00000013 ror ebp, 00000000h 0x00000016 mov bx, 258Eh 0x0000001a or ebx, ebx 0x0000001c jc 00007FBD04821026h 0x00000022 jnc 00007FBD04820F9Bh 0x00000028 not bx 0x0000002b lea ebx, dword ptr [00000000h+esi*4] 0x00000032 inc bl 0x00000034 jmp 00007FBD04820F95h 0x00000039 jmp 00007FBD04820E40h 0x0000003e xor ebp, 4F446086h 0x00000044 shr ebx, cl 0x00000046 jbe 00007FBD04820EF2h 0x00000048 mov dl, byte ptr [esp] 0x0000004b jmp 00007FBD04820F16h 0x0000004d bswap eax 0x0000004f mov bh, byte ptr [esp] 0x00000052 mov bx, bp 0x00000055 jmp 00007FBD04820F16h 0x00000057 bts ebx, edi 0x0000005a call 00007FBD04820F52h 0x0000005f sub esp, 0Dh 0x00000062 not ebx 0x00000064 mov bx, word ptr [esp+08h] 0x00000069 lea esp, dword ptr [esp+01h] 0x0000006d xchg dword ptr [esp+0Ch], ebp 0x00000071 jmp 00007FBD04820EE8h 0x00000073 lea eax, dword ptr [00000000h+ecx*4] 0x0000007a setnl ah 0x0000007d call 00007FBD04820F30h 0x00000082 call 00007FBD04820F3Ch 0x00000087 lea ebp, dword ptr [ebp+67h] 0x0000008a rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 44F6CE second address: 44F8A9 instructions: 0x00000000 rdtsc 0x00000002 not dh 0x00000004 lea ebx, dword ptr [ecx+esi] 0x00000007 jmp 00007FBD04BA49A0h 0x0000000c xchg dword ptr [esp+14h], ebp 0x00000010 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 45D953 second address: 45D994 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 call 00007FBD04820F4Eh 0x00000008 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 468C67 second address: 468C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04BA47B2h 0x00000004 setl dl 0x00000007 push bx 0x00000009 xchg byte ptr [esp], ah 0x0000000c rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 46227E second address: 4622CE instructions: 0x00000000 rdtsc 0x00000002 call 00007FBD04820EEBh 0x00000007 mov bl, 14h 0x00000009 stc 0x0000000a mov dh, bh 0x0000000c mov ax, word ptr [esp] 0x00000010 xchg dword ptr [esp], edx 0x00000013 jmp 00007FBD04820F45h 0x00000015 mov bh, byte ptr [esp] 0x00000018 mov bx, 3147h 0x0000001c mov ebx, DE4C7237h 0x00000021 mov ebx, dword ptr [esp] 0x00000024 lea edx, dword ptr [edx-0000004Dh] 0x0000002a bsr eax, esp 0x0000002d jmp 00007FBD04820EE2h 0x0000002f setne ah 0x00000032 inc bx 0x00000034 xchg dword ptr [esp], edx 0x00000037 bt edx, edi 0x0000003a mov dl, byte ptr [esp] 0x0000003d xchg al, ah 0x0000003f jmp 00007FBD04820F5Eh 0x00000041 mov ah, DEh 0x00000043 push dword ptr [esp] 0x00000046 retn 0004h 0x00000049 push ecx 0x0000004a shl al, cl 0x0000004c jno 00007FBD04820FA3h 0x00000052 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 45DCF2 second address: 45DD44 instructions: 0x00000000 rdtsc 0x00000002 xchg ax, dx 0x00000004 push esi 0x00000005 shr si, cl 0x00000008 jne 00007FBD04BA47B1h 0x0000000a jmp 00007FBD04BA4811h 0x0000000c neg dh 0x0000000e sub esp, 09h 0x00000011 mov word ptr [esp], bp 0x00000015 call 00007FBD04BA47ECh 0x0000001a not bx 0x0000001d rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 45DD44 second address: 45DFA9 instructions: 0x00000000 rdtsc 0x00000002 mov si, ax 0x00000005 mov ax, sp 0x00000008 xchg dword ptr [esp], ebx 0x0000000b jmp 00007FBD04820EECh 0x0000000d lea edx, dword ptr [eax+ebx] 0x00000010 mov dl, BAh 0x00000012 btc dx, bx 0x00000016 lea ebx, dword ptr [ebx+5Bh] 0x00000019 jmp 00007FBD04820F40h 0x0000001b mov si, F9BFh 0x0000001f lea esi, dword ptr [edi+72703053h] 0x00000025 mov dl, F5h 0x00000027 bsf ax, bx 0x0000002b xchg dword ptr [esp], ebx 0x0000002e mov al, ah 0x00000030 jmp 00007FBD04820EE5h 0x00000032 pushfd 0x00000033 mov eax, dword ptr [esp] 0x00000036 sub esp, 12h 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d push dword ptr [esp+14h] 0x00000041 retn 0018h 0x00000044 lea esp, dword ptr [esp+01h] 0x00000048 jmp 00007FBD04820F22h 0x0000004a bsr ebx, edx 0x0000004d jnp 00007FBD0482110Eh 0x00000053 mov eax, 7A7AB50Dh 0x00000058 lea edx, dword ptr [00000000h+ebp*4] 0x0000005f push ecx 0x00000060 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4626B2 second address: 4626B4 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4614E1 second address: 44F5A7 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [ebx-000028E1h] 0x00000008 clc 0x00000009 jne 00007FBD04820EF1h 0x0000000b pop edi 0x0000000c jmp 00007FBD04820F32h 0x0000000e mov al, dl 0x00000010 sub esp, 17h 0x00000013 jmp 00007FBD04821002h 0x00000018 jp 00007FBD04820E24h 0x0000001e mov dx, 612Dh 0x00000022 xchg ah, bh 0x00000024 jmp 00007FBD04820E78h 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d jmp 00007FBD04820EE6h 0x0000002f add esp, 1Ch 0x00000032 jno 00007FBD04820EF7h 0x00000034 pop ebp 0x00000035 inc bh 0x00000037 jmp 00007FBD04820F7Eh 0x00000039 jne 00007FBD04820EBCh 0x0000003b shr al, 00000005h 0x0000003e bts edx, edx 0x00000041 jmp 00007FBD04820F45h 0x00000043 pop esi 0x00000044 jmp 00007FBD0480ED6Ah 0x00000049 mov ecx, ebp 0x0000004b bt ebx, edi 0x0000004e je 00007FBD04821135h 0x00000054 pushad 0x00000055 jmp 00007FBD048210D4h 0x0000005a add esp, 0Ah 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4643D2 second address: 464417 instructions: 0x00000000 rdtsc 0x00000002 mov dh, bl 0x00000004 mov dx, 8786h 0x00000008 shr eax, 00000000h 0x0000000b xchg dx, ax 0x0000000e jmp 00007FBD04BA47ACh 0x00000010 xchg dword ptr [esp], ebp 0x00000013 cmc 0x00000014 bsr dx, sp 0x00000018 not ah 0x0000001a bswap eax 0x0000001c bswap eax 0x0000001e jmp 00007FBD04BA4A4Ah 0x00000023 lea ebp, dword ptr [ebp-00000021h] 0x00000029 bswap edx 0x0000002b sete al 0x0000002e stc 0x0000002f mov dx, word ptr [esp] 0x00000033 xchg dword ptr [esp], ebp 0x00000036 jmp 00007FBD04BA467Eh 0x0000003b sbb eax, edx 0x0000003d mov edx, 2D87C49Bh 0x00000042 neg ax 0x00000045 bsf eax, ebp 0x00000048 sbb eax, 377E77FDh 0x0000004d push dword ptr [esp] 0x00000050 retn 0004h 0x00000053 mov al, ah 0x00000055 jmp 00007FBD04BA485Ch 0x0000005a mov dx, 1D8Dh 0x0000005e xchg dx, ax 0x00000061 xor dl, 00000062h 0x00000064 jnbe 00007FBD04BA47AAh 0x00000066 xchg ah, dh 0x00000068 jmp 00007FBD04BA47B8h 0x0000006a bsr dx, bx 0x0000006e lea eax, dword ptr [esp-3Bh] 0x00000072 mov ah, byte ptr [esp] 0x00000075 jmp 00007FBD04BA47DFh 0x00000077 lea edx, dword ptr [00000000h+esi*4] 0x0000007e rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 464417 second address: 4644C0 instructions: 0x00000000 rdtsc 0x00000002 rcr ah, 00000007h 0x00000005 jg 00007FBD04820FB4h 0x0000000b rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 464765 second address: 4647BF instructions: 0x00000000 rdtsc 0x00000002 mov ax, 49FAh 0x00000006 mov dh, bh 0x00000008 jmp 00007FBD04BA47FBh 0x0000000a mov al, 24h 0x0000000c xchg dx, ax 0x0000000f lea eax, dword ptr [esi-43A12DA5h] 0x00000015 rol bl, 00000000h 0x00000018 bsf ax, bx 0x0000001c jmp 00007FBD04BA47FBh 0x0000001e jnp 00007FBD04BA477Dh 0x00000020 stc 0x00000021 sub esp, 1Eh 0x00000024 jmp 00007FBD04BA47B4h 0x00000026 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 468CEE second address: 468C53 instructions: 0x00000000 rdtsc 0x00000002 setl dl 0x00000005 push bx 0x00000007 jmp 00007FBD04820E6Bh 0x0000000c xchg byte ptr [esp], ah 0x0000000f rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 46421C second address: 451FCF instructions: 0x00000000 rdtsc 0x00000002 rcl bl, 00000004h 0x00000005 jns 00007FBD04BA48D2h 0x0000000b shl ebx, cl 0x0000000d jmp 00007FBD04BA48B3h 0x00000012 neg bx 0x00000015 dec ax 0x00000017 jmp 00007FBD04BA47E9h 0x00000019 call 00007FBD04BA4896h 0x0000001e neg al 0x00000020 jp 00007FBD04BA4776h 0x00000022 jnp 00007FBD04BA4774h 0x00000024 jmp 00007FBD04BA47A3h 0x00000026 add esp, 04h 0x00000029 jnle 00007FBD04BA47A7h 0x0000002b pop ecx 0x0000002c jmp 00007FBD04B92453h 0x00000031 mov ecx, edi 0x00000033 xchg al, bl 0x00000035 xchg ah, dh 0x00000037 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4624DF second address: 4623B0 instructions: 0x00000000 rdtsc 0x00000002 setl bh 0x00000005 xor eax, eax 0x00000007 btr edx, ebx 0x0000000a jmp 00007FBD04820E0Bh 0x0000000f xchg dword ptr [esp], ebp 0x00000012 xchg dx, bx 0x00000015 sub bh, bl 0x00000017 clc 0x00000018 mov bh, 48h 0x0000001a xchg ebx, edx 0x0000001c jmp 00007FBD04820ED9h 0x0000001e lea ebp, dword ptr [ebp+00000197h] 0x00000024 bsf eax, edi 0x00000027 sub esp, 11h 0x0000002a and edx, ebp 0x0000002c xchg byte ptr [esp+0Ch], dl 0x00000030 sub esp, 0Eh 0x00000033 jmp 00007FBD04820EE5h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 xchg dword ptr [esp+1Ch], ebp 0x0000003d mov bx, ax 0x00000040 cmc 0x00000041 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4623B0 second address: 462465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD04BA4848h 0x00000004 rcr eax, 08h 0x00000007 push dword ptr [esp+1Ch] 0x0000000b retn 0020h 0x0000000e push ebp 0x0000000f mov bl, cl 0x00000011 bsf bp, ax 0x00000015 jns 00007FBD04BA46B3h 0x0000001b call 00007FBD04BA4841h 0x00000020 pushad 0x00000021 not dh 0x00000023 not bl 0x00000025 bsf edx, ebp 0x00000028 xchg dword ptr [esp+20h], ebx 0x0000002c jmp 00007FBD04BA4794h 0x0000002e btc ebp, edx 0x00000031 mov eax, ecx 0x00000033 shl eax, cl 0x00000035 mov edx, dword ptr [esp] 0x00000038 xchg eax, ebp 0x00000039 lea ebx, dword ptr [ebx-0000001Bh] 0x0000003f jmp 00007FBD04BA47A9h 0x00000041 xchg ah, al 0x00000043 mov dl, 36h 0x00000045 xchg dl, dh 0x00000047 push bx 0x00000049 xchg bp, dx 0x0000004c lea esp, dword ptr [esp+02h] 0x00000050 jmp 00007FBD04BA47EAh 0x00000052 xchg dword ptr [esp+20h], ebx 0x00000056 mov bh, byte ptr [esp] 0x00000059 clc 0x0000005a rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 46E126 second address: 46E198 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edx-54A5BC8Bh] 0x00000008 jmp 00007FBD04820F21h 0x0000000a mov ax, word ptr [esp] 0x0000000e inc dh 0x00000010 jle 00007FBD04820F61h 0x00000012 jnle 00007FBD04820F5Fh 0x00000014 sub bl, cl 0x00000016 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 46E50D second address: 46E55D instructions: 0x00000000 rdtsc 0x00000002 xchg dl, dh 0x00000004 jmp 00007FBD04BA4815h 0x00000006 ror bl, 00000000h 0x00000009 neg eax 0x0000000b jnle 00007FBD04BA4788h 0x0000000d rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4C6936 second address: 4C6938 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 4A2CDA second address: 4A2CDF instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 44F55C second address: 44F6CE instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 4A18971Dh 0x00000007 xchg bx, ax 0x0000000a xor ah, ah 0x0000000c jmp 00007FBD04820F88h 0x0000000e shr dh, 00000006h 0x00000011 jmp 00007FBD04820EF7h 0x00000013 ror ebp, 00000000h 0x00000016 mov bx, 258Eh 0x0000001a or ebx, ebx 0x0000001c jc 00007FBD04821026h 0x00000022 jnc 00007FBD04820F9Bh 0x00000028 not bx 0x0000002b lea ebx, dword ptr [00000000h+esi*4] 0x00000032 inc bl 0x00000034 jmp 00007FBD04820F95h 0x00000039 jmp 00007FBD04820E40h 0x0000003e xor ebp, 4F446086h 0x00000044 shr ebx, cl 0x00000046 jbe 00007FBD04820EF2h 0x00000048 mov dl, byte ptr [esp] 0x0000004b jmp 00007FBD04820F16h 0x0000004d bswap eax 0x0000004f mov bh, byte ptr [esp] 0x00000052 mov bx, bp 0x00000055 jmp 00007FBD04820F16h 0x00000057 bts ebx, edi 0x0000005a call 00007FBD04820F52h 0x0000005f sub esp, 0Dh 0x00000062 not ebx 0x00000064 mov bx, word ptr [esp+08h] 0x00000069 lea esp, dword ptr [esp+01h] 0x0000006d xchg dword ptr [esp+0Ch], ebp 0x00000071 jmp 00007FBD04820EE8h 0x00000073 lea eax, dword ptr [00000000h+ecx*4] 0x0000007a setnl ah 0x0000007d call 00007FBD04820F30h 0x00000082 call 00007FBD04820F3Ch 0x00000087 lea ebp, dword ptr [ebp+67h] 0x0000008a rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 49872B second address: 49872D instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                    Source: C:\ProgramData\javaw.exeRDTSC instruction interceptor: First address: 49872D second address: 4987EF instructions: 0x00000000 rdtsc 0x00000002 not dl 0x00000004 not bl 0x00000006 jmp 00007FBD04820EC8h 0x00000008 xchg dword ptr [esp], edx 0x0000000b mov bx, word ptr [esp] 0x0000000f xchg ah, bh 0x00000011 lea edx, dword ptr [edx-00000118h] 0x00000017 bsr eax, eax 0x0000001a lea eax, dword ptr [00000000h+ebx*4] 0x00000021 jmp 00007FBD04820EE1h 0x00000023 inc bh 0x00000025 mov al, bl 0x00000027 xchg dword ptr [esp], edx 0x0000002a bsf eax, eax 0x0000002d setp al 0x00000030 rcr al, 00000002h 0x00000033 jmp 00007FBD04820F31h 0x00000035 neg dx 0x00000038 push dword ptr [esp] 0x0000003b retn 0004h 0x0000003e sub esi, 02h 0x00000041 mov dh, dl 0x00000043 mov ax, word ptr [esp] 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044F247 rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4F22 sldt word ptr [eax]
Source: C:\Users\user\Desktop\file.exe | Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlenA,OpenServiceA,QueryServiceConfig2A,lstrcpyA,lstrcpyA,QueryServiceConfigA,lstrcpyA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseServiceHandle,CloseServiceHandle,LocalReAlloc 0_2_1000D310
Source: C:\ProgramData\javaw.exe | Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlenA,OpenServiceA,QueryServiceConfig2A,lstrcpyA,lstrcpyA,QueryServiceConfigA,lstrcpyA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseServiceHandle,CloseServiceHandle,LocalReAlloc 2_2_1000D310
Source: C:\ProgramData\javaw.exe | Window / User API: threadDelayed 534
Source: C:\ProgramData\javaw.exe | Window / User API: threadDelayed 548
Source: C:\ProgramData\javaw.exe | Window / User API: threadDelayed 582
Source: C:\ProgramData\javaw.exe | Window / User API: threadDelayed 604
Source: C:\ProgramData\javaw.exe | Window / User API: threadDelayed 434
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\javaw.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe | API coverage: 3.7 %
Source: C:\ProgramData\javaw.exe | API coverage: 2.5 %
Source: C:\ProgramData\javaw.exe | Code function: 2_2_10009B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_10009B90
Source: C:\ProgramData\javaw.exe TID: 5288 | Thread sleep count: 534 > 30
Source: C:\ProgramData\javaw.exe TID: 5288 | Thread sleep time: -1068000s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 5064 | Thread sleep count: 548 > 30
Source: C:\ProgramData\javaw.exe TID: 5064 | Thread sleep time: -1096000s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 5352 | Thread sleep count: 182 > 30
Source: C:\ProgramData\javaw.exe TID: 5352 | Thread sleep time: -728000s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 5840 | Thread sleep count: 582 > 30
Source: C:\ProgramData\javaw.exe TID: 5840 | Thread sleep time: -1164000s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 2008 | Thread sleep count: 604 > 30
Source: C:\ProgramData\javaw.exe TID: 2008 | Thread sleep time: -1208000s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 7964 | Thread sleep count: 141 > 30
Source: C:\ProgramData\javaw.exe TID: 7964 | Thread sleep time: -70500s >= -30000s
Source: C:\ProgramData\javaw.exe TID: 1720 | Thread sleep count: 434 > 30
Source: C:\ProgramData\javaw.exe TID: 1720 | Thread sleep time: -868000s >= -30000s
Source: C:\ProgramData\javaw.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\ProgramData\javaw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B870 lstrlen,FindFirstFileA,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose,0_2_0040B870
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B090 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,0_2_0040B090
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040BBD0 FindFirstFileA,FindClose,FindClose,0_2_0040BBD0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040BC90 FindFirstFileA,FindClose,CreateFileA,CloseHandle,0_2_0040BC90
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A64D FindFirstFileA,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose,0_2_0040A64D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A680 FindFirstFileA,FindNextFileA,FindClose,0_2_0040A680
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10003820 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,0_2_10003820
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10003040 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10003040
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10003230 wsprintfA,wsprintfA,FindFirstFileA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_10003230
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10003B80 FindFirstFileA,FindClose,FindClose,0_2_10003B80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10003C40 FindFirstFileA,FindClose,CreateFileA,CloseHandle,0_2_10003C40
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_10002630 FindFirstFileA,_strupr,_strupr,_strupr,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose,0_2_10002630
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040B870 lstrlen,FindFirstFileA,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose,2_2_0040B870
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040B090 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,2_2_0040B090
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040BBD0 FindFirstFileA,FindClose,FindClose,2_2_0040BBD0
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040BC90 FindFirstFileA,FindClose,CreateFileA,CloseHandle,2_2_0040BC90
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040A64D FindFirstFileA,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose,2_2_0040A64D
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_0040A680 FindFirstFileA,FindNextFileA,FindClose,2_2_0040A680
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10003820 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,2_2_10003820
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10003040 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,2_2_10003040
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10003230 wsprintfA,wsprintfA,FindFirstFileA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,2_2_10003230
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10003B80 FindFirstFileA,FindClose,FindClose,2_2_10003B80
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10003C40 FindFirstFileA,FindClose,CreateFileA,CloseHandle,2_2_10003C40
                    Source: C:\ProgramData\javaw.exeCode function: 2_2_10002630 FindFirstFileA,_strupr,_strupr,_strupr,strstr,LocalAlloc,LocalReAlloc,LocalSize,Sleep,LocalFree,FindNextFileA,FindClose,2_2_10002630
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040AED0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,0_2_0040AED0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413660 GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetTickCount,0_2_00413660
                    Source: Amcache.hve.11.drBinary or memory string: VMware
                    Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.11.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.11.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.11.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.11.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.11.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.11.drBinary or memory string: vmci.sys
                    Source: Amcache.hve.11.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: file.exe, 00000000.00000002.2147210790.000000000087F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                    Source: Amcache.hve.11.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.11.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.11.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.11.drBinary or memory string: VMware Virtual RAM
                    Source: javaw.exe, 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                    Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.11.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\ProgramData\javaw.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Thread information set: HideFromDebugger
                    Source: C:\ProgramData\javaw.exe Open window title or class name: regmonclass
                    Source: C:\ProgramData\javaw.exe Open window title or class name: filemonclass
                    Source: C:\ProgramData\javaw.exe File opened: NTICE
                    Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                    Source: C:\ProgramData\javaw.exe Process queried: DebugPort
                    Source: C:\ProgramData\javaw.exe Process queried: DebugPort
                    Source: C:\ProgramData\javaw.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F247 rdtsc
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0250020D LdrInitializeThunk
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041194D BlockInput
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410030 LoadLibraryA,GetProcAddress,RtlDeleteCriticalSection,FreeLibrary
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307229 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307229 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233C299 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233C299 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233C299 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A29B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022E8297 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022E8297 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A2FB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A2FB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C31B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022D8362 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022D8362 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231B35B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231B3BB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231B3BB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023073AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023073AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023073AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023073AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023063FE mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023063FE mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A3E9 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A3E9 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023383ED mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023383ED mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023203DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023203DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233B013 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233B013 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327004 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327004 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327004 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327004 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327004 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02338004 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230007A mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230007A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233207E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233207E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231B06B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231B06B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F04D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F04D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F04D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230D0B2 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233C0FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C0DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C0DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C0DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C0DB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231E137 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02333121 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02333121 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02333121 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F169 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233215D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233215D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232014F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022DD153 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230A1BB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230A1BB mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02338195 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02338195 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233B19C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233B19C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023241CB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023241CB mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233C1CC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F863C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F863C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F863C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232662F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232662F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232662F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232662F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232662F mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023076BA mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023076BA mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023076BA mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023076BA mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023316BC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023246E5 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023246E5 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023246E5 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023246E5 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023246E5 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232873B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307722 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307722 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232F725 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F71B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F71B mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233670A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231E761 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231E761 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231E761 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307768 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307768 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02307768 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232376F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A76F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231A76F mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022FE759 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02302748 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022DC7AC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022DC7AC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022DC7AC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F97AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F97AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022F97AB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022E778B mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02331796 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C787 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230C787 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022E07E7 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_022E07E7 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231E7EC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230F7EE mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0230F7EE mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233A42A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0233A42A mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232641B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0232641B mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0231F477 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231F477 mov eax, dword ptr fs:[00000030h]0_2_0231F477
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B4BB mov eax, dword ptr fs:[00000030h]0_2_0231B4BB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233248B mov eax, dword ptr fs:[00000030h]0_2_0233248B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DB4E2 mov eax, dword ptr fs:[00000030h]0_2_022DB4E2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231C4E6 mov eax, dword ptr fs:[00000030h]0_2_0231C4E6
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023324CF mov eax, dword ptr fs:[00000030h]0_2_023324CF
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023324CF mov eax, dword ptr fs:[00000030h]0_2_023324CF
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232653B mov eax, dword ptr fs:[00000030h]0_2_0232653B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E053C mov esi, dword ptr fs:[00000030h]0_2_022E053C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231B51B mov eax, dword ptr fs:[00000030h]0_2_0231B51B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331574 mov eax, dword ptr fs:[00000030h]0_2_02331574
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331574 mov eax, dword ptr fs:[00000030h]0_2_02331574
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331574 mov eax, dword ptr fs:[00000030h]0_2_02331574
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DB561 mov eax, dword ptr fs:[00000030h]0_2_022DB561
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DB561 mov eax, dword ptr fs:[00000030h]0_2_022DB561
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DB57B mov eax, dword ptr fs:[00000030h]0_2_022DB57B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DB57B mov eax, dword ptr fs:[00000030h]0_2_022DB57B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A569 mov eax, dword ptr fs:[00000030h]0_2_0231A569
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A569 mov ecx, dword ptr fs:[00000030h]0_2_0231A569
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232F555 mov eax, dword ptr fs:[00000030h]0_2_0232F555
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232F555 mov eax, dword ptr fs:[00000030h]0_2_0232F555
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232F555 mov eax, dword ptr fs:[00000030h]0_2_0232F555
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231C54C mov eax, dword ptr fs:[00000030h]0_2_0231C54C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023065A2 mov ecx, dword ptr fs:[00000030h]0_2_023065A2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023065A2 mov eax, dword ptr fs:[00000030h]0_2_023065A2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232158B mov ecx, dword ptr fs:[00000030h]0_2_0232158B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023315E2 mov eax, dword ptr fs:[00000030h]0_2_023315E2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C5EB mov eax, dword ptr fs:[00000030h]0_2_0230C5EB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C5EB mov eax, dword ptr fs:[00000030h]0_2_0230C5EB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C5EB mov eax, dword ptr fs:[00000030h]0_2_0230C5EB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C5EB mov eax, dword ptr fs:[00000030h]0_2_0230C5EB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230E5C9 mov eax, dword ptr fs:[00000030h]0_2_0230E5C9
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230E5C9 mov eax, dword ptr fs:[00000030h]0_2_0230E5C9
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F9A1B mov eax, dword ptr fs:[00000030h]0_2_022F9A1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F9A1B mov ecx, dword ptr fs:[00000030h]0_2_022F9A1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F9A1B mov eax, dword ptr fs:[00000030h]0_2_022F9A1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331A05 mov eax, dword ptr fs:[00000030h]0_2_02331A05
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318A71 mov eax, dword ptr fs:[00000030h]0_2_02318A71
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02319A48 mov eax, dword ptr fs:[00000030h]0_2_02319A48
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02319A48 mov eax, dword ptr fs:[00000030h]0_2_02319A48
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231AA4F mov eax, dword ptr fs:[00000030h]0_2_0231AA4F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DFABB mov eax, dword ptr fs:[00000030h]0_2_022DFABB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022DFABB mov ecx, dword ptr fs:[00000030h]0_2_022DFABB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233AAAA mov eax, dword ptr fs:[00000030h]0_2_0233AAAA
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233AAAA mov eax, dword ptr fs:[00000030h]0_2_0233AAAA
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231FAEB mov eax, dword ptr fs:[00000030h]0_2_0231FAEB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231FAEB mov ecx, dword ptr fs:[00000030h]0_2_0231FAEB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7AD8 mov eax, dword ptr fs:[00000030h]0_2_022E7AD8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7AD8 mov ecx, dword ptr fs:[00000030h]0_2_022E7AD8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7AD8 mov eax, dword ptr fs:[00000030h]0_2_022E7AD8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BB3E mov eax, dword ptr fs:[00000030h]0_2_0233BB3E
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BB3E mov eax, dword ptr fs:[00000030h]0_2_0233BB3E
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231AB2D mov eax, dword ptr fs:[00000030h]0_2_0231AB2D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231AB2D mov eax, dword ptr fs:[00000030h]0_2_0231AB2D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318B10 mov eax, dword ptr fs:[00000030h]0_2_02318B10
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318B10 mov ecx, dword ptr fs:[00000030h]0_2_02318B10
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337B1F mov eax, dword ptr fs:[00000030h]0_2_02337B1F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337B1F mov eax, dword ptr fs:[00000030h]0_2_02337B1F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337B1F mov eax, dword ptr fs:[00000030h]0_2_02337B1F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337B1F mov eax, dword ptr fs:[00000030h]0_2_02337B1F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327B0A mov eax, dword ptr fs:[00000030h]0_2_02327B0A
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02328B5B mov eax, dword ptr fs:[00000030h]0_2_02328B5B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02314B4F mov eax, dword ptr fs:[00000030h]0_2_02314B4F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02314B4F mov ecx, dword ptr fs:[00000030h]0_2_02314B4F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E6BB6 mov eax, dword ptr fs:[00000030h]0_2_022E6BB6
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02302BA9 mov eax, dword ptr fs:[00000030h]0_2_02302BA9
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02302BA9 mov eax, dword ptr fs:[00000030h]0_2_02302BA9
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318BFC mov eax, dword ptr fs:[00000030h]0_2_02318BFC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318BFC mov eax, dword ptr fs:[00000030h]0_2_02318BFC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022D8BC9 mov eax, dword ptr fs:[00000030h]0_2_022D8BC9
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02323BDB mov ecx, dword ptr fs:[00000030h]0_2_02323BDB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02310BDB mov eax, dword ptr fs:[00000030h]0_2_02310BDB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BBDB mov eax, dword ptr fs:[00000030h]0_2_0230BBDB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BBDB mov eax, dword ptr fs:[00000030h]0_2_0230BBDB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331BC3 mov eax, dword ptr fs:[00000030h]0_2_02331BC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331BC3 mov eax, dword ptr fs:[00000030h]0_2_02331BC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230283B mov eax, dword ptr fs:[00000030h]0_2_0230283B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230283B mov eax, dword ptr fs:[00000030h]0_2_0230283B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A81B mov eax, dword ptr fs:[00000030h]0_2_0231A81B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A81B mov eax, dword ptr fs:[00000030h]0_2_0231A81B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A81B mov eax, dword ptr fs:[00000030h]0_2_0231A81B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A81B mov ecx, dword ptr fs:[00000030h]0_2_0231A81B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02336873 mov eax, dword ptr fs:[00000030h]0_2_02336873
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232F874 mov eax, dword ptr fs:[00000030h]0_2_0232F874
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov eax, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov ecx, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov eax, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov eax, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov eax, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FE878 mov eax, dword ptr fs:[00000030h]0_2_022FE878
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231F86B mov eax, dword ptr fs:[00000030h]0_2_0231F86B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231F86B mov ecx, dword ptr fs:[00000030h]0_2_0231F86B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F884B mov eax, dword ptr fs:[00000030h]0_2_022F884B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F884B mov ecx, dword ptr fs:[00000030h]0_2_022F884B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F884B mov eax, dword ptr fs:[00000030h]0_2_022F884B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B8BB mov eax, dword ptr fs:[00000030h]0_2_0233B8BB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B8BB mov eax, dword ptr fs:[00000030h]0_2_0233B8BB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023288BB mov eax, dword ptr fs:[00000030h]0_2_023288BB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233988B mov ecx, dword ptr fs:[00000030h]0_2_0233988B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_023188FB mov eax, dword ptr fs:[00000030h]0_2_023188FB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C8FB mov eax, dword ptr fs:[00000030h]0_2_0230C8FB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233A8C8 mov eax, dword ptr fs:[00000030h]0_2_0233A8C8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02318935 mov eax, dword ptr fs:[00000030h]0_2_02318935
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232892B mov eax, dword ptr fs:[00000030h]0_2_0232892B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FF90C mov eax, dword ptr fs:[00000030h]0_2_022FF90C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FF90C mov eax, dword ptr fs:[00000030h]0_2_022FF90C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FF90C mov eax, dword ptr fs:[00000030h]0_2_022FF90C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FF90C mov eax, dword ptr fs:[00000030h]0_2_022FF90C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FF90C mov eax, dword ptr fs:[00000030h]0_2_022FF90C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FA91B mov eax, dword ptr fs:[00000030h]0_2_022FA91B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331957 mov eax, dword ptr fs:[00000030h]0_2_02331957
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02331957 mov eax, dword ptr fs:[00000030h]0_2_02331957
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230B95B mov eax, dword ptr fs:[00000030h]0_2_0230B95B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230B95B mov eax, dword ptr fs:[00000030h]0_2_0230B95B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230B95B mov eax, dword ptr fs:[00000030h]0_2_0230B95B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230B95B mov eax, dword ptr fs:[00000030h]0_2_0230B95B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230C9AB mov eax, dword ptr fs:[00000030h]0_2_0230C9AB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B9A8 mov eax, dword ptr fs:[00000030h]0_2_0233B9A8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B9A8 mov eax, dword ptr fs:[00000030h]0_2_0233B9A8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B9A8 mov eax, dword ptr fs:[00000030h]0_2_0233B9A8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233B9A8 mov eax, dword ptr fs:[00000030h]0_2_0233B9A8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E199B mov eax, dword ptr fs:[00000030h]0_2_022E199B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231A9CA mov eax, dword ptr fs:[00000030h]0_2_0231A9CA
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02319E0B mov eax, dword ptr fs:[00000030h]0_2_02319E0B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02338E4D mov eax, dword ptr fs:[00000030h]0_2_02338E4D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BE91 mov eax, dword ptr fs:[00000030h]0_2_0233BE91
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BE91 mov eax, dword ptr fs:[00000030h]0_2_0233BE91
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BE91 mov eax, dword ptr fs:[00000030h]0_2_0233BE91
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BE91 mov eax, dword ptr fs:[00000030h]0_2_0233BE91
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307E92 mov eax, dword ptr fs:[00000030h]0_2_02307E92
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307E92 mov eax, dword ptr fs:[00000030h]0_2_02307E92
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307E92 mov eax, dword ptr fs:[00000030h]0_2_02307E92
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233AEE5 mov eax, dword ptr fs:[00000030h]0_2_0233AEE5
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02309F3B mov eax, dword ptr fs:[00000030h]0_2_02309F3B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02309F3B mov ecx, dword ptr fs:[00000030h]0_2_02309F3B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337F22 mov eax, dword ptr fs:[00000030h]0_2_02337F22
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02335F29 mov eax, dword ptr fs:[00000030h]0_2_02335F29
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02332F2F mov eax, dword ptr fs:[00000030h]0_2_02332F2F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232DF12 mov eax, dword ptr fs:[00000030h]0_2_0232DF12
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232DF12 mov ecx, dword ptr fs:[00000030h]0_2_0232DF12
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02322F1B mov eax, dword ptr fs:[00000030h]0_2_02322F1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02322F1B mov eax, dword ptr fs:[00000030h]0_2_02322F1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308F4B mov eax, dword ptr fs:[00000030h]0_2_02308F4B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308F4B mov eax, dword ptr fs:[00000030h]0_2_02308F4B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308F4B mov eax, dword ptr fs:[00000030h]0_2_02308F4B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231AFBB mov eax, dword ptr fs:[00000030h]0_2_0231AFBB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231AFBB mov eax, dword ptr fs:[00000030h]0_2_0231AFBB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230CFAB mov eax, dword ptr fs:[00000030h]0_2_0230CFAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02323FFC mov eax, dword ptr fs:[00000030h]0_2_02323FFC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02323FFC mov ecx, dword ptr fs:[00000030h]0_2_02323FFC
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022FDFFB mov eax, dword ptr fs:[00000030h]0_2_022FDFFB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7FF2 mov eax, dword ptr fs:[00000030h]0_2_022E7FF2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7FF2 mov eax, dword ptr fs:[00000030h]0_2_022E7FF2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F8FCB mov eax, dword ptr fs:[00000030h]0_2_022F8FCB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022F8FCB mov ecx, dword ptr fs:[00000030h]0_2_022F8FCB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02328FD7 mov eax, dword ptr fs:[00000030h]0_2_02328FD7
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231FC3B mov eax, dword ptr fs:[00000030h]0_2_0231FC3B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0231FC3B mov ecx, dword ptr fs:[00000030h]0_2_0231FC3B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BC14 mov eax, dword ptr fs:[00000030h]0_2_0233BC14
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0233BC14 mov eax, dword ptr fs:[00000030h]0_2_0233BC14
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02336C03 mov eax, dword ptr fs:[00000030h]0_2_02336C03
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02336C03 mov eax, dword ptr fs:[00000030h]0_2_02336C03
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022E7C75 mov eax, dword ptr fs:[00000030h]0_2_022E7C75
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02309C50 mov eax, dword ptr fs:[00000030h]0_2_02309C50
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02333C4C mov eax, dword ptr fs:[00000030h]0_2_02333C4C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02339CAB mov eax, dword ptr fs:[00000030h]0_2_02339CAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02339CAB mov ecx, dword ptr fs:[00000030h]0_2_02339CAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02324C9B mov ecx, dword ptr fs:[00000030h]0_2_02324C9B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02328C9B mov eax, dword ptr fs:[00000030h]0_2_02328C9B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02324CDB mov eax, dword ptr fs:[00000030h]0_2_02324CDB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02319CCB mov eax, dword ptr fs:[00000030h]0_2_02319CCB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308D1B mov eax, dword ptr fs:[00000030h]0_2_02308D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308D1B mov eax, dword ptr fs:[00000030h]0_2_02308D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308D1B mov eax, dword ptr fs:[00000030h]0_2_02308D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02308D1B mov eax, dword ptr fs:[00000030h]0_2_02308D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022D8D1B mov eax, dword ptr fs:[00000030h]0_2_022D8D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022D8D1B mov eax, dword ptr fs:[00000030h]0_2_022D8D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022D8D1B mov eax, dword ptr fs:[00000030h]0_2_022D8D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_022D8D1B mov eax, dword ptr fs:[00000030h]0_2_022D8D1B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307D08 mov eax, dword ptr fs:[00000030h]0_2_02307D08
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307D08 mov eax, dword ptr fs:[00000030h]0_2_02307D08
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02307D08 mov ecx, dword ptr fs:[00000030h]0_2_02307D08
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337D71 mov eax, dword ptr fs:[00000030h]0_2_02337D71
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02337D71 mov eax, dword ptr fs:[00000030h]0_2_02337D71
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02324D6B mov ecx, dword ptr fs:[00000030h]0_2_02324D6B
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov ecx, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0230BDAB mov eax, dword ptr fs:[00000030h]0_2_0230BDAB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232ED80 mov eax, dword ptr fs:[00000030h]0_2_0232ED80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0232ED80 mov eax, dword ptr fs:[00000030h]0_2_0232ED80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]0_2_02327DC3
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02327DC3 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02319DCB mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024D13ED mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024D13ED mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024DB45E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024DE48E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024CDBE2 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024EBC94 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257225D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257D244 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024CE26B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B527A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B527A mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024DE278 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02590204 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0259122D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024BC2CD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025472DF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0258B2D4 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0255A2CD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B52ED mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B52ED mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024F92E8 mov esi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257D2FC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0258F2E9 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025622E1 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025622E1 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0254A29D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0254D289 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024CE2AD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024EC2A9 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025422BC mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025492BD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025492BD mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257D2A0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025992AE mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024BB34D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257D358 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0253A34D mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0253A34D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024F336D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0256E362 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B637D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024CF30D mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024EF329 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024D13CD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0254D3D7 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025923DD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025463CD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0254B3F4 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_025933FD mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B53EE mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_024B5382 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C180 GetProcessHeap,RtlAllocateHeap

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100052D0 mciSendStringA,mciSendStringA,FindWindowA,ShowWindow,FindWindowA,ShowWindow,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,FindWindowA,SendMessageA,FindWindowA,SendMessageA,FindWindowA,ShowWindow,FindWindowA,ShowWindow,SwapMouseButton,SwapMouseButton
                    Source: C:\ProgramData\javaw.exe Code function: 2_2_100052D0 mciSendStringA,mciSendStringA,FindWindowA,ShowWindow,FindWindowA,ShowWindow,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,FindWindowA,SendMessageA,FindWindowA,SendMessageA,FindWindowA,ShowWindow,FindWindowA,ShowWindow,SwapMouseButton,SwapMouseButton
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411D60 SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10009D10 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712
                    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 568
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                    Source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
                    Source: javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Program Files\Internet Explorer\IEXPLORE.EXESystemSecurityApplicationHostSYSTEM\CurrentControlSet\Services\%sSeShutdownPrivilege\\.\PHYSICALDRIVE0Shell_TrayWndProgmanset cdaudio door closed waitset cdaudio door openBITS > nul /c del COMSPEC\Sougou.key(&^%$#@!)9876543210*[NumLock][
                    Source: file.exe, 00000000.00000002.2186795336.0000000002AAC000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776678957.0000000002648000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2245207048.0000000001733000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004141B0 GetLocalTime,lstrlen
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414120 GetVersionExA,GetModuleFileNameA,wsprintfA,CloseHandle
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: acs.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: vsserv.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: avcenter.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: kxetray.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: avp.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: cfp.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: KSafeTray.exe
                    Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: rtvscan.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 360tray.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: TMBMSRV.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ashDisp.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: avgwdsvc.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: AYAgent.aye
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: QUHLPSVC.EXE
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: RavMonD.exe
                    Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Mcshield.exe
                    Source: file.exe, file.exe, 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, javaw.exe, javaw.exe, 00000002.00000002.2245745782.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, javaw.exe, 00000007.00000002.2360175723.000000001001C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: K7TSecurity.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: javaw.exe PID: 7712, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: javaw.exe PID: 8000, type: MEMORYSTR
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: javaw.exe PID: 7712, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: javaw.exe PID: 8000, type: MEMORYSTR
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.10000000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.408050.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.javaw.exe.408050.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                    MITRE ATT&CK Matrix (one row per line, 14 tactic columns; a number in parentheses is the count of matched signatures shown next to that technique in the matrix, techniques without a number were not observed):

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Input Capture (131) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                    Credentials | Domains | Replication Through Removable Media (1) | Service Execution (12) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Input Capture (131) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Windows Service (33) | Access Token Manipulation (11) | Obfuscated Files or Information (4) | Security Account Manager | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (1) | Windows Service (33) | Software Packing (12) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (1) | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Bootkit (1) | Process Injection (12) | DLL Side-Loading (1) | LSA Secrets | System Information Discovery (36) | SSH | Keylogging | Application Layer Protocol (1) | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | File Deletion (2) | Cached Domain Credentials | Security Software Discovery (861) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (1) | DCSync | Virtualization/Sandbox Evasion (24) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (24) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (11) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (12) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Bootkit (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                    Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Indicator Removal (1) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1583451 | Sample: file.exe | Start date: 02/01/2025 | Architecture: WINDOWS | Score: 100

                    Behavior graph (process tree; bracketed numbers are the counts displayed next to a process in the graph, see the legend above):

                    Start
                      Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
                      DNS/IP: e.0000o.xyz (Performs DNS queries to domains with low reputation)
                      Started processes:
                      - javaw.exe
                          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 9 other signatures
                          Started: javaw.exe [1]
                              DNS/IP: e.0000o.xyz 198.98.57.188, ports 49747, 49887, 50008, PONYNETUS, United States
                              Signatures: Hides threads from debuggers; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                          Started: javaw.exe
                          Started: WerFault.exe [21 16]
                              Signatures: Creates autostart registry keys to launch java
                      - file.exe [1 3]
                          Dropped: C:\ProgramData\javaw.exe (PE32); C:\ProgramData\javaw.exe:Zone.Identifier (ASCII)
                          Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Self deletion via cmd or bat file; Contains functionality to automate explorer (e.g. start an application); Deletes itself after installation
                          Started: cmd.exe [1]
                              Started: conhost.exe
                      - svchost.exe [3 8]
                          Started: WerFault.exe [2]

                    Antivirus results for the submitted sample:

                    Source | Detection | Scanner | Label
                    file.exe | 66% | ReversingLabs | Win32.Backdoor.Zegost
                    file.exe | 100% | Avira | HEUR/AGEN.1332102
                    file.exe | 100% | Joe Sandbox ML |

                    Antivirus results for dropped files:

                    Source | Detection | Scanner | Label
                    C:\ProgramData\javaw.exe | 100% | Avira | HEUR/AGEN.1332102
                    C:\ProgramData\javaw.exe | 100% | Joe Sandbox ML |
                    C:\ProgramData\javaw.exe | 66% | ReversingLabs | Win32.Backdoor.Zegost
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Domains:

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    e.0000o.xyz | 198.98.57.188 | true | true | | unknown

                    URLs:

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://upx.sf.net | Amcache.hve.11.dr | false | | high

                    Reputation legend:
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    IPs:

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    198.98.57.188 | e.0000o.xyz | United States | 53667 | PONYNETUS | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1583451
                        Start date and time:2025-01-02 20:08:05 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 11m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:13
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@15/9@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 67%
                        • Number of executed functions: 34
                        • Number of non-executed functions: 353
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 20.189.173.22, 4.175.87.197, 20.190.159.0, 13.107.246.45
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        Time | Type | Description
                        14:09:52 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        14:10:25 | API Interceptor | 4795x Sleep call for process: javaw.exe modified
                        No context
                        No context
                        Context (other samples seen with the same ASN match):

                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        PONYNETUS | lx64.elf | malicious | Unknown | 205.185.126.56
                        PONYNETUS | https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D | malicious | HTMLPhisher | 198.251.89.144
                        PONYNETUS | arm6.elf | malicious | Mirai, Moobot | 209.141.47.117
                        PONYNETUS | JkICQ13OOY.dll | malicious | Unknown | 107.189.14.43
                        PONYNETUS | JkICQ13OOY.dll | malicious | Unknown | 104.244.76.24
                        PONYNETUS | Clienter.dll.dll | malicious | Unknown | 107.189.1.9
                        PONYNETUS | SC_TR11670000_pdf.exe | malicious | FormBook | 198.251.84.200
                        PONYNETUS | vpn.exe | malicious | Metasploit | 209.141.35.225
                        PONYNETUS | jew.sh4.elf | malicious | Unknown | 144.172.104.27
                        PONYNETUS | MGj3hwACvs.html | malicious | HTMLPhisher, ReCaptcha Phish | 104.194.152.148
                        No context
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8660431817661455
                        Encrypted:false
                        SSDEEP:192:osfUTMxVIk5/tM0BU/Ey3g+jFzuiFuZ24IO8oW:oMUwskRNBU/PjFzuiFuY4IO8Z
                        MD5:D6BA1D28637DA604DE34795DB0F7EC72
                        SHA1:463A03D5BD140CB9A93C9ECA0607B9F576C6B807
                        SHA-256:64E1A76489B0EBCDDC73ABDC820DED06AFC847DCE0EC7A5FBA4A763A789A955B
                        SHA-512:E292031E63444D1DF44BB8725E66D66EB6F596A49CAB3589041037D5B78091940DB9D10E084FCC19BB6700CF67E7FF832E02035D7E06B633E0133F6C128F4C0A
                        Malicious:false
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.8.5.7.7.7.9.9.6.8.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.8.5.8.0.9.4.0.3.5.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.9.f.c.0.0.5.-.f.6.9.e.-.4.b.f.1.-.8.4.3.f.-.4.1.f.e.7.a.8.f.9.f.a.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.a.4.8.4.b.f.-.7.c.7.c.-.4.e.5.b.-.9.1.3.e.-.e.8.a.5.c.7.4.d.2.0.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.a.v.a.w...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.j.a.v.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.0.-.0.0.0.0.-.0.0.1.4.-.4.5.e.c.-.7.3.d.0.4.9.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.9.7.e.5.1.6.b.2.5.1.9.2.4.d.4.1.6.6.2.b.1.7.8.e.8.9.b.1.3.5.3.0.0.0.0.0.0.0.0.!.0.0.0.0.3.b.0.0.8.6.4.2.9.9.5.1.3.5.4.6.7.5.9.a.1.0.2.1.8.6.b.1.b.8.9.4.f.7.9.2.0.8.8.4.!.j.a.v.
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.6851196529029706
                        Encrypted:false
                        SSDEEP:96:TiZYWbrkDtrKYyYCAWNHAQYEZ9mGtHiQIoKcwIrYga+vqMjSYIFv3:2ZDuKFNstMr9a+vqMjS/Fv3
                        MD5:C42355F9AE2AFAB94EC2D98B9189BF6E
                        SHA1:7DAE38D7A564D8EA3B020F920DC3EE96AE3C2171
                        SHA-256:06FE6735DE8360F5913F0B59C14B0B9A248DD8279E77E93427B8CF2950546F4F
                        SHA-512:27D4A88DE76C0A4F222959280FBDFC986AA1B502746AA27F43F471ADC5CC9EC2710C5AA4410A8A44959B2FD79674B69C09FF9945129AE39597424306360AC054
                        Malicious:false
                        Reputation:low
                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Thu Jan 2 19:09:38 2025, 0x1205a4 type
                        Category:dropped
                        Size (bytes):79826
                        Entropy (8bit):1.793463436582004
                        Encrypted:false
                        SSDEEP:192:Cp40oznSJ9Xx9xNpQNoSOmTxvhICgm2/lJMVlJsJUtIUKGdOtozxkqBFz61jE0tJ:K40snS59xnox5IC090BiqBF+NtcF
                        MD5:C88CD7C9FDF0C9A3F04C53DC445CD1D5
                        SHA1:6C2A9C82FE0F96A22C7A10B975474320B3E1C15B
                        SHA-256:B725527FF225B46F90FCFF5F6D0E21A7658280FC249D8F339D38D14D24BCA079
                        SHA-512:0B7C281DE83DB595654FFC926FBAAC157E9735EA5D09E4157BE585F71AD69889D6480B33A5B6226C7D616E9FD09E57455CE62F5D25BCA7871EFA5645003A5A96
                        Malicious:false
                        Reputation:low
                        Preview:MDMP..a..... .......r.vg........................\...........l...T.......D...:=..........`.......8...........T...........P...........................................................................................................eJ......D.......GenuineIntel............T....... ...Z.vg.............................@..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6330
                        Entropy (8bit):3.7282249677796795
                        Encrypted:false
                        SSDEEP:96:RSIU6o7wVetbjVr67QQYDw1QE/VF45aM4UB89beLsfkYKm:R6l7wVeJjVr67XYD+YprB89beLsfkYKm
                        MD5:A01C76F59F79978E88DBBC7B72E6E2BA
                        SHA1:F5D73271BD72446C756F10EB2FA3178AD6F9B0CF
                        SHA-256:ACA8807017A50BD53D117BF2AD265EEC4AB3548779CD8962E08E624497434BD6
                        SHA-512:B8D917C2574BEE59079993A0DFA400322ECB9B4EF9A3C3FC9F2F5638F2B2B8FF75A50122D119BB1B9E0DD50B608B7480DE8374669A5E74443363A8E2A3A0084E
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.2.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4665
                        Entropy (8bit):4.479595806015269
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsCJg77aI9peWpW8VY1NYm8M4JkqFHL+q84yGnOob+ykORd:uIjfQI7jf7VvJxLtOofbRd
                        MD5:0521D44E8FA9E1B09F9D73D24119DE47
                        SHA1:C6FF1C09984F57B4059516DA3BBF9342B395422A
                        SHA-256:5044B6614880A79C1A9F7B242A6AF8E9F6B5F3DBB016C3CA20DD81D976F3D681
                        SHA-512:74C1E35CB6695F26F9AAD2A471FEC85E80DB34C812ECD3B1F162F871C8E12FA52AE41A73652836160AFD4446A175EB3F603A7B962421863DA5C7FACE7B2D9361
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658692" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):88860
                        Entropy (8bit):3.0588732361673587
                        Encrypted:false
                        SSDEEP:1536:+QCNkxZvcRCKgiO8rRKWcBZZxsGrjWPb+XkrK:+QCNkxZvcRCKgiO8rRKWcBZZxscjWPbQ
                        MD5:35492F4E7B68C3E8BBAA856CF59EB4C8
                        SHA1:3C5D4E82C422F4D1E979EC662F4ECB281A862BA4
                        SHA-256:1B46ADF0EA26C7C24086BEACD2110591511637C80A987CE96EC067EC24BE1FDE
                        SHA-512:0B4397AA4EBF88527F8BD78BC885BDE8D5434A30AC9872B64DEF26B5913CE7AC8B8B04B37735CE7D6EDB54C44E81C771E202A070E3C1BC958EE6B32FD9FE1F3E
                        Malicious:false
                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):958464
                        Entropy (8bit):7.762242210336897
                        Encrypted:false
                        SSDEEP:24576:gm8hT6GgqFrF2Bb482DvTUgT8ZL2r3qIlXLlaBj:981Uq5WsVU+4shRsJ
                        MD5:B00F13F32231A2DE38E2086DD297E250
                        SHA1:3B00864299513546759A102186B1B894F7920884
                        SHA-256:00EF210A88F26BE8DC6998D53A5EDA9158F71842F590EEA13D913F8FF3327CB7
                        SHA-512:71DC95784C212B3790011660FEB3CEDF5AA0E6A5A44274EF52D6ACBD5D9DBB70D93CE6EA36D28630AB0E26E8A2671D8CE2433FEFFC4B4B9FBB0864D43A1FEC44
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 66%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7..V...V...V...p...V...J...V...p...V.._Y...V...V...V..tI...V..[P.V..tI.V..Rich.V..........PE..L....P.X..........................................@.................................`...................................F...S........................................................................................................................text....P.......p..................`....sedata..p...`...p.................. ....idata..............................@....rsrc...............................@....sedata......p......................@..@........................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.465718691062609
                        Encrypted:false
                        SSDEEP:6144:aIXfpi67eLPU9skLmb0b46WSPKaJG8nAgejZMMhA2gX4WABl0uNkdwBCswSb9h:vXD946WlLZMM6YFH6+9h
                        MD5:ED63A03134E3C0018422A34FDEF1FB58
                        SHA1:878182313F2E644AF36CB1824A67BA3CB415B592
                        SHA-256:6E3AB559954E49102E2B9252800793C1245B9580E9939D193387C16E835356DF
                        SHA-512:24EB1CB9F6A5788B11891A03D6E1FDFF2A6958A365C38BCD2F199ED27ACFFDBB467DC05627FF90E9B6EA1A3034FB7C6ACF64208B0DAD0573C0771C30D3A396AD
                        Malicious:false
                        Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....I]..............................................................................................................................................................................................................................................................................................................................................-...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.762242210336897
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:958'464 bytes
                        MD5:b00f13f32231a2de38e2086dd297e250
                        SHA1:3b00864299513546759a102186b1b894f7920884
                        SHA256:00ef210a88f26be8dc6998d53a5eda9158f71842f590eea13d913f8ff3327cb7
                        SHA512:71dc95784c212b3790011660feb3cedf5aa0e6a5a44274ef52d6acbd5d9dbb70d93ce6ea36d28630ab0e26e8a2671d8ce2433feffc4b4b9fbb0864d43a1fec44
                        SSDEEP:24576:gm8hT6GgqFrF2Bb482DvTUgT8ZL2r3qIlXLlaBj:981Uq5WsVU+4shRsJ
                        TLSH:011512D2EE682276E1B740B19417A4ECE5F11DE51EB8C47E03E233D53EB22B5603A587
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V...V...V...p...V...J...V...p...V.._Y...V...V...V..tI...V..[P...V..tI...V..Rich.V..........PE..L....P.X...................
                        Icon Hash:d08c8e8ea2868a54
                        Entrypoint:0x4fb4ae
                        Entrypoint Section:.sedata
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:
                        Time Stamp:0x58CE50EA [Sun Mar 19 09:35:38 2017 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:aeda2677a6bf3275430a245892769aee
                        Instruction
                        call 00007FBD04C8E381h
                        push ebx
                        popad
                        outsb
                        imul ebp, dword ptr [bp+65h], 69685320h
                        insb
                        outsb
                        and byte ptr [esi+32h], dh
                        xor al, 2Eh
                        xor byte ptr [esi], ch
                        xor byte ptr [eax], al
                        pushfd
                        push ecx
                        stc
                        push dword ptr [esp+02h]
                        jmp 00007FBD04C8E2BAh
                        add bp, 3F59h
                        mov dword ptr [esp], edi
                        bswap edi
                        lea ebp, dword ptr [00000000h+ebp*4]
                        push ecx
                        jmp 00007FBD04C8E3B3h
                        test al, 20h
                        mov dh, D1h
                        and ah, dh
                        Programming Language:
                        • [C++] VS98 (6.0) SP6 build 8804
                        • [ C ] VS98 (6.0) SP6 build 8804
                        • [C++] VS98 (6.0) build 8168
                        • [EXP] VC++ 6.0 SP5 build 8804
                        • [LNK] VS98 (6.0) imp/exp build 8168
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf9c03 | 0x46 | .sedata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfd053 | 0xa0 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfe000 | 0x9000 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x35000 | 0x17000 | 639419a4999502402c8f3537eccd206e | False | 0.9646951426630435 | data | 7.91448099637405 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .sedata | 0x36000 | 0xc7000 | 0xc7000 | b4c54ee865c0095c1e7947c5d9b4d536 | False | 0.851043547817211 | data | 7.810988873579679 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0xfd000 | 0x1000 | 0x1000 | 827f731b2f33afb0215f352136a99cc4 | False | 0.06884765625 | data | 0.7449802947730676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0xfe000 | 0x9000 | 0x9000 | 5a17049aca0ba27a553a641c90c560cc | False | 0.3170572916666667 | data | 5.645526171358482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .sedata | 0x107000 | 0x1000 | 0x1000 | 69d3e9fcc2b40557f3e57d67b7066243 | False | 0.78125 | data | 7.982862489398755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0xfe340 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21890243902439024
                        RT_ICON | 0xfe9a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.3400537634408602
                        RT_ICON | 0xfec90 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.35450819672131145
                        RT_ICON | 0xfee78 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46283783783783783
                        RT_ICON | 0xfefa0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5026652452025586
                        RT_ICON | 0xffe48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.5798736462093863
                        RT_ICON | 0x1006f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.40264976958525345
                        RT_ICON | 0x100db8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.3273121387283237
                        RT_ICON | 0x101320 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.27344398340248965
                        RT_ICON | 0x1038c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.37875234521575984
                        RT_ICON | 0x104970 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.37868852459016394
                        RT_ICON | 0x1052f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4796099290780142
                        RT_GROUP_ICON | 0x105760 | 0xae | data | | | 0.603448275862069
                        RT_VERSION | 0x105810 | 0x334 | data | | | 0.46463414634146344
                        RT_MANIFEST | 0x105b44 | 0x67d | exported SGML document, ASCII text | | | 0.42203491872366045
                        DLL | Import
                        KERNEL32.dll | ExpandEnvironmentStringsA
                        USER32.dll | wsprintfA
                        MSVCRT.dll | strncpy
                        IPHLPAPI.DLL | GetInterfaceInfo
                        PSAPI.DLL | GetMappedFileNameW
                        ADVAPI32.dll | RegDeleteKeyA
                        SHELL32.dll | SHGetFolderPathW
                        Name | Ordinal | Address
                        Update | 1 | 0x401000
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2025-01-02T20:09:00.997407+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50014 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:10:00.645899+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 49747 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:10:20.828065+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 49747 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:10:22.061717+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 49887 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:10:42.814413+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 49887 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:10:44.063664+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50008 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:04.830146+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50008 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:12.217745+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50009 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:26.609583+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50009 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:32.601465+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50010 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:48.161259+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50010 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:11:55.733950+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50011 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:09.630499+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50011 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:15.241803+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50012 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:31.003568+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50012 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:37.705395+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50013 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:52.441492+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50013 | 198.98.57.188 | 7722 | TCP
                        2025-01-02T20:12:58.888721+0100 | 2036861 | ET MALWARE Gh0st RAT Backdoor Checkin | 1 | 192.168.2.4 | 50014 | 198.98.57.188 | 7722 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 2, 2025 20:09:59.443021059 CET | 49747 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:09:59.447890043 CET | 7722 | 49747 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:09:59.447962999 CET | 49747 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:00.645899057 CET | 49747 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:00.650682926 CET | 7722 | 49747 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:20.827188969 CET | 7722 | 49747 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:20.828012943 CET | 49747 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:20.828064919 CET | 49747 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:21.451446056 CET | 49887 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:21.456212044 CET | 7722 | 49887 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:21.456284046 CET | 49887 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:22.061717033 CET | 49887 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:22.066463947 CET | 7722 | 49887 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:42.813705921 CET | 7722 | 49887 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:42.814308882 CET | 49887 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:42.814413071 CET | 49887 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:43.467861891 CET | 50008 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:43.472726107 CET | 7722 | 50008 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:10:43.472836971 CET | 50008 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:44.063663960 CET | 50008 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:10:44.068500996 CET | 7722 | 50008 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:04.829905987 CET | 7722 | 50008 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:04.830065012 CET | 50008 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:04.830146074 CET | 50008 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:05.226279020 CET | 50009 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:05.232441902 CET | 7722 | 50009 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:05.232532024 CET | 50009 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:12.217745066 CET | 50009 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:12.222790956 CET | 7722 | 50009 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:26.609244108 CET | 7722 | 50009 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:26.609464884 CET | 50009 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:26.609582901 CET | 50009 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:26.772238016 CET | 50010 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:26.777160883 CET | 7722 | 50010 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:26.777308941 CET | 50010 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:32.601464987 CET | 50010 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:32.606420994 CET | 7722 | 50010 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:48.161024094 CET | 7722 | 50010 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:48.161166906 CET | 50010 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:48.161258936 CET | 50010 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:48.237934113 CET | 50011 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:48.242841959 CET | 7722 | 50011 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:11:48.242952108 CET | 50011 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:55.733949900 CET | 50011 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:11:55.738799095 CET | 7722 | 50011 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:09.630100012 CET | 7722 | 50011 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:09.630395889 CET | 50011 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:09.630498886 CET | 50011 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:09.639287949 CET | 50012 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:09.645771027 CET | 7722 | 50012 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:09.645910025 CET | 50012 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:15.241802931 CET | 50012 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:15.246598005 CET | 7722 | 50012 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:31.003252029 CET | 7722 | 50012 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:31.003343105 CET | 50012 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:31.003567934 CET | 50012 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:31.073945045 CET | 50013 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:31.078803062 CET | 7722 | 50013 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:31.078916073 CET | 50013 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:37.705394983 CET | 50013 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:37.710264921 CET | 7722 | 50013 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:52.441098928 CET | 7722 | 50013 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:52.441272974 CET | 50013 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:52.441492081 CET | 50013 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:52.479317904 CET | 50014 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:52.484136105 CET | 7722 | 50014 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:12:52.484308004 CET | 50014 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:58.888720989 CET | 50014 | 7722 | 192.168.2.4 | 198.98.57.188
                        Jan 2, 2025 20:12:58.893568993 CET | 7722 | 50014 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:13:13.863917112 CET | 7722 | 50014 | 198.98.57.188 | 192.168.2.4
                        Jan 2, 2025 20:13:13.864084005 CET | 50014 | 7722 | 192.168.2.4 | 198.98.57.188
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 2, 2025 20:09:59.416071892 CET | 65210 | 53 | 192.168.2.4 | 1.1.1.1
                        Jan 2, 2025 20:09:59.437658072 CET | 53 | 65210 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jan 2, 2025 20:09:59.416071892 CET | 192.168.2.4 | 1.1.1.1 | 0x89f1 | Standard query (0) | e.0000o.xyz | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jan 2, 2025 20:09:59.437658072 CET | 1.1.1.1 | 192.168.2.4 | 0x89f1 | No error (0) | e.0000o.xyz | | 198.98.57.188 | A (IP address) | IN (0x0001) | false

                        Target ID:0
                        Start time:14:08:56
                        Start date:02/01/2025
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x400000
                        File size:958'464 bytes
                        MD5 hash:B00F13F32231A2DE38E2086DD297E250
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2179987936.000000000287B000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1765375409.000000000264E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:14:09:14
                        Start date:02/01/2025
                        Path:C:\ProgramData\javaw.exe
                        Wow64 process (32bit):true
                        Commandline:C:\ProgramData\javaw.exe
                        Imagebase:0x400000
                        File size:958'464 bytes
                        MD5 hash:B00F13F32231A2DE38E2086DD297E250
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000003.1948059494.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2244976716.000000000150C000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000002.2243616897.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 66%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:14:09:34
                        Start date:02/01/2025
                        Path:C:\ProgramData\javaw.exe
                        Wow64 process (32bit):true
                        Commandline:C:\ProgramData\javaw.exe Win7
                        Imagebase:0x400000
                        File size:958'464 bytes
                        MD5 hash:B00F13F32231A2DE38E2086DD297E250
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.2185800053.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        Target ID:6
                        Start time:14:09:34
                        Start date:02/01/2025
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\file.exe > nul
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:14:09:34
                        Start date:02/01/2025
                        Path:C:\ProgramData\javaw.exe
                        Wow64 process (32bit):true
                        Commandline:C:\ProgramData\javaw.exe Win7
                        Imagebase:0x400000
                        File size:958'464 bytes
                        MD5 hash:B00F13F32231A2DE38E2086DD297E250
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000007.00000002.2358476682.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000003.2191896933.000000000264F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2359647070.000000000287F000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:8
                        Start time:14:09:39
                        Start date:02/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x800000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:14:09:34
                        Start date:02/01/2025
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase:0x7ff6eef20000
                        File size:55'320 bytes
                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:14:09:35
                        Start date:02/01/2025
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7712 -ip 7712
                        Imagebase:0xe20000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:14:09:37
                        Start date:02/01/2025
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 568
                        Imagebase:0xe20000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:1.4%
                          Dynamic/Decrypted Code Coverage:76.3%
                          Signature Coverage:51.6%
                          Total number of Nodes:413
                          Total number of Limit Nodes:58
                          execution_graph: raw node/edge listing of the interactive execution graph (the rendered graph is not reproducible here). Nodes that resolve to named API calls, by function address in the module loaded at 0x10000000: 1000cfd0 (GetProcAddress, FreeLibrary); 1000c850 (GetModuleHandleA, GetModuleFileNameA, StartServiceCtrlDispatcherA, RegOpenKeyExA, SHGetSpecialFolderPathA, wsprintfA, GetFileAttributesA, Sleep, exit); 1000caf0 (GetModuleFileNameA, sprintf, strncmp, OpenSCManagerA, CreateServiceA, LockServiceDatabase, ChangeServiceConfig2A, UnlockServiceDatabase, GetLastError, OpenServiceA, StartServiceA, RegOpenKeyA, lstrlenA, RegSetValueExA, SetFileAttributesA); 1000b990 (CreateFileA, SetFilePointer, GetFileSize, rand, WriteFile, CloseHandle); 1000bcf0 (strncpy, _access, CreateDirectoryA, CopyFileA); 1000ec20 (RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey); 1000cf01 (CloseServiceHandle, RegCloseKey); 1000e1e0 (CreateEventA, _beginthreadex, WaitForSingleObject, CloseHandle); 1000c160 (wsprintfA, GetLocalTime, lstrlenA); 1000bae0 (131 API calls, not itemised); 401467 (VirtualFree). The nodes in the 0x024Bxxxx to 0x0257xxxx region (the unpacked code in the main image) consist almost entirely of GetPEB, _vswprintf_s and LdrInitializeThunk calls.

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,74DF0F00,00000001), ref: 1000CB25
                          • sprintf.MSVCRT ref: 1000CB51
                          • strncmp.MSVCRT ref: 1000CB76
                          • CopyFileA.KERNEL32(?,?,00000000), ref: 1000CBA5
                            • Part of subcall function 1000B990: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,74DF0F00), ref: 1000B9C9
                            • Part of subcall function 1000B990: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 1000B9E2
                            • Part of subcall function 1000B990: GetFileSize.KERNEL32(00000000,00000000), ref: 1000B9EB
                            • Part of subcall function 1000B990: rand.MSVCRT ref: 1000BA28
                            • Part of subcall function 1000B990: WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000,00000001), ref: 1000BA5A
                            • Part of subcall function 1000B990: CloseHandle.KERNEL32(00000000), ref: 1000BA67
                          • SetFileAttributesA.KERNEL32(?,00000007), ref: 1000CC04
                          • Sleep.KERNEL32(00000032), ref: 1000CC16
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000CC38
                          • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1000CC70
                          • LockServiceDatabase.ADVAPI32(00000000), ref: 1000CC7F
                          • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,Oracle Corporation), ref: 1000CCA1
                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 1000CCA8
                          • GetLastError.KERNEL32 ref: 1000CCB2
                          • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 1000CCC9
                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000CCE2
                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000CCF3
                            • Part of subcall function 1000BCF0: strncpy.MSVCRT ref: 1000BD39
                            • Part of subcall function 1000BCF0: _access.MSVCRT ref: 1000BD42
                            • Part of subcall function 1000BCF0: CreateDirectoryA.KERNEL32(?,00000000), ref: 1000BD57
                          • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 1000CE5B
                          • lstrlenA.KERNEL32(?), ref: 1000CEB8
                          • RegSetValueExA.KERNEL32(?,Dri,00000000,00000001,?,00000000), ref: 1000CED2
                            • Part of subcall function 1000CF01: CloseServiceHandle.ADVAPI32(?,1000CEEA), ref: 1000CF0C
                            • Part of subcall function 1000CF01: CloseServiceHandle.ADVAPI32(00000000,1000CEEA), ref: 1000CF17
                            • Part of subcall function 1000CF01: RegCloseKey.KERNEL32(?,1000CEEA), ref: 1000CF28
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Service$File$Close$CreateHandleOpen$DatabaseStart$AttributesChangeConfig2CopyDirectoryErrorLastLockManagerModuleNamePointerSizeSleepUnlockValueWrite_accesslstrlenrandsprintfstrncmpstrncpy
                          • String ID: %$Dri$E$M$Oracle Corporation$T$Y$c$c$i$i$i$l$n$n$n$o$o$o$p$r$r$r$r$r$s$s$t$t$t$t$u$v
                          • API String ID: 2769662080-443813891
                          • Opcode ID: 5e248a6cdc96e849b56df03601b3b2e8b572fc5995cfb1d8257b0f066e5713be
                          • Instruction ID: 1dbd370c185d15e149600501164948a569bc7234037f99d2159422e9d84b54e1
                          • Opcode Fuzzy Hash: 5e248a6cdc96e849b56df03601b3b2e8b572fc5995cfb1d8257b0f066e5713be
                          • Instruction Fuzzy Hash: 24B1A4319046A89FEB22CB648C88BDEBFBDAB19300F0441D9E55D67291C7B55F88CF61

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,75BF8400), ref: 1000C877
                          • GetModuleFileNameA.KERNEL32(00000000), ref: 1000C87E
                          • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 1000C8F8
                          • Sleep.KERNEL32(00000032), ref: 1000C906
                          • sprintf.MSVCRT ref: 1000C92D
                          • exit.KERNELBASE ref: 1000C962
                          • Sleep.KERNEL32(00000032), ref: 1000C993
                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000,74DF0F00), ref: 1000C9D6
                          • wsprintfA.USER32 ref: 1000C9F9
                          • wsprintfA.USER32 ref: 1000CA12
                          • GetFileAttributesA.KERNEL32(?), ref: 1000CA1F
                            • Part of subcall function 1000E1E0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,1000BBDE,?), ref: 1000E204
                            • Part of subcall function 1000E1E0: _beginthreadex.MSVCRT ref: 1000E22C
                            • Part of subcall function 1000E1E0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000E23E
                            • Part of subcall function 1000E1E0: CloseHandle.KERNEL32(?), ref: 1000E249
                          • wsprintfA.USER32 ref: 1000CA47
                          • DefineDosDeviceA.KERNEL32(00000001,dhwrt4,?), ref: 1000CA5A
                          • Sleep.KERNEL32(00000064), ref: 1000CA62
                          • CopyFileA.KERNEL32(?,\\.\dhwrt4,00000000), ref: 1000CA73
                          • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000CA85
                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 1000CA92
                          • Sleep.KERNEL32(00000032), ref: 1000CAAC
                            • Part of subcall function 1000C160: wsprintfA.USER32 ref: 1000C255
                            • Part of subcall function 1000C160: GetLocalTime.KERNEL32(?,?,74DF0F00,00000001), ref: 1000C25F
                          • Sleep.KERNEL32(00000032), ref: 1000CACE
                            • Part of subcall function 1000BAE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 1000BC61
                            • Part of subcall function 1000BAE0: Sleep.KERNEL32(000001F4), ref: 1000BC6A
                            • Part of subcall function 1000BAE0: CloseHandle.KERNEL32(00000000), ref: 1000BC9B
                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 1000CA9F
                            • Part of subcall function 1000BAE0: exit.MSVCRT ref: 1000BB10
                            • Part of subcall function 1000BAE0: lstrlenA.KERNEL32(00000000,?,00000001,1000CAD5), ref: 1000BB65
                            • Part of subcall function 1000BAE0: lstrlenA.KERNEL32(00000000,?,00000001,1000CAD5), ref: 1000BB7B
                            • Part of subcall function 1000BAE0: GetTickCount.KERNEL32 ref: 1000BBBB
                            • Part of subcall function 1000BAE0: GetTickCount.KERNEL32 ref: 1000BBED
                            • Part of subcall function 1000BAE0: GetTickCount.KERNEL32 ref: 1000BC45
                            • Part of subcall function 1000BAE0: OpenEventA.KERNEL32(001F0003,00000000,?), ref: 1000BC56
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Sleep$File$wsprintf$CountHandleTick$AttributesCloseCreateEventModuleObjectSingleWaitexitlstrlen$CopyCtrlDefineDeviceDirectoryDispatcherFolderLocalMoveNameOpenPathServiceSpecialStartTime_beginthreadexsprintf
                          • String ID: %s.exe$%s\%s$C:\ProgramData$Java(TM) Platform SE 8 Oracle Corporation$Java(TM) Platform Sa 8$Oracle Corporation$\??\%s\%s$\\.\dhwrt4$dhwrt4$f9c5aeff30be6268c66ca3e8ffe818a4$javaw.exe
                          • API String ID: 2222872799-52727966
                          • Opcode ID: 2d797bfab592a4ad7254f4107923aec125a1242bd47d3262e15f5e5c9cbf3e7b
                          • Instruction ID: dfbd6d575c8a59075cf6fbf272f408f3518e4620c3f0a4cf55874ee8f88c2af7
                          • Opcode Fuzzy Hash: 2d797bfab592a4ad7254f4107923aec125a1242bd47d3262e15f5e5c9cbf3e7b
                          • Instruction Fuzzy Hash: 0351D171544399ABF310DBA0CC85F9F36A8FF48784F408818F7499A196EB71E944CBA7
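                          The two API listings above describe the installer logic of the module at 0x10000000. The function at 1000CAF0 copies the binary (subcall 1000BCF0), pads the copy with 0x400 random bytes (subcall 1000B990: SetFilePointer to FILE_END, rand, WriteFile of 0x400 bytes) so the dropped file's hash differs from the original, sets the read-only, hidden and system attributes (SetFileAttributesA with 0x7), registers an auto-start service (CreateServiceA, dwStartType 0x2) whose description ChangeServiceConfig2A (SERVICE_CONFIG_DESCRIPTION) sets to "Oracle Corporation", starts it, and writes a REG_SZ value named "Dri" under HKEY_LOCAL_MACHINE (RegOpenKeyA with 0x80000002, RegSetValueExA with type 1). The function at 1000C850 stages C:\ProgramData\javaw.exe, creates the DOS device alias "dhwrt4" with DefineDosDeviceA (DDD_RAW_TARGET_PATH) and copies through \\.\dhwrt4, queues the original path for deletion at the next boot with MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), and marks the drop hidden (SetFileAttributesA with 0x2). The PowerShell triage script below is an added example, not part of the Joe Sandbox report or of the sample, that checks a live host for exactly those artifacts. It assumes the service is best matched on image path, description or display name because the service name is not visible in the listing and "Java(TM) Platform S* 8" is only assumed to be the display name, that the "Dri" value is worth searching for under HKLM\SYSTEM\CurrentControlSet\Services because the subkey argument is elided in the listing, and that the dropped file is still in place; the function and variable names are the example's own.

```powershell
# Added triage example; not code from the Joe Sandbox report or from the sample.
# Checks a live Windows host for the artifacts the two API listings describe.
# Run from an elevated prompt: Find-ReportArtifacts
function Find-ReportArtifacts {
    $Findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped binary (Target ID 7): C:\ProgramData\javaw.exe, MD5 B00F13F32231A2DE38E2086DD297E250.
    #    The installer sets hidden/system/read-only, so -Force is required to see the item.
    $Drop = 'C:\ProgramData\javaw.exe'
    if (Test-Path -LiteralPath $Drop) {
        $Attr = (Get-Item -LiteralPath $Drop -Force).Attributes
        $Md5  = ([System.Security.Cryptography.MD5]::Create().ComputeHash([System.IO.File]::ReadAllBytes($Drop)) |
                 ForEach-Object { $_.ToString('X2') }) -join ''
        $Findings.Add("Dropped file present: $Drop (MD5 $Md5, attributes $Attr)")
        if ($Md5 -ne 'B00F13F32231A2DE38E2086DD297E250') {
            # 1000B990 appends 0x400 random bytes to copies, so a hash mismatch is expected, not an all-clear.
            $Findings.Add("  MD5 differs from the sandboxed sample; the dropper pads copies with random bytes")
        }
    }

    # 2. Service persistence: CreateServiceA with SERVICE_AUTO_START (dwStartType 0x2) and a description
    #    of 'Oracle Corporation' set via ChangeServiceConfig2A. The service name is not in the listing,
    #    so match on image path, description, or the 'Java(TM) Platform S* 8' string (assumed here to be
    #    the display name; the wildcard covers both spellings seen in the string list).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -like '*\ProgramData\javaw.exe*' -or
            $_.Description -eq 'Oracle Corporation' -or
            $_.DisplayName -like 'Java(TM) Platform S* 8*'
        } |
        ForEach-Object {
            $Findings.Add("Service: Name=$($_.Name) Display='$($_.DisplayName)' Path=$($_.PathName) Start=$($_.StartMode) State=$($_.State)")
        }

    # 3. Self-deletion: MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) queues the original file in
    #    PendingFileRenameOperations (pairs of source, destination; an empty destination means delete).
    $SmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $Pending = (Get-ItemProperty -Path $SmKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($Pending) {
        $Pending = @($Pending)   # a single entry comes back as a string; force an array
        for ($i = 0; $i -lt $Pending.Count; $i += 2) {
            $Src = $Pending[$i]
            $Dst = if ($i + 1 -lt $Pending.Count) { $Pending[$i + 1] } else { '' }
            if ([string]::IsNullOrEmpty($Dst)) { $Findings.Add("Delete-on-reboot queued: $Src") }
        }
    }

    # 4. DOS device alias: DefineDosDeviceA(DDD_RAW_TARGET_PATH, 'dhwrt4', target), then CopyFileA to
    #    \\.\dhwrt4. The alias does not survive a reboot, so it only shows on a host infected since its last boot.
    if (-not ('Triage.K32DosDev' -as [type])) {
        Add-Type -Namespace Triage -Name K32DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern uint QueryDosDeviceA(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
    }
    $Target = New-Object System.Text.StringBuilder 1024
    if ([Triage.K32DosDev]::QueryDosDeviceA('dhwrt4', $Target, 1024) -gt 0) {
        $Findings.Add("DOS device alias present: dhwrt4 -> $($Target.ToString())")
    }

    # 5. Registry value 'Dri' (REG_SZ) written under HKEY_LOCAL_MACHINE; the subkey is elided in the listing,
    #    so searching the Services hive is this example's assumption, not something the report states.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'Dri' } |
        ForEach-Object { $Findings.Add("Registry value 'Dri' under $($_.Name): $($_.GetValue('Dri'))") }

    if ($Findings.Count -eq 0) { 'No artifacts from this report found on this host.' } else { $Findings }
}
```

                          The checks are ordered so that the ones that survive a reboot (dropped file, service, registry value) come first; the PendingFileRenameOperations entry and the dhwrt4 alias are consumed at the next boot, so their absence on a machine that has already restarted says nothing. Matching the service on description and image path rather than name is deliberate: the name is chosen by the installer and is not recorded in the listing, while "Oracle Corporation" is hard-coded in the ChangeServiceConfig2A call.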
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b7235b4713d3363c1d163dc70324cd56c4970555325c32f97926b282fc44c80a
                          • Instruction ID: 3d791be881b9e384fe5f45f7fb34f79803720cdccd5cd3c2c2a18757cff9e38e
                          • Opcode Fuzzy Hash: b7235b4713d3363c1d163dc70324cd56c4970555325c32f97926b282fc44c80a
                          • Instruction Fuzzy Hash: 6DE29270A00615DFDB25CF69C4A0BAAB7F1FF49304F14819AEC49AB395D774A886CF90

                          Control-flow Graph

                          control_flow_graph 600 250020d-2500219 LdrInitializeThunk
                          APIs
                          • LdrInitializeThunk.NTDLL(02548C08,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 02500217
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 91cbdc8f25cf403b97c733796c8533121141234f509fa7b6ad7da16308649fd1
                          • Instruction ID: eefa54c2ca1b03e1b6a8a97528d47933ba1f6fbb68e7c02e1499ae9adf70caab
                          • Opcode Fuzzy Hash: 91cbdc8f25cf403b97c733796c8533121141234f509fa7b6ad7da16308649fd1
                          • Instruction Fuzzy Hash: BD90027124240153410971588514616500A47E1241B66C021E1114554DCA2589916166
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6167ad550918ed8a470be4c3e703289528598234a6a0e06b28bd2da7e36cdc01
                          • Instruction ID: 9ca0958b83dc48cd2bdbd6c09cd95846aa36b0ccb3befda42abb0ad28ff3141f
                          • Opcode Fuzzy Hash: 6167ad550918ed8a470be4c3e703289528598234a6a0e06b28bd2da7e36cdc01
                          • Instruction Fuzzy Hash: EDE1F371A042268BCB21CF64C5E07AAFBE1BF09714F1985ABDC54EB381D770D986CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff5dc0b58044fde630b6b22c814a46a5dc1fcb5b46fe11425d738d9ac161888b
                          • Instruction ID: b883967209533c2565d2d2aee9b21d61feba6fe047ed3292ed5d3b44dfebee8d
                          • Opcode Fuzzy Hash: ff5dc0b58044fde630b6b22c814a46a5dc1fcb5b46fe11425d738d9ac161888b
                          • Instruction Fuzzy Hash: BFB1C139A00655DFDB15CB68C890BBEBBF6BF86304F24416AE942DB280DB30ED45CB54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 1ad3fdaa7b5a3c2773634c78cb6a7c73e260bcdb0b25ac588dce44f9c773d540
                          • Instruction ID: 92826c95788eafd5272ac719009760edb96b3f1b883a363600295b277f2bc466
                          • Opcode Fuzzy Hash: 1ad3fdaa7b5a3c2773634c78cb6a7c73e260bcdb0b25ac588dce44f9c773d540
                          • Instruction Fuzzy Hash: 0CC16974F00319DFDB15DFAAC894BADBBB6BF49704F20412AE519AB281D770A846CF40
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 71fbbab77d08e9dbc498c5139218e8bbef50437b5b1a781bfd21ae467081fa21
                          • Instruction ID: 46443365fc57f94c947111559299b3cd1f236b31760d457730c2bd83ac262c3e
                          • Opcode Fuzzy Hash: 71fbbab77d08e9dbc498c5139218e8bbef50437b5b1a781bfd21ae467081fa21
                          • Instruction Fuzzy Hash: 3DA13432E016699FEF21DBA5C844FAEBBB5FB06718F150216E912AB2D0C774DC44CB85
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37c2b88beafb13b90528cee4666593e603f58040aa5d04d111d46da7852188aa
                          • Instruction ID: 22a45a9f654080bd509d91f7d2465439a77a20c924cf62db0a937861d6b0a13f
                          • Opcode Fuzzy Hash: 37c2b88beafb13b90528cee4666593e603f58040aa5d04d111d46da7852188aa
                          • Instruction Fuzzy Hash: 3C210331A04288DFEB12DFA9C954BAD7BB6FF45308F0440AAE8449B3D1C7759904CB69

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: wsprintf$LocalTimelstrlen
                          • String ID: $-$:$E$M$T$T$Y$a$c$e$e$e$e$e$i$i$k$l$m$n$n$r$r$r$r$u$v
                          • API String ID: 1019745243-1015146237
                          • Opcode ID: 41df5d745c99ac56141cc9d9525112f8977f4fc5ccbb23e7c8f85bbc70a08e47
                          • Instruction ID: c326e5e383d98546b92b13864ee7b1433dc14f1ffbb9e2a561df23801e5e1ae0
                          • Opcode Fuzzy Hash: 41df5d745c99ac56141cc9d9525112f8977f4fc5ccbb23e7c8f85bbc70a08e47
                          • Instruction Fuzzy Hash: 2B61D42210D3C09DE322CA68888479BFFE55FB7648F48499DF2D447392C2AA924CC777

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,74DF0F00,00000001), ref: 1000BDDE
                          • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 1000BDF3
                          • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1000BE0B
                          • lstrcatA.KERNEL32(?,/c del ), ref: 1000BE24
                          • lstrcatA.KERNEL32(?,?), ref: 1000BE33
                          • lstrcatA.KERNEL32(?, > nul), ref: 1000BE42
                          • ShellExecuteExA.SHELL32 ref: 1000BE83
                          • SetPriorityClass.KERNEL32(?,00000040), ref: 1000BE9A
                          • GetCurrentProcess.KERNEL32(00000100), ref: 1000BEA1
                          • SetPriorityClass.KERNEL32(00000000), ref: 1000BEA8
                          • GetCurrentThread.KERNEL32 ref: 1000BEAC
                          • SetThreadPriority.KERNEL32(00000000), ref: 1000BEB3
                          • SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 1000BEC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Prioritylstrcat$ClassCurrentNameThread$ChangeEnvironmentExecuteFileModuleNotifyPathProcessShellShortVariable
                          • String ID: > nul$/c del $<$@$COMSPEC
                          • API String ID: 2091984646-3567428472
                          • Opcode ID: 790a9a99085931344bddd0cd1b9094bef67aeb8ba876bffc1c0d7be9ac9bc884
                          • Instruction ID: 1c6e955d13732b6d6a8c926f5f6f43000997ecffcc07712eb3a09e466b98f968
                          • Opcode Fuzzy Hash: 790a9a99085931344bddd0cd1b9094bef67aeb8ba876bffc1c0d7be9ac9bc884
                          • Instruction Fuzzy Hash: 0D316DB2108345AFE350CB64CC84BDBBBA8FBC9340F00492DF78996150DA75D6088B92
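The API sequence above (GetModuleFileNameA, GetShortPathNameA, COMSPEC, "/c del " + path + " > nul", ShellExecuteExA, then IDLE_PRIORITY_CLASS (0x40) on the child and REALTIME_PRIORITY_CLASS (0x100) on itself, and SHChangeNotify with SHCNE_DELETE/SHCNF_PATH) is the sample's self-deletion routine: it spawns cmd.exe to delete its own image by its 8.3 short path and hides the window output. The detector below is an added example written for this report, not code from Joe Sandbox or from the sample. It scans process-creation records for a cmd.exe child whose "del" target is the parent's own image, and it resolves 8.3 aliases (FILE~1.EXE) back to long names so the short-path trick does not defeat a plain string compare. The event field names (Image, CommandLine, ParentImage) are an assumption modelled on Sysmon Event ID 1; the sample events are constructed.

```python
"""Detect the cmd.exe self-deletion pattern: COMSPEC /c del <8.3 path of parent> > nul.
Added example for this report; field names assume Sysmon-style process-creation events."""
import ntpath
import re

# "<...>cmd.exe /c del <target> > nul", any spacing or case; target may be quoted.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?P<target>"[^"]+"|\S+)\s*>\s*nul\b',
    re.IGNORECASE,
)


def short_name_stem(name: str) -> tuple[str, str]:
    """Approximate how Windows derives an 8.3 alias from a long file name:
    spaces and extra dots dropped, first six characters of the stem and first
    three of the extension, upper-cased. Enough to compare alias vs long name."""
    stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    stem = re.sub(r"[ .]", "", stem).upper()[:6]
    return stem, ext.upper()[:3]


def same_image(target: str, image: str) -> bool:
    """True if `target` (maybe an 8.3 alias like C:\\USERS\\ADMINI~1\\PAYLOA~1.EXE)
    names the same file as the long path `image`. Compares basenames only."""
    t_base = ntpath.basename(target.strip('"'))
    i_base = ntpath.basename(image)
    if t_base.lower() == i_base.lower():
        return True
    m = re.fullmatch(r"([^~]{1,6})~\d+(?:\.([^.]{0,3}))?", t_base, re.IGNORECASE)
    if not m:
        return False
    stem6, ext3 = short_name_stem(i_base)
    return m.group(1).upper() == stem6 and (m.group(2) or "").upper() == ext3


def is_self_delete(event: dict) -> bool:
    """Flag a cmd.exe child whose command line deletes its own parent's image."""
    if ntpath.basename(event.get("Image", "")).lower() != "cmd.exe":
        return False
    m = SELF_DELETE_RE.search(event.get("CommandLine", ""))
    if not m:
        return False
    return same_image(m.group("target"), event.get("ParentImage", ""))


def find_self_deletes(events: list[dict]) -> list[dict]:
    return [e for e in events if is_self_delete(e)]


# Constructed sample events (not taken from this report's process logs).
SAMPLE_EVENTS = [
    {   # shape produced by the routine above: short path of the parent, "> nul"
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\ADMINI~1\AppData\Local\Temp\payloa~1.exe > nul",
        "ParentImage": r"C:\Users\Administrator\AppData\Local\Temp\payload_dropper.exe",
    },
    {   # benign: deletes some other file
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c del "C:\build\out\old.log" > nul',
        "ParentImage": r"C:\tools\build.exe",
    },
    {   # not cmd.exe at all
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe /c del file.exe > nul",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_EVENTS):
        print("self-delete:", hit["ParentImage"], "via", hit["CommandLine"])
```

Only basenames are compared, so a parent in one directory deleting a same-named file elsewhere would also match; tighten by aliasing each directory component with short_name_stem if that matters for your logs.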

                          Control-flow Graph

                          control_flow_graph 71 1000ec20-1000ec51 72 1000ec57 71->72 73 1000ed6b-1000ed8a call 1000ed8b 71->73 74 1000ec85-1000ec9f RegOpenKeyExA 72->74 75 1000ed06-1000ed20 RegOpenKeyExA 72->75 76 1000ed36-1000ed50 RegOpenKeyExA 72->76 77 1000ec5e-1000ec7f RegCreateKeyExA 72->77 74->73 82 1000eca5-1000ecaa 74->82 75->73 79 1000ed22-1000ed32 RegDeleteKeyA 75->79 76->73 80 1000ed52-1000ed62 RegDeleteValueA 76->80 77->73 77->74 79->73 83 1000ed34 79->83 80->73 84 1000ed64 80->84 82->73 85 1000ecb0-1000ecb3 82->85 83->84 84->73 86 1000ece0-1000ed02 RegSetValueExA 85->86 87 1000ecb5-1000ecb8 85->87 86->73 89 1000ed04 86->89 87->73 88 1000ecbe-1000ecd5 RegSetValueExA 87->88 88->73 90 1000ecdb 88->90 89->84 90->84
                          APIs
                          • RegCreateKeyExA.KERNEL32(?,0000004D,00000000,00000000,00000000,000F003F,00000000,?,?,?,75BF8400,00000025), ref: 1000EC77
                          • RegOpenKeyExA.KERNEL32(?,0000004D,00000000,0002001F,?), ref: 1000EC97
                          • RegSetValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 1000ECCD
                          • RegSetValueExA.KERNEL32(00000000,?,00000000,?,?), ref: 1000ECFA
                          • RegOpenKeyExA.ADVAPI32(?,0000004D,00000000,0002001F,?,?,?,?,00000000), ref: 1000ED18
                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 1000ED2A
                          • RegOpenKeyExA.ADVAPI32(?,0000004D,00000000,0002001F,?,?,?,?,00000000), ref: 1000ED48
                          • RegDeleteValueA.ADVAPI32(?,?,?,?,?,00000000), ref: 1000ED5A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: OpenValue$Delete$Create
                          • String ID:
                          • API String ID: 2295199933-0
                          • Opcode ID: 370559d9bc726ff8c67dcf31378f5c6ee5864308a7d13bd9bc709ea3a6187f49
                          • Instruction ID: 4f0dc92dcf1e6165ec852508b3b7d2ea114b870e90daa5a75c064b9560b4b021
                          • Opcode Fuzzy Hash: 370559d9bc726ff8c67dcf31378f5c6ee5864308a7d13bd9bc709ea3a6187f49
                          • Instruction Fuzzy Hash: 48410CB5A00649ABEB14CF95CDC8EAB77BDFB4C790F50851AFA19E3148D634ED008B60

                          Control-flow Graph

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,1000BBDE,?), ref: 1000E204
                          • _beginthreadex.MSVCRT ref: 1000E22C
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000E23E
                          • CloseHandle.KERNEL32(?), ref: 1000E249
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                          • String ID:
                          • API String ID: 92035984-0
                          • Opcode ID: 2dc7f395cca6a93a7298d3fef628ebf9ad2ca4e4609caff0f94c10926d1a4db3
                          • Instruction ID: 526df46c5e5e0ffbfde43bdd44a538e4d9314d104869588bcdab187e1bdf80fc
                          • Opcode Fuzzy Hash: 2dc7f395cca6a93a7298d3fef628ebf9ad2ca4e4609caff0f94c10926d1a4db3
                          • Instruction Fuzzy Hash: C601C474608351AFE300DF288C84B6BBBE4BB8C754F448A0DF998A7391D675DA048B92

                          Control-flow Graph

                          control_flow_graph 92 1000cf30-1000cfcc RegOpenKeyExA
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,?), ref: 1000CFB8
                          Strings
                          • Java(TM) Platform Sa 8, xrefs: 1000CF7A
                          • SYSTEM\CurrentControlSet\Services\, xrefs: 1000CF52
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Java(TM) Platform Sa 8$SYSTEM\CurrentControlSet\Services\
                          • API String ID: 71445658-2416497211
                          • Opcode ID: ef868d58029e290182990cca147c7f94bb053a7cd75b841a1b5adb16d4a290ad
                          • Instruction ID: 183490b8d36bb0b74e24f1780fa65f619e01ecab0f16349bc410bb8053a11042
                          • Opcode Fuzzy Hash: ef868d58029e290182990cca147c7f94bb053a7cd75b841a1b5adb16d4a290ad
                          • Instruction Fuzzy Hash: F101C4326186041BD718C97CDC556AB7AC6FBC4330F940B3DB667C71C0DEE49D088151
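This function opens HKEY_LOCAL_MACHINE (0x80000002) with KEY_ALL_ACCESS (0x000F003F) on "SYSTEM\CurrentControlSet\Services\" joined with the string "Java(TM) Platform Sa 8", the service key the sample uses for persistence. A quick check on a suspect host is to export that hive (`reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`) and look for the key. The script below is an added example for this report, not Joe Sandbox or sample code: it parses a .reg export, flags the service name taken from this report, and, as a heuristic that is an assumption rather than something the report states, also flags any service whose ImagePath points into a user-writable directory. The .reg text and the ImagePath values in it are constructed; the report does not show what ImagePath this sample writes.

```python
"""Find the sample's service key in a `reg export` of HKLM\\SYSTEM\\CurrentControlSet\\Services.
Added example for this report; .reg content below is constructed."""
import re

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Service name from the report's string xref at 1000CF7A.
WATCHED_SERVICES = {"Java(TM) Platform Sa 8"}
# Heuristic (assumption, not from the report): real service binaries rarely live here.
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {service_name: {value_name: value}} for keys directly under Services.
    Handles REG_SZ ("x"="y", with \\\\ and \\" escapes) and REG_DWORD ("x"=dword:hex)."""
    services: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(SERVICES_PREFIX.lower() + "\\"):
                rest = key[len(SERVICES_PREFIX) + 1:]
                if "\\" not in rest:  # direct child only; skip Parameters etc.
                    current = services.setdefault(rest, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))', line)
        if current is None or not m:
            continue
        name, sz, dword = m.groups()
        current[name] = re.sub(r"\\(.)", r"\1", sz) if sz is not None else str(int(dword, 16))
    return services


def find_suspicious_services(services: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (service_name, reason) pairs for services worth a closer look."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath", "")
        if name in WATCHED_SERVICES:
            findings.append((name, "service key name opened by this sample"))
        if any(d in image.lower() for d in USER_WRITABLE_DIRS):
            findings.append((name, f"ImagePath in user-writable location: {image}"))
    return findings


# Constructed .reg export; the ImagePath for the Java look-alike is invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Java(TM) Platform Sa 8]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="Java(TM) Platform Sa 8"
"ImagePath"="\"C:\\ProgramData\\Java\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Java(TM) Platform Sa 8\Parameters]
"Dummy"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"DisplayName"="Print Spooler"
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
'''

if __name__ == "__main__":
    for svc, reason in find_suspicious_services(parse_reg_export(SAMPLE_REG)):
        print(f"{svc}: {reason}")
```

A real `reg export` file is UTF-16LE with a BOM, so read it with `open(path, encoding="utf-16")` before passing the text in; the parser only looks at direct children of Services, so a ServiceDll set under a Parameters subkey needs a separate pass if you want to inspect svchost-hosted services.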

                          Control-flow Graph

                          control_flow_graph 93 40141a-401435 94 4014f3-4014f4 93->94 95 40143b-40143e 93->95 96 401441-40145a 95->96 97 401482-401497 96->97 98 40145c-401461 96->98 100 401499 97->100 101 40149f-4014a6 97->101 99 401464-401480 call 4f4275 VirtualFree 98->99 108 4014d8-4014ea 99->108 100->101 103 4014a8-4014ab 101->103 104 4014bc 101->104 106 4014b2-4014b5 103->106 107 4014ad-4014b0 103->107 104->108 109 4014be-4014cf call 4f44ad 104->109 106->108 112 4014b7 106->112 111 4014ba 107->111 108->96 110 4014f0-4014f2 108->110 109->108 115 4014d1-4014d7 call 4f47ef 109->115 110->94 111->104 112->111 115->99 115->108
                          APIs
                          • VirtualFree.KERNELBASE(?,?,00004000,00000001,?,?,?,?), ref: 0040147E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeVirtual
                          • String ID: KERNEL32.dll$VirtualFree
                          • API String ID: 1263568516-1280306238
                          • Opcode ID: 531e2bf146aeac0ea1f1c4bac07cffe42ac1d87a8876b357b9616a420a77de63
                          • Instruction ID: 67938be825e9799d499a8313eeffa20e4320394f101ddf4f9fb55c4dd30e5a9f
                          • Opcode Fuzzy Hash: 531e2bf146aeac0ea1f1c4bac07cffe42ac1d87a8876b357b9616a420a77de63
                          • Instruction Fuzzy Hash: 2121F031A00204ABDB08DB06D994FBB7BA5EF81344F5541AEE9427B2F5CB38ED02C765

                          Control-flow Graph

                          control_flow_graph 118 1000bcf0-1000bd23 119 1000bd25-1000bd26 118->119 120 1000bd6f-1000bd78 118->120 121 1000bd2c-1000bd30 119->121 122 1000bd32-1000bd4e strncpy _access 121->122 123 1000bd5d-1000bd6c 121->123 122->123 124 1000bd50-1000bd57 CreateDirectoryA 122->124 123->121 125 1000bd6e 123->125 124->123 125->120
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: CreateDirectory_accessstrncpy
                          • String ID:
                          • API String ID: 3114431365-0
                          • Opcode ID: 41dc888796e420e8c4153414b92f353bd40ca6ebcae1cbe695c3f43c829458b3
                          • Instruction ID: c3766c07c32fe0cc577579d602ef41dedb1439f85d6bdf4b64646bdacc20323a
                          • Opcode Fuzzy Hash: 41dc888796e420e8c4153414b92f353bd40ca6ebcae1cbe695c3f43c829458b3
                          • Instruction Fuzzy Hash: 0E012872100A142BE324CA78DC80BABF7D9DB85371F114B3EF761920D0DE76DC048665

                          Control-flow Graph

                          control_flow_graph 126 1000cf01-1000cf09 127 1000cf12-1000cf14 126->127 128 1000cf0b-1000cf0c CloseServiceHandle 126->128 129 1000cf16-1000cf17 CloseServiceHandle 127->129 130 1000cf1d-1000cf25 127->130 128->127 129->130 131 1000cf27-1000cf28 RegCloseKey 130->131 132 1000cf2e 130->132 131->132
                          APIs
                          • CloseServiceHandle.ADVAPI32(?,1000CEEA), ref: 1000CF0C
                          • CloseServiceHandle.ADVAPI32(00000000,1000CEEA), ref: 1000CF17
                          • RegCloseKey.KERNEL32(?,1000CEEA), ref: 1000CF28
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Close$HandleService
                          • String ID:
                          • API String ID: 907781861-0
                          • Opcode ID: f8d362e90943d39ca53cafaac2383348e71547c6f3b5dcaef42f7e8ef5f9ed6e
                          • Instruction ID: a8b93f26cd193db390792174bbc49868c949703a62f6353ae40a1f975fc6ae3a
                          • Opcode Fuzzy Hash: f8d362e90943d39ca53cafaac2383348e71547c6f3b5dcaef42f7e8ef5f9ed6e
                          • Instruction Fuzzy Hash: D1D06734A0421A97EF52DB649D88E2A36BEAB486C1B554454A809D3114DA34CA40E911

                          Control-flow Graph

                          control_flow_graph 133 1000ed8b-1000ed9d RegCloseKey * 2
                          APIs
                          • RegCloseKey.ADVAPI32(?,1000ED77,?,75BF8400,00000025), ref: 1000ED95
                          • RegCloseKey.ADVAPI32(?), ref: 1000ED9B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 231c4968b23cf013c38f7ca173ead9a819afe8a211c81d487799b4ee50a11e2c
                          • Instruction ID: 6e9dba7e8f2e2a7a8b96168101ef7b1423042151d0471bcef66a52a770ccfa92
                          • Opcode Fuzzy Hash: 231c4968b23cf013c38f7ca173ead9a819afe8a211c81d487799b4ee50a11e2c
                          • Instruction Fuzzy Hash: 21B09276A24028ABCB04DBA4EC8089E3BB9AB8C300711858AF50563154CA30FD41DFE0

                          Control-flow Graph

                          control_flow_graph 594 25002b7-25002bc 595 25002cc-25002d3 LdrInitializeThunk 594->595 596 25002be-25002c5 594->596
                          APIs
                          • LdrInitializeThunk.NTDLL(02548D94,000000FF,00000007,00000000,00000004,00000000,?,?,?,02548AA6,00000065,00000000,?,0254803B,FFFFFFE0,00000000), ref: 025002D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 57a3ce4a6cd042b2e29a04d47be6010eb2fc9a38db92db7222596fe38e09d5db
                          • Instruction ID: e8f5fe4239529e5220eb89a7ae61f425a849f9dacd32ead84e7b05330823761f
                          • Opcode Fuzzy Hash: 57a3ce4a6cd042b2e29a04d47be6010eb2fc9a38db92db7222596fe38e09d5db
                          • Instruction Fuzzy Hash: 5CB09B719428C7D6D615F7608B08B177D0077D1751F36C051D1074649A8738C195E176
                          APIs
                          • LdrInitializeThunk.NTDLL(02548E5C,?,0000003F,00000004,00000008,?,?,?,02548414,?,76F9D220,00000058), ref: 02500307
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 87396bda67124f21e32f67ec540717f199adc35b46a1c5b0aec3ec10c0a1371b
                          • Instruction ID: 27e84011ba0bad40210e08ed5e93e69f8d4551153f88729841262c384e725f80
                          • Opcode Fuzzy Hash: 87396bda67124f21e32f67ec540717f199adc35b46a1c5b0aec3ec10c0a1371b
                          • Instruction Fuzzy Hash: EF90023128144993E10471588504B46200547D1341F6AC411A152461CDCB55C9517166
                          APIs
                          • LdrInitializeThunk.NTDLL(02548A0A,000000FF,00000000,00000000,0000000C,00001000,00000004,76F9D260,0000001C,02548763), ref: 025002A7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 0d31bdc5e895713220ce662a61d04867ab61c022431a34318c2dc86bf81b89db
                          • Instruction ID: 4ea1b432caf4561c718d9b764f0e23649471b28f507ecf4cab519ef754f3fafc
                          • Opcode Fuzzy Hash: 0d31bdc5e895713220ce662a61d04867ab61c022431a34318c2dc86bf81b89db
                          • Instruction Fuzzy Hash: E690023124140953D1847158850464A100547D2341FA6C015A0125618DCF158B5977E2
                          APIs
                          • LdrInitializeThunk.NTDLL(02548C38,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,02548A7C,000000FF,00000000,00000000,0000000C,00001000,00000004,76F9D260), ref: 02500327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 74b2f5c1949c5b005ae280bc09e20f4996768b41f3b1e86b9f16953048c93bfb
                          • Instruction ID: 042c41eab79a74df4114dce023807dceaabe85d7c9383715a76a9dc89c017fe3
                          • Opcode Fuzzy Hash: 74b2f5c1949c5b005ae280bc09e20f4996768b41f3b1e86b9f16953048c93bfb
                          • Instruction Fuzzy Hash: 1890023124148953D1147158C50474A100547D1341F6AC411A452461CDCB9589917162
                          APIs
                          • LdrInitializeThunk.NTDLL(02548BB5,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 025003C7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 3a9b15dd84d09f6cfe0997d4a92ef64ec3ff300c5dea4a88553003abd46ef662
                          • Instruction ID: 03df7ad3632efba307b5e365549eeb2080e711c2b6b6e6843f30a0b78e89a92e
                          • Opcode Fuzzy Hash: 3a9b15dd84d09f6cfe0997d4a92ef64ec3ff300c5dea4a88553003abd46ef662
                          • Instruction Fuzzy Hash: 4090023925340153D1847158950860A100547D2242FA6D415A011551CCCE1589695362

                          Control-flow Graph: control_flow_graph 598 250017d-2500189 LdrInitializeThunk
                          APIs
                          • LdrInitializeThunk.NTDLL(0253F2EE,?,00000000,00000000,00000000,?,?,00000004,00000030,00000000,?,00100001,?,?,00000005,00000060), ref: 02500187
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 5caf4adf629287ac0a7139d2747f1f4547ca29794821a11ae7cebfe9b87b0a32
                          • Instruction ID: b9ea41fa403f9fa9413899b5e798c2e4efb96666061ad971a2a859b6290c49e9
                          • Opcode Fuzzy Hash: 5caf4adf629287ac0a7139d2747f1f4547ca29794821a11ae7cebfe9b87b0a32
                          • Instruction Fuzzy Hash: 6E90043535140153010DF55C4704507104747D73D1377C031F1115514CDF31CD715173
                          APIs
                          • LdrInitializeThunk.NTDLL(02574278,?,00010007), ref: 025019F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 12fc7b2c04055ca9423ffd80cd737a880b56bf7570745da57fc6a05aa389c420
                          • Instruction ID: 74eb402b2e709d4ff122dce4fd31bd076edb583086033199130ac3727584e00f
                          • Opcode Fuzzy Hash: 12fc7b2c04055ca9423ffd80cd737a880b56bf7570745da57fc6a05aa389c420
                          • Instruction Fuzzy Hash: D990023164580163914471588984546500557E1341B66C011E0524518CCF148A5653A2

                          Control-flow Graph: control_flow_graph 599 25001ed-25001f9 LdrInitializeThunk
                          APIs
                          • LdrInitializeThunk.NTDLL(0251D325,000000FE,00000005,?,00000004,000000FE,00000000,00000001), ref: 025001F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4aff3a0d5c42aaa54cb7e5f73f43ffb6e72425bfc9cb2ff983512e8a5b77775d
                          • Instruction ID: 316550ce106d06ca486e39b69cc113884f03759fee3506b2551bddc249bb4915
                          • Opcode Fuzzy Hash: 4aff3a0d5c42aaa54cb7e5f73f43ffb6e72425bfc9cb2ff983512e8a5b77775d
                          • Instruction Fuzzy Hash: 6990023124140553D10471988504706100547D1241F66C412E062451CDCB5589516572
                          APIs
                          • LdrInitializeThunk.NTDLL(024FDC90,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02500667
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4c15ff77ffc3c643d97a2284519a1cb9cfa346759bc4ddcbad7c11f47693cc96
                          • Instruction ID: 5347ede824c965de53902eea639419f0570af3a3c9d93f6a024a3f4025d402a2
                          • Opcode Fuzzy Hash: 4c15ff77ffc3c643d97a2284519a1cb9cfa346759bc4ddcbad7c11f47693cc96
                          • Instruction Fuzzy Hash: BD9002316414019341447168C94490650056BE2251766C121A0A98514DCA59896556A6
                          APIs
                          • LdrInitializeThunk.NTDLL(025979B1,?,00100080,00000018,?,00000000,00000000,00000007,00000001,00000020,00000000,00000000,76EB5A68,00000000,?,?), ref: 02500697
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 54481f4d594b3377c34323b3386a0f2851a2affedc84f37fead9d6b2bd012bcf
                          • Instruction ID: 6ba36cff4f96477dec44d6e65deef2ee4110706603a2650ee37f516d2334f8a4
                          • Opcode Fuzzy Hash: 54481f4d594b3377c34323b3386a0f2851a2affedc84f37fead9d6b2bd012bcf
                          • Instruction Fuzzy Hash: A4900231251C0193D20475688D14B07100547D1343F66C115A0254518CCE1589615562
                          APIs
                          • LdrInitializeThunk.NTDLL(02516850,00000000,76FB4F4C), ref: 02500487
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 5ad6e419875d47a949f38a5a92fc343fbaa3db26a821c4ba20a65fcd7d2c8ca8
                          • Instruction ID: 376178e8ddb5bc5867ee31ab9d07b0e84cf5ca83bda756fe3d301d58dfefda4f
                          • Opcode Fuzzy Hash: 5ad6e419875d47a949f38a5a92fc343fbaa3db26a821c4ba20a65fcd7d2c8ca8
                          • Instruction Fuzzy Hash: 66900231282442A35549B1588504507500657E12817A6C012A1514914CCA269956D662
                          APIs
                          • LdrInitializeThunk.NTDLL(024F1612,?,?,?,00000021,00100020,?), ref: 02500477
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 90bf019154798b880dc975dfcd84ae80c501904a7e030a5f90e48fb02031a11d
                          • Instruction ID: 3e4f4e96b3c5704a1420c16e4997732840a65c94ef00e194aa4ea8cddcc9ece9
                          • Opcode Fuzzy Hash: 90bf019154798b880dc975dfcd84ae80c501904a7e030a5f90e48fb02031a11d
                          • Instruction Fuzzy Hash: 7A90023164540553D14571588554706101947D1281FA6C012A0124518DCB558B56A6E2
                          APIs
                          • LdrInitializeThunk.NTDLL(024DE7DC,00000000,0000000D,02000000,C0000135,?,02000024), ref: 025004B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b69ce4a945a2fbc9160c3ce5ed7aa9c53c98b61d2b2e592ac42d282b1c620c41
                          • Instruction ID: e68421dc186aeea5c12a22dca5864be0b255e2ca089e7a00d82cd77aa184391d
                          • Opcode Fuzzy Hash: b69ce4a945a2fbc9160c3ce5ed7aa9c53c98b61d2b2e592ac42d282b1c620c41
                          • Instruction Fuzzy Hash: 01900271245441D3D11572588504F0A510947E1285FA6C016A0154558CCA258A52D162
                          APIs
                          • LdrInitializeThunk.NTDLL(024F09CF,?,?,?,?), ref: 02500517
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: a0837b1aee755e81415db79eb56502344e58007f707974a1c04282a9bed6d337
                          • Instruction ID: fc1de20c4ff7836697093f3db438f8491cebabc48580fce9f118b3ec0fff4d6e
                          • Opcode Fuzzy Hash: a0837b1aee755e81415db79eb56502344e58007f707974a1c04282a9bed6d337
                          • Instruction Fuzzy Hash: 2C90027124140153D14571589504706500957E1281FA6C013A0614518CCA158A569262
                          APIs
                          • LdrInitializeThunk.NTDLL(02548B93,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 025005E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: e0c3fd7727c0618fe379fb431cd195caf2ca442fe67d98e48ff391937e99dfe8
                          • Instruction ID: f561119bb052d14626a9abf6b15384dfc98e2816db000d0cb483e9c625bb6dfd
                          • Opcode Fuzzy Hash: e0c3fd7727c0618fe379fb431cd195caf2ca442fe67d98e48ff391937e99dfe8
                          • Instruction Fuzzy Hash: 3D90027138140593D10471588514B06100587E2341F66C015E1164518DCB19CD526167
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e293ebefbceb88d82437555cade2bc4aecea0c866ca57d5f68ecc01c82bb096
                          • Instruction ID: ae7679edbe675eb1eb63be2bd608582cbf541170bcbe54a77b87cae1adb9e2ec
                          • Opcode Fuzzy Hash: 8e293ebefbceb88d82437555cade2bc4aecea0c866ca57d5f68ecc01c82bb096
                          • Instruction Fuzzy Hash: DED06CB704014DBBCF029E85DC05EDA3F6AEB98370F158601FE34451A1CA76D9B1ABA1
                          APIs
                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000646F
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(1001D1E4), ref: 1000648E
                          • GetKeyState.USER32(00000010), ref: 100064A0
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,00000022,1001C558,?,1001C55C,?,1001C564,?,1001C56C,?,1001C574,?,1001C578,?,1001C580), ref: 10006722
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(1001C594), ref: 10006743
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([Esc]), ref: 10006767
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F1]), ref: 10006790
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F2]), ref: 100067B9
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F3]), ref: 100067E2
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F4]), ref: 1000680B
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F5]), ref: 10006834
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60([F6]), ref: 1000685D
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10006885
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 100068C9
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10006900
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10006944
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000697B
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 100069BF
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 100069F6
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10006A3D
                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000749B
                          • GetKeyState.USER32(00000014), ref: 100074B2
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?), ref: 100074C8
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?), ref: 100074DE
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?), ref: 100074F9
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000754D
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000001), ref: 1000757F
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000001,?,00000001), ref: 100075BE
                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 100077D9
                          • GetKeyState.USER32(00000014), ref: 10007800
                          • ?_Xlen@std@@YAXXZ.MSVCP60(?,00000001), ref: 10007823
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000001,00000001,?,00000001), ref: 1000782F
                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(00000001,?,00000001), ref: 1000784D
                          • ?_Xlen@std@@YAXXZ.MSVCP60(?,00000001), ref: 10007862
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000001,00000001,?,00000001), ref: 1000786E
                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(00000001,?,00000001), ref: 1000788C
                          • ?_Xlen@std@@YAXXZ.MSVCP60(?,00000001), ref: 100078A2
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000001,00000001,?,00000001), ref: 100078AE
                          • ?_Xlen@std@@YAXXZ.MSVCP60(?,00000001), ref: 100078DE
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000001,00000001,?,00000001), ref: 100078EA
                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000001), ref: 10007919
                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000001,00000000,?,?,00000001), ref: 10007931
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001), ref: 10007953
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@V12@$?assign@?$basic_string@$Eos@?$basic_string@Xlen@std@@$State$Tidy@?$basic_string@$??3@
                          • String ID: [Alt]$[Backspace]$[CTRL]$[Cancel]$[Caps Lock]$[Clear]$[Ctrl]$[Delete]$[End]$[Enter]$[Esc]$[Execute]$[F10]$[F11]$[F12]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[F9]$[Home]$[Insert]$[NumLock]$[Pause]$[PgDown]$[PgUp]$[PrScrn]$[Print]$[Scroll Lock]$[Select]$[Tab]$[WIN]$[Win]
                          • API String ID: 2864894984-4073736917
                          • Opcode ID: 2a94b3093d80f278dd27ddb02ad39d2656af617b57ce88deacc6119f49de3073
                          • Instruction ID: 21b5a784699572f6481d7069544ef2b46d0ffa3d18ed3a6d37c6d09b270d1a37
                          • Opcode Fuzzy Hash: 2a94b3093d80f278dd27ddb02ad39d2656af617b57ce88deacc6119f49de3073
                          • Instruction Fuzzy Hash: 6BB21731708B585BF718CA394C9897E3AC2FB893E0F60462DF9678B6D1CEB9DD458241
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00414B75
                          • sprintf.MSVCRT ref: 00414BA1
                          • strncmp.MSVCRT ref: 00414BC6
                          • CopyFileA.KERNEL32(?,?,00000000), ref: 00414BF5
                            • Part of subcall function 004139E0: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 00413A19
                            • Part of subcall function 004139E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 00413A32
                            • Part of subcall function 004139E0: GetFileSize.KERNEL32(00000000,00000000), ref: 00413A3B
                            • Part of subcall function 004139E0: rand.MSVCRT ref: 00413A78
                            • Part of subcall function 004139E0: WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000,00000000), ref: 00413AAA
                            • Part of subcall function 004139E0: CloseHandle.KERNEL32(00000000), ref: 00413AB7
                          • SetFileAttributesA.KERNEL32(?,1001E490), ref: 00414C54
                          • Sleep.KERNEL32(00000032), ref: 00414C66
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00414C88
                          • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00414CC0
                          • LockServiceDatabase.ADVAPI32(00000000), ref: 00414CCF
                          • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,1001E63C), ref: 00414CF1
                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00414CF8
                          • GetLastError.KERNEL32 ref: 00414D02
                          • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00414D19
                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00414D32
                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00414D43
                            • Part of subcall function 00413D40: _access.MSVCRT ref: 00413D92
                            • Part of subcall function 00413D40: CreateDirectoryA.KERNEL32(?,00000000), ref: 00413DA7
                          • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00414EAB
                          • lstrlen.KERNEL32(?), ref: 00414F08
                          • RegSetValueExA.ADVAPI32(?,Dri,00000000,00000001,?,00000000), ref: 00414F22
                            • Part of subcall function 00414F51: CloseServiceHandle.ADVAPI32(?,00414F3A), ref: 00414F5C
                            • Part of subcall function 00414F51: CloseServiceHandle.ADVAPI32(00000000,00414F3A), ref: 00414F67
                            • Part of subcall function 00414F51: RegCloseKey.ADVAPI32(?,00414F3A), ref: 00414F78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$File$Close$CreateHandleOpen$DatabaseStart$AttributesChangeConfig2CopyDirectoryErrorLastLockManagerModuleNamePointerSizeSleepUnlockValueWrite_accesslstrlenrandsprintfstrncmp
                          • String ID: %$Dri$E$M$T$Y$c$c$i$i$i$l$n$n$n$o$o$o$p$r$r$r$r$r$s$s$t$t$t$t$u$v
                          • API String ID: 1481116161-2860816351
                          • Opcode ID: 9a14968585d3cd3162f2fb5ad0dcb12d94e4ac6f6c21ec456bc5b950ca3f8113
                          • Instruction ID: ae9a3aae0955057ff4f26dd068199dc15b36e906ff9fdc11a3b1c8c59bf1543d
                          • Opcode Fuzzy Hash: 9a14968585d3cd3162f2fb5ad0dcb12d94e4ac6f6c21ec456bc5b950ca3f8113
                          • Instruction Fuzzy Hash: 5FB1C4319042A89FDB23CB648C88BEABFBDAB59300F0441D9E55D67281C7B55F88CF61
                          APIs
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001), ref: 0040F9A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??3@
                          • String ID: [Alt]$[Backspace]$[CTRL]$[Cancel]$[Caps Lock]$[Clear]$[Ctrl]$[Delete]$[End]$[Enter]$[Esc]$[Execute]$[F10]$[F11]$[F12]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[F9]$[Home]$[Insert]$[NumLock]$[Pause]$[PgDown]$[PgUp]$[PrScrn]$[Print]$[Scroll Lock]$[Select]$[Tab]$[WIN]$[Win]
                          • API String ID: 613200358-4073736917
                          • Opcode ID: 815ec1412676fe0752e368db429921eca7734a9562198e64bd6a9ddbfc1d3f78
                          • Instruction ID: 97bf8395aed68d6afb11e8ded481c011b947eb9b0bf4709079ea676663b71589
                          • Opcode Fuzzy Hash: 815ec1412676fe0752e368db429921eca7734a9562198e64bd6a9ddbfc1d3f78
                          • Instruction Fuzzy Hash: E592D5313047145BDB28CE394CA4A7A3691F799720F50463FF963ABBD1CAB9DD4A8309
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTimelstrlen
                          • String ID: $-$:$E$M$T$T$Y$a$c$e$e$e$e$e$i$i$k$l$m$n$n$r$r$r$r$u$v
                          • API String ID: 1391181718-1015146237
                          • Opcode ID: 571bdb129b6f295bb63b1011175492065736b8d0570f28682cc7f7ab5299d35e
                          • Instruction ID: 70aa8b27e973e7aa25af26c343bb9becd01cb37565231d367850c2b6c6d53dfa
                          • Opcode Fuzzy Hash: 571bdb129b6f295bb63b1011175492065736b8d0570f28682cc7f7ab5299d35e
                          • Instruction Fuzzy Hash: DC61D42210D3C09DE322CA68888479BFFE55FB7608F48499DF1D447392C2AA824CC777
                          APIs
                          • GetProcAddress.KERNEL32(00000000,1001CBD8), ref: 00413F5F
                          • GetCurrentProcess.KERNEL32 ref: 00413FC1
                          • OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 00413FD2
                          • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 00413FEC
                          • GetProcAddress.KERNEL32(00000000,00000057), ref: 00414084
                          • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 004140A2
                          • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 004140DD
                          • FreeLibrary.KERNEL32(00000000), ref: 00414104
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AddressProc$CreateCurrentDuplicateFreeInformationLibraryOpenUser
                          • String ID: A$C$D$G$I$S$S$T$W$c$d$i$i$l$n$n$v
                          • API String ID: 3565465414-2757491409
                          • Opcode ID: b06a62b53c6f24f8241f7e6d1d408f839615f8cde513654feb9b2be78c90788c
                          • Instruction ID: dff978d904fdbc0410d9ec7d6a4fba899372524d1f9a73e655d0715f7ee20440
                          • Opcode Fuzzy Hash: b06a62b53c6f24f8241f7e6d1d408f839615f8cde513654feb9b2be78c90788c
                          • Instruction Fuzzy Hash: 84513B7150D381AFE311CF688884A5BBFE4ABD9708F04495DF6C997241C3B9DA48CB67
                          APIs
                          • InternetOpenA.WININET ref: 004166B1
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 004166DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: InternetOpen
                          • String ID: $($)$.$/$0$4$M$MZ$b$c$e$m$o$o$p$t$z
                          • API String ID: 2038078732-1713945400
                          • Opcode ID: 5a8271f162c128e7efc500050388d57ccc173585aaf35a07164eb8660e1a9dfc
                          • Instruction ID: 6b0c8442cd035b1dc1504f68158382c3602ef8feb1831eb0ca13521179fdf0d4
                          • Opcode Fuzzy Hash: 5a8271f162c128e7efc500050388d57ccc173585aaf35a07164eb8660e1a9dfc
                          • Instruction Fuzzy Hash: BE41907110C380AEE311DB28C8C4BAFBFE9ABD5248F44595EF5D453282C27AD949C767
                          APIs
                          • lstrlenA.KERNEL32(?,?,?,?), ref: 1000385B
                          • wsprintfA.USER32 ref: 100038BD
                          • FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 100038CF
                          • wsprintfA.USER32 ref: 1000392D
                          • wsprintfA.USER32 ref: 1000395C
                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000398F
                          • ??2@YAPAXI@Z.MSVCRT(00000018,?,00000001), ref: 100039D5
                          • ??3@YAXPAX@Z.MSVCRT(0000005C), ref: 10003A44
                          • FindNextFileA.KERNEL32(?,?), ref: 10003A73
                          • FindClose.KERNEL32(?), ref: 10003A86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Findwsprintf$File$??2@??3@CloseD@2@@std@@D@std@@FirstGrow@?$basic_string@NextU?$char_traits@V?$allocator@lstrlen
                          • String ID: %$%$%$%$%$.$.$s$s$s$s$s
                          • API String ID: 3548485168-2213182201
                          • Opcode ID: 8801048ef37f47ca0d5438f87311025de14a0a63c2c2a837d97674c9f4253662
                          • Instruction ID: a04e71c7aca2e746a909f4cafa2b06f607349a9c3d08c6df00ef99d78a348e8f
                          • Opcode Fuzzy Hash: 8801048ef37f47ca0d5438f87311025de14a0a63c2c2a837d97674c9f4253662
                          • Instruction Fuzzy Hash: 4571CE7140C3809FE311CF28C884AABBBE9EBC9344F44896DF5D947291DB75EA08CB56
                          APIs
                          • GetVersionExA.KERNEL32 ref: 00413685
                            • Part of subcall function 00413610: LoadLibraryW.KERNEL32(1001CB94), ref: 00413619
                            • Part of subcall function 00413610: GetProcAddress.KERNEL32(00000000,1001CB7C), ref: 0041362B
                            • Part of subcall function 00413610: FreeLibrary.KERNEL32(00000000), ref: 00413655
                            • Part of subcall function 00413450: wsprintfA.USER32 ref: 0041349A
                            • Part of subcall function 00413450: gethostname.WS2_32(?,?), ref: 004134CE
                          • getsockname.WS2_32(?), ref: 004136F4
                          • GetSystemInfo.KERNEL32(?), ref: 00413730
                          • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00413751
                          • GetTickCount.KERNEL32 ref: 00413862
                            • Part of subcall function 004134F0: wsprintfA.USER32 ref: 00413546
                            • Part of subcall function 004134F0: lstrlen.KERNEL32(?), ref: 0041356C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Librarywsprintf$AddressCountFreeGlobalInfoLoadMemoryProcStatusSystemTickVersiongethostnamegetsocknamelstrlen
                          • String ID: %$:$@$D$Java(TM) Platform Sa 8$\$a$d$e$f$l$t$u$urq5pg==
                          • API String ID: 4032343896-3601108839
                          • Opcode ID: 70eb72a9e92911c8ee365cf28bf5566d6630de27dbc52bf49284658c7313cb89
                          • Instruction ID: 864d4cd0c8f7978dd741ed786030b971f6cb199673e5afb40a85fdc41baa3add
                          • Opcode Fuzzy Hash: 70eb72a9e92911c8ee365cf28bf5566d6630de27dbc52bf49284658c7313cb89
                          • Instruction Fuzzy Hash: C591A1715083849FD325CB69CC45BDFB7E5AFC9304F448A1EF58987281DBB89A08CB56
                          APIs
                          • lstrlen.KERNEL32(?,?,?), ref: 0040B8AB
                          • FindFirstFileA.KERNEL32(?,?,?,?), ref: 0040B91F
                          • ??2@YAPAXI@Z.MSVCRT(00000018,?,00000001), ref: 0040BA25
                          • ??3@YAXPAX@Z.MSVCRT(0000005C), ref: 0040BA94
                          • FindNextFileA.KERNEL32(?,?), ref: 0040BAC3
                          • FindClose.KERNEL32(?), ref: 0040BAD6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$??2@??3@CloseFirstNextlstrlen
                          • String ID: %$%$%$%$%$.$.$s$s$s$s$s
                          • API String ID: 296169792-2213182201
                          • Opcode ID: f0d2a5c4806a04f6fba77359b3a6a40edcaa920600d6e3cf40d57beb35485e70
                          • Instruction ID: 9b29e8669bfe22dcdcfbaba756726da111d74a0fdb31582fede345715bbc611b
                          • Opcode Fuzzy Hash: f0d2a5c4806a04f6fba77359b3a6a40edcaa920600d6e3cf40d57beb35485e70
                          • Instruction Fuzzy Hash: 5171D07150C3809FD310CF28C884AABBBE5EBC9304F44896DF59957391DB79DA09CB9A
                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004148C7
                          • GetModuleFileNameA.KERNEL32(00000000), ref: 004148CE
                          • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00414948
                          • sprintf.MSVCRT ref: 0041497D
                          • exit.MSVCRT ref: 004149B2
                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00414A26
                          • GetFileAttributesA.KERNEL32(?), ref: 00414A6F
                            • Part of subcall function 00416230: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416254
                            • Part of subcall function 00416230: _beginthreadex.MSVCRT ref: 0041627C
                            • Part of subcall function 00416230: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041628E
                            • Part of subcall function 00416230: CloseHandle.KERNEL32(?), ref: 00416299
                          • DefineDosDeviceA.KERNEL32(00000001,1001CCCC,?), ref: 00414AAA
                          • CopyFileA.KERNEL32(?,1001CCC0,00000000), ref: 00414AC3
                          • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00414AD5
                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 00414AE2
                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 00414AEF
                            • Part of subcall function 00413B30: exit.MSVCRT ref: 00413B60
                            • Part of subcall function 00413B30: GetTickCount.KERNEL32 ref: 00413C0B
                            • Part of subcall function 004141B0: GetLocalTime.KERNEL32(?), ref: 004142AF
                            • Part of subcall function 00413B30: Sleep.KERNEL32(000001F4), ref: 00413CBA
                            • Part of subcall function 00413B30: CloseHandle.KERNEL32(00000000), ref: 00413CEB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Handle$AttributesCloseCreateModuleexit$CopyCountCtrlDefineDeviceDirectoryDispatcherEventFolderLocalMoveNameObjectPathServiceSingleSleepSpecialStartTickTimeWait_beginthreadexsprintf
                          • String ID: Java(TM) Platform Sa 8
                          • API String ID: 4262353719-3590864215
                          • Opcode ID: 1fbeedd05c0a7e6b39f765478e7a81072090381769b63a67232de546c47b5a74
                          • Instruction ID: bbfc0edefba3fa5ee2e69d622d5135a0ef52b6b05a48834a957e92fb12b5ed7b
                          • Opcode Fuzzy Hash: 1fbeedd05c0a7e6b39f765478e7a81072090381769b63a67232de546c47b5a74
                          • Instruction Fuzzy Hash: A251B4B1544351ABF310EBA0CC85FDF37A8EF88309F44881DF6455A191E779E9848BAA
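The two function records above (the CreateProcessAsUserA routine at 00413F5F..00414104 and the installer at 004148C7..00414AEF), together with the keystroke-name string table at the top of this section, describe the sample's techniques only as bare API sequences. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses these per-function "APIs" / "String ID" listings and flags the three patterns by their argument constants (TokenSessionId = 0xC, CSIDL_STARTUP = 7, MOVEFILE_DELAY_UNTIL_REBOOT = 0x4, FILE_ATTRIBUTE_HIDDEN = 0x2, all Windows SDK values). The embedded sample listings are copied, abridged, from the report above; the rule names, the three-marker threshold for the keylogger table and the `parse_record`/`scan` helpers are this example's own choices.

```python
"""Flag RAT technique patterns in Joe Sandbox per-function "APIs" / "String ID" listings."""
import re
from dataclasses import dataclass

# One report line: "• Name.MODULE(args), ref: ADDR"; args and the "Part of subcall" prefix are optional
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                      r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
                      r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

TOKEN_SESSION_ID = 0xC               # TOKEN_INFORMATION_CLASS::TokenSessionId (Windows SDK)
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
FILE_ATTRIBUTE_HIDDEN = 0x2
CSIDL_STARTUP = 0x7
# Key names only a keystroke logger formats; subset of the table in the report (threshold is ours)
KEYLOG_MARKERS = {"[Backspace]", "[Caps Lock]", "[PrScrn]", "[NumLock]", "[Scroll Lock]"}

@dataclass
class Call:
    name: str
    module: str
    args: list   # int per argument, None where the report prints '?'
    ref: int

def parse_record(text):
    """Parse one function's listing into (calls, string_ids); other lines are ignored."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = []
            for tok in (raw.split(",") if raw else []):
                h = re.match(r"\s*([0-9A-Fa-f]+)", tok)   # drops "(MOVEFILE_...)" annotations
                args.append(int(h.group(1), 16) if h else None)
            calls.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
        elif (m := STRING_LINE.match(line)):
            strings.extend(m.group("ids").split("$"))
    return calls, strings

def _arg(c, i):
    return c.args[i] if i < len(c.args) else None

def _ordered(calls, *names):
    """True if every name occurs in this order (the report lists calls by address)."""
    seq, pos = [c.name for c in calls], 0
    for n in names:
        if n not in seq[pos:]:
            return False
        pos = seq.index(n, pos) + 1
    return True

def rule_session_hop(calls, strings):
    """Service duplicates its own primary token, rewrites TokenSessionId, spawns into that session."""
    if not _ordered(calls, "OpenProcessToken", "DuplicateTokenEx", "SetTokenInformation", "CreateProcessAsUserA"):
        return None
    if not any(c.name == "SetTokenInformation" and _arg(c, 1) == TOKEN_SESSION_ID for c in calls):
        return None
    return "token duplicated, TokenSessionId rewritten, CreateProcessAsUserA: service-to-user-session launch"

def rule_startup_drop(calls, strings):
    """Copy into the Startup folder; report hidden attribute and reboot-deferred removal of the source."""
    if not (any(c.name == "SHGetSpecialFolderPathA" and _arg(c, 2) == CSIDL_STARTUP for c in calls)
            and any(c.name == "CopyFileA" for c in calls)):
        return None
    parts = ["copy into CSIDL_STARTUP"]
    if any(c.name == "SetFileAttributesA" and _arg(c, 1) == FILE_ATTRIBUTE_HIDDEN for c in calls):
        parts.append("hidden attribute set")
    # MoveFileExA(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) registers src for deletion at next boot
    if any(c.name == "MoveFileExA" and _arg(c, 1) == 0 and _arg(c, 2) == MOVEFILE_DELAY_UNTIL_REBOOT
           for c in calls):
        parts.append("source deleted at next reboot")
    return ", ".join(parts)

def rule_keylog_table(calls, strings):
    hits = KEYLOG_MARKERS & set(strings)
    return f"keystroke-name table ({len(hits)} markers)" if len(hits) >= 3 else None

RULES = {"session_hop": rule_session_hop, "startup_drop": rule_startup_drop, "keylog_table": rule_keylog_table}

def scan(text):
    """Return {rule: finding} for every rule that fires on one function listing."""
    calls, strings = parse_record(text)
    return {n: out for n, r in RULES.items() if (out := r(calls, strings))}

# Sample listings copied (abridged) from the report above
SESSION_HOP_FN = """
• GetCurrentProcess.KERNEL32 ref: 00413FC1
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 00413FD2
• DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 00413FEC
• SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 004140A2
• CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 004140DD
"""
INSTALL_FN = """
• GetModuleFileNameA.KERNEL32(00000000), ref: 004148CE
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00414948
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00414A26
  • Part of subcall function 00416230: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416254
• CopyFileA.KERNEL32(?,1001CCC0,00000000), ref: 00414AC3
• MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00414AD5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00414AE2
"""
KEYLOG_FN = "• String ID: [Alt]$[Backspace]$[CTRL]$[Caps Lock]$[NumLock]$[PrScrn]$[Scroll Lock]$[Tab]"

if __name__ == "__main__":
    for label, listing in (("00413F5F", SESSION_HOP_FN), ("004148C7", INSTALL_FN), ("keylog", KEYLOG_FN)):
        print(label, scan(listing))
```

The rules key on argument values rather than API names alone: DuplicateTokenEx plus CreateProcessAsUserA also appears in legitimate services that start a helper on the interactive desktop, but a SetTokenInformation call with class 0xC between them is what turns it into the session hop, and a MoveFileExA whose lpNewFileName is NULL under MOVEFILE_DELAY_UNTIL_REBOOT is a deferred delete of the original binary rather than a move, which matches the "Deletes itself after installation" signature in the report header. Feed any other function record from this page to `scan()` to see which, if any, rule fires.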
                          APIs
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040A768
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFindFirst
                          • String ID: *.*$\$\
                          • API String ID: 1974802433-2578839947
                          • Opcode ID: 3da8cdf6148dbe909578540df06cb36ebf240bcb5b8f103e3d96b2870e27e489
                          • Instruction ID: c9339f1dbd42c0d3393cd028705d23b294077bba3b628adb7a82ed1070ad7d55
                          • Opcode Fuzzy Hash: 3da8cdf6148dbe909578540df06cb36ebf240bcb5b8f103e3d96b2870e27e489
                          • Instruction Fuzzy Hash: FCB16736608B804BC3248A348C656BB7BD1AFD6320F1D4B3DE996A73D1DA79DD09C246
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00002800), ref: 0040B0B5
                          • wsprintfA.USER32 ref: 0040B0F5
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040B10B
                          • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0040B160
                          • lstrlen.KERNEL32(?), ref: 0040B1EF
                          • FindNextFileA.KERNEL32(?,?), ref: 0040B242
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFileFindLocal$FirstNextlstrlenwsprintf
                          • String ID: %$.$\$s
                          • API String ID: 1497773571-2419536285
                          • Opcode ID: b29f244903c925362b780607b53a40585843617aa85aad44b43928566aa4acee
                          • Instruction ID: 3e2decb299f8fcb5ab99b721fb7e74d65d869bfc6cb42da9e72bd6c1aec3264d
                          • Opcode Fuzzy Hash: b29f244903c925362b780607b53a40585843617aa85aad44b43928566aa4acee
                          • Instruction Fuzzy Hash: 145123315083819BD720CF248C9469BBBE5EF99354F044A29F898AB3C1D379D90DC79A
                          APIs
                          • CreateFileA.KERNEL32 ref: 0040D23C
                          • WriteFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 0040D283
                          • CloseHandle.KERNEL32(00000000), ref: 0040D2A1
                          • Sleep.KERNEL32(000007D0), ref: 0040D2AC
                          • GetVersion.KERNEL32 ref: 0040D2B2
                          • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 0040D2C6
                          • OpenProcessToken.ADVAPI32(00000000), ref: 0040D2CD
                          • LookupPrivilegeValueA.ADVAPI32(00000000,1001C2D4,00000000), ref: 0040D2DF
                          • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D307
                          • ExitWindowsEx.USER32(00000006,00000000), ref: 0040D311
                          • ExitProcess.KERNEL32 ref: 0040D319
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$ExitFileToken$AdjustCloseCreateCurrentHandleLookupOpenPrivilegePrivilegesSleepValueVersionWindowsWrite
                          • String ID: U
                          • API String ID: 2982780165-3372436214
                          • Opcode ID: 57a7360346bffb61a19dfbcca16d660c00000eafd9aa66888b2c214f70923c8c
                          • Instruction ID: e0bbd6f126e5348ddd0f32741e510cd5e57d72762e3e873a672d2d21aff937ff
                          • Opcode Fuzzy Hash: 57a7360346bffb61a19dfbcca16d660c00000eafd9aa66888b2c214f70923c8c
                          • Instruction Fuzzy Hash: 1631A731284310BFF3209B94CC8AF9B7BA4AB8CB10F248518F755AA1D1C7B4E508CB5A
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,100160C0,1001C6C0,?,10016280,004132AB), ref: 004162B8
                          • ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,100160C0,1001C6C0,?,10016280,004132AB), ref: 004162C4
                          • Process32First.KERNEL32(00000000,00000000), ref: 004162D6
                          • _strcmpi.MSVCRT ref: 004162E8
                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004162F9
                          • Process32Next.KERNEL32(00000000,00000000), ref: 0041630A
                          • lstrcmpiA.KERNEL32(00000024,?), ref: 00416315
                          • Process32Next.KERNEL32(00000000,00000000), ref: 00416321
                          • CloseHandle.KERNEL32(00000000,00000000,00000000), ref: 0041632B
                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00416332
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$??3@Next$??2@CloseCreateFirstHandleSnapshotToolhelp32_strcmpilstrcmpi
                          • String ID:
                          • API String ID: 4024064104-0
                          • Opcode ID: 775eae7cc438e1b2dbc5772d55fce85a0f346065b9271524d29880708ea1da7a
                          • Instruction ID: ca45dc22ed18edbe86bf64b759932da12eb53608cc7624ea1af25be3dba3e8e7
                          • Opcode Fuzzy Hash: 775eae7cc438e1b2dbc5772d55fce85a0f346065b9271524d29880708ea1da7a
                          • Instruction Fuzzy Hash: D401B5B670121527E6102763AC85AEB7B5CCF8279AF06003AFD05D1142FA2DE5458275
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $tt$,tt$8tt$@tt$Htt$Ptt$Xtt$`tt$htt$ttt$|tt
                          • API String ID: 0-2781859846
                          • Opcode ID: e9f4318ea40c67a62db4fe0fd0c7dbdfe868dfc57d4a724f7bbfa29b4ccfdb70
                          • Instruction ID: 01d78e896faca4b33795b618a67faa9fe8d522795bd0ec2c889b80a589979edc
                          • Opcode Fuzzy Hash: e9f4318ea40c67a62db4fe0fd0c7dbdfe868dfc57d4a724f7bbfa29b4ccfdb70
                          • Instruction Fuzzy Hash: 38124D705183428FD324DF66C9E476BBBE5AFC5308F14892DE8DA862E0DB74D549CB22
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 00411FBA
                          • GetClipboardData.USER32(00000001), ref: 00411FC6
                          • CloseClipboard.USER32 ref: 00411FD6
                          • GlobalSize.KERNEL32(00000000), ref: 00411FE5
                          • GlobalLock.KERNEL32(00000000), ref: 00411FEF
                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00411FF8
                          • GlobalUnlock.KERNEL32(?), ref: 0041201F
                          • CloseClipboard.USER32 ref: 00412025
                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00412037
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlock
                          • String ID:
                          • API String ID: 3218637236-0
                          • Opcode ID: 15d232e3d1df30162c3783f809b2ec4ed7e17a67f0859b30644568624683551c
                          • Instruction ID: 5f524cabe32060408d308523fe4361d399c393c37a98a13f15d944d84b51bd05
                          • Opcode Fuzzy Hash: 15d232e3d1df30162c3783f809b2ec4ed7e17a67f0859b30644568624683551c
                          • Instruction Fuzzy Hash: 670104356043246FE710AB24DC89AAB3B99FB48715F44822DF90683352DB79D908C6A1
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 00411F42
                          • EmptyClipboard.USER32 ref: 00411F4E
                          • GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 00411F5E
                          • GlobalLock.KERNEL32(00000000), ref: 00411F6C
                          • GlobalUnlock.KERNEL32(00000000), ref: 00411F89
                          • SetClipboardData.USER32(00000001,00000000), ref: 00411F92
                          • GlobalFree.KERNEL32(00000000), ref: 00411F99
                          • CloseClipboard.USER32 ref: 00411FA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                          • String ID:
                          • API String ID: 453615576-0
                          • Opcode ID: 26bdf6f77c231c47c7449f095871f90ee316db1f33873c6592f3569354887fb1
                          • Instruction ID: dbc188f6772b957dfdb8c07fee7d7073f23a2c88a98028fb4bb402591ab30cbb
                          • Opcode Fuzzy Hash: 26bdf6f77c231c47c7449f095871f90ee316db1f33873c6592f3569354887fb1
                          • Instruction Fuzzy Hash: 82F01D72204225BFE7046B609CCDA6B7BACFB4C652B088419FA16D3251CB74C904C661
                          APIs
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040A768
                          • strstr.MSVCRT ref: 0040A958
                          • LocalAlloc.KERNEL32(00000040,00000400), ref: 0040A970
                          • FindNextFileA.KERNEL32(?,?), ref: 0040AA16
                          • FindClose.KERNEL32(?), ref: 0040AA2F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$AllocCloseFirstLocalNextstrstr
                          • String ID: *.*$\$\
                          • API String ID: 3637013900-2578839947
                          • Opcode ID: 0c5ec5418c0d69487a496b7a6530c9da6b6f4a16f99c19df0f10e5f6c0d93486
                          • Instruction ID: 68f3e6cc4512283a50829b4cc5cac00b4532722b91941ef2e4c7596361125b2b
                          • Opcode Fuzzy Hash: 0c5ec5418c0d69487a496b7a6530c9da6b6f4a16f99c19df0f10e5f6c0d93486
                          • Instruction Fuzzy Hash: 3E614732604B440BD728893888656BB77D2EFC5320F594B3EF9AB973D0DE789D09C246
                          APIs
                            • Part of subcall function 00416350: GetCurrentThreadId.KERNEL32 ref: 00416362
                            • Part of subcall function 00416350: GetThreadDesktop.USER32(00000000), ref: 00416369
                            • Part of subcall function 00416350: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 004163A1
                            • Part of subcall function 00416350: lstrcmpiA.KERNEL32(?,?), ref: 004163DD
                            • Part of subcall function 00416350: SetThreadDesktop.USER32(00000000), ref: 004163E8
                          • SetCursorPos.USER32(?,?,?,?,?,?,00411962,?,?,00000000), ref: 00411DC8
                          • WindowFromPoint.USER32(?,?,?,?,?,?,00411962,?,?,00000000), ref: 00411DD0
                          • SetCapture.USER32(00000000,?,?,?,?,00411962,?,?,00000000), ref: 00411DD7
                          • MapVirtualKeyA.USER32(?,00000000), ref: 00411E16
                          • keybd_event.USER32(?,00000000), ref: 00411E20
                          • MapVirtualKeyA.USER32(?,00000000), ref: 00411E34
                          • keybd_event.USER32(00000000,00000000), ref: 00411E3E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: DesktopThread$Virtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                          • String ID:
                          • API String ID: 2555699488-0
                          • Opcode ID: c6f42563ae57f4d90f7f93bb8a7dd31948a3120f2eaef07f75e39f71cbbaea22
                          • Instruction ID: fe82ae68987bc7a108ced06eea644ae922ec88219c3f19756236806e77db6520
                          • Opcode Fuzzy Hash: c6f42563ae57f4d90f7f93bb8a7dd31948a3120f2eaef07f75e39f71cbbaea22
                          • Instruction Fuzzy Hash: 4131B675640711A7F7249B68CC8AF9BB665EB48B00F248112FF11EF2E1C678ED81865D
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00415862
                          • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 0041589D
                          • GetLastError.KERNEL32 ref: 004158A5
                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 004158B1
                          • ControlService.ADVAPI32(00000000,00000001,?), ref: 004158C6
                          • DeleteService.ADVAPI32(00000000), ref: 004158CD
                          • Sleep.KERNEL32(00000064), ref: 004158E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$Open$ControlDeleteErrorLastManagerQuerySleepStatus
                          • String ID:
                          • API String ID: 160689180-0
                          • Opcode ID: a5cec3d77de77fa0bf0afbb8fb5e5e49bf7da689854d530b457bd50ff4054adf
                          • Instruction ID: 17d21bd907bda6ebeeae806d8328d55b914ff41cef0611a858ea4416cae64e39
                          • Opcode Fuzzy Hash: a5cec3d77de77fa0bf0afbb8fb5e5e49bf7da689854d530b457bd50ff4054adf
                          • Instruction Fuzzy Hash: 1411A7312412286FE314AB70DC8DEEF7BA9FB8D311F00451DFA1687290DAB59D08C7A1
                          APIs
                          • GetLogicalDriveStringsA.KERNEL32 ref: 0040AEF1
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104,00000000), ref: 0040AF47
                          • SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 0040AF65
                          • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 0040AFA6
                          • GetDriveTypeA.KERNEL32(?), ref: 0040AFED
                          • lstrlen.KERNEL32(?), ref: 0040B057
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Drive$DiskFileFreeInfoInformationLogicalSpaceStringsTypeVolumelstrlen
                          • String ID:
                          • API String ID: 3848079728-0
                          • Opcode ID: aca8e7606551a62fda32ce9df9ab07985e2db9b62576aa2ecdaaf93f19c1aecb
                          • Instruction ID: 196d24ad71c2a45d3bc999aac2053a1c636c8c36695b67d4a1080d829eb9f2fc
                          • Opcode Fuzzy Hash: aca8e7606551a62fda32ce9df9ab07985e2db9b62576aa2ecdaaf93f19c1aecb
                          • Instruction Fuzzy Hash: 4E41E7705083469FD715DF24CC40AEBBBEAEBCC304F04892DF98997251D774AA09CBA2
                          APIs
                          • Sleep.KERNEL32(00000005), ref: 0040FD2D
                            • Part of subcall function 0040FB20: GetForegroundWindow.USER32 ref: 0040FB29
                            • Part of subcall function 0040FB20: GetLocalTime.KERNEL32(?), ref: 0040FB79
                            • Part of subcall function 0040FB20: wsprintfA.USER32 ref: 0040FBCE
                            • Part of subcall function 0040FB20: SendMessageA.USER32(00000000,0000000D,00000400,1001DEF8), ref: 0040FC12
                          • lstrlen.KERNEL32(1001D6F4), ref: 0040FD41
                          • printf.MSVCRT ref: 0040FD7E
                          • GetAsyncKeyState.USER32(00000008), ref: 0040FD8D
                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040FDE0
                            • Part of subcall function 0040FA40: printf.MSVCRT ref: 0040FA52
                            • Part of subcall function 0040FA40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040FA65
                            • Part of subcall function 0040FA40: lstrcat.KERNEL32(?,\Sougou.key), ref: 0040FA75
                            • Part of subcall function 0040FA40: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040FA92
                            • Part of subcall function 0040FA40: GetFileSize.KERNEL32 ref: 0040FAA5
                            • Part of subcall function 0040FA40: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040FAB9
                            • Part of subcall function 0040FA40: lstrlen.KERNEL32(?), ref: 0040FAC0
                            • Part of subcall function 0040FA40: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040FAC9
                            • Part of subcall function 0040FA40: lstrlen.KERNEL32(?,?,00000000,00000000), ref: 0040FAEF
                            • Part of subcall function 0040FA40: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040FAF8
                            • Part of subcall function 0040FA40: CloseHandle.KERNEL32(00000000), ref: 0040FAFF
                            • Part of subcall function 0040FA40: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040FB06
                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040FE44
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$??3@lstrlen$printf$??2@AsyncCloseCreateDirectoryForegroundHandleLocalMessagePointerSendSizeSleepStateSystemTimeWindowWritelstrcatwsprintf
                          • String ID:
                          • API String ID: 3359622159-0
                          • Opcode ID: cb2d626fa56f0ed2ec33e0a53ff9d528c83e429e180452ab3ceac0276689a1d1
                          • Instruction ID: cd69b0f3bbb564cb2ca99099b2e9e574b41f094dbbe3861eec2732afa1e5d6ef
                          • Opcode Fuzzy Hash: cb2d626fa56f0ed2ec33e0a53ff9d528c83e429e180452ab3ceac0276689a1d1
                          • Instruction Fuzzy Hash: B14104710047806FD310EF24CC84AABBBA0EF59304F48453EF58697B92D739D889CB5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $9$@Bt$B$Trt
                          • API String ID: 0-1651311918
                          • Opcode ID: a4adbbbe55b893e41325d6a691ffd2b9dc93795af77cf94476e1f4a12881414e
                          • Instruction ID: 1bc1c692e82c2631a202dfafe03aa50361d9f2b69a85dd0360c6246db8b51a85
                          • Opcode Fuzzy Hash: a4adbbbe55b893e41325d6a691ffd2b9dc93795af77cf94476e1f4a12881414e
                          • Instruction Fuzzy Hash: BDB28D759102258FDB65DF68CC887A9B7B8FF08300F1541EAE949E72A4EB749E81CF50
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00413017
                          • CoCreateInstance.COMBASE(10019A68,00000000,00000001,10019A48,?), ref: 0041302F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInitializeInstance
                          • String ID: `<u
                          • API String ID: 3519745914-3367579956
                          • Opcode ID: ffc0feca212c46c3dfa9cfc1f6a6f11f9baba2a3f9fafc28c211b931be10edfa
                          • Instruction ID: c626e6ea4b31c1d54a20c499fa181e8c107f83148c766c8b539bb46e822d46af
                          • Opcode Fuzzy Hash: ffc0feca212c46c3dfa9cfc1f6a6f11f9baba2a3f9fafc28c211b931be10edfa
                          • Instruction Fuzzy Hash: 3A310670204202AFE604CF65CC88E9BB7E8FF88705F04895DF549DB250DB75E98ACB62
                          APIs
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040BCD5
                          • FindClose.KERNEL32(00000000), ref: 0040BD4F
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040BD67
                          • CloseHandle.KERNEL32(00000000), ref: 0040BD91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileFind$CreateFirstHandle
                          • String ID:
                          • API String ID: 3283578348-0
                          • Opcode ID: 723f6051223aa6a21d6affbab7a654e6611d5a8dca8725815f65c44cf544f7fb
                          • Instruction ID: de195e710c1c3c5e3fea09ab6548378e26320150422b6d9e37ffc2c9cc632423
                          • Opcode Fuzzy Hash: 723f6051223aa6a21d6affbab7a654e6611d5a8dca8725815f65c44cf544f7fb
                          • Instruction Fuzzy Hash: 5331D571808311ABD7259F189C457ABB795EF88320F14893EF859AB3D0C738980587CE
                          APIs
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10015A26,000000FF), ref: 00410065
                          • GetProcAddress.KERNEL32(00000000,1001C5D8), ref: 00410073
                          • RtlDeleteCriticalSection.NTDLL(?), ref: 004100B2
                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10015A26,000000FF), ref: 004100BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                          • String ID:
                          • API String ID: 1041861973-0
                          • Opcode ID: 0b1915fb54bc513d845078f3be4591f1f7fe168a7762940deca3c76edf450d66
                          • Instruction ID: 29ceaf1ded4844712b9a7081bf4a7f3604c090ae0de8617a6ac008a90984853d
                          • Opcode Fuzzy Hash: 0b1915fb54bc513d845078f3be4591f1f7fe168a7762940deca3c76edf450d66
                          • Instruction Fuzzy Hash: 92119A715447459BC320DF68DC48B9BFBE8FB48721F000A2AF969D3290D7B8D9848AA1
                          APIs
                          • GetVersionExA.KERNEL32 ref: 00414134
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00414161
                          • wsprintfA.USER32 ref: 0041417C
                          • CloseHandle.KERNEL32(00000000), ref: 00414193
                            • Part of subcall function 00413B30: exit.MSVCRT ref: 00413B60
                            • Part of subcall function 00413B30: GetTickCount.KERNEL32 ref: 00413C0B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCountFileHandleModuleNameTickVersionexitwsprintf
                          • String ID:
                          • API String ID: 2625282314-0
                          • Opcode ID: 605396f90df6c3b3b5de06a0a55db3586a3bb4058cb949de0969ac58d9e9e224
                          • Instruction ID: 8162dc16c5d2284c6a99ef31ca749bd1735ab0064d3c3c87852882c2e45daf9a
                          • Opcode Fuzzy Hash: 605396f90df6c3b3b5de06a0a55db3586a3bb4058cb949de0969ac58d9e9e224
                          • Instruction Fuzzy Hash: F3F06271404252BFE760EBA0CC89FEB7BA8EF99305F44881DF18996152EB75D1888B52
                          APIs
                          • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0040E0F7
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 0040E10F
                          • GetLastError.KERNEL32 ref: 0040E115
                          • CloseHandle.KERNEL32(?), ref: 0040E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AdjustCloseErrorHandleLastLookupPrivilegePrivilegesTokenValue
                          • String ID:
                          • API String ID: 2914293243-0
                          • Opcode ID: f076a75c665e81c89b9fe63f3ce8f4a9d579763f9818ebe3900ee04a80bbb3d8
                          • Instruction ID: 43925726096e56331307456324d7f6278b269eda8f145a69cfd95cbf8978ee81
                          • Opcode Fuzzy Hash: f076a75c665e81c89b9fe63f3ce8f4a9d579763f9818ebe3900ee04a80bbb3d8
                          • Instruction Fuzzy Hash: 4EF0B775254310ABE314DB54CC9AF6BB7A4BB88B01F00C91EFA8696290D6B5E904CB55
                          APIs
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040BC33
                          • FindClose.KERNEL32(00000000,00000092), ref: 0040BC62
                          • FindClose.KERNEL32(00000000), ref: 0040BC7D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$Close$FileFirst
                          • String ID:
                          • API String ID: 3046750681-0
                          • Opcode ID: 582f78f1d9b7b7bae93e911792c0f500527dc6f1563cdb184b90c3d127bf4c6b
                          • Instruction ID: fd7a22913db0a28d3a9c08185314ffe9f955f5292f2652e67c48f6abeed13cd3
                          • Opcode Fuzzy Hash: 582f78f1d9b7b7bae93e911792c0f500527dc6f1563cdb184b90c3d127bf4c6b
                          • Instruction Fuzzy Hash: F911EB3224410457E7149A29DC856BAB395EB8D320F54463EED1BDB2D1DF7A9C088698
                          APIs
                          • ExitWindowsEx.USER32(?,00000000), ref: 10006046
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: ExitWindows
                          • String ID: SeShutdownPrivilege
                          • API String ID: 1089080001-3733053543
                          • Opcode ID: 29d2f41268306a4563203dd9e5d791a1e3ea6e88b61d61283997b45198a3fbd1
                          • Instruction ID: 871e5e7587db6e8c880b8f0bbd2e795bf825e80d51d131e5c71d88f25b317ca2
                          • Opcode Fuzzy Hash: 29d2f41268306a4563203dd9e5d791a1e3ea6e88b61d61283997b45198a3fbd1
                          • Instruction Fuzzy Hash: 2CD012363C422837F520D2D0CC5AFDF1545CB58B50F104405F3025E1C5CAB2F89083A9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1127d4b4bbbffdef243e87122d3d11c8cfbec8a59f9fb804e296b614eecb1e32
                          • Instruction ID: a2405b6b4dd130c0c7155505d3626cab5189685ee83b241e19ec4d2f42201963
                          • Opcode Fuzzy Hash: 1127d4b4bbbffdef243e87122d3d11c8cfbec8a59f9fb804e296b614eecb1e32
                          • Instruction Fuzzy Hash: 4141B4B2700305AFE714DF689CC1B677398EB84325F14417AFA05E76C2DAB5E8148BA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: @$L
                          • API String ID: 2994545307-22657231
                          • Opcode ID: eacaaf65ac481771e4f30a4eba721ba5fe69a98c3acd2585b657c6f0b5f5d95d
                          • Instruction ID: 5abe09a60c241623c36541d6e089ae844e6b4909b70a26c051843d22a1e2fcfc
                          • Opcode Fuzzy Hash: eacaaf65ac481771e4f30a4eba721ba5fe69a98c3acd2585b657c6f0b5f5d95d
                          • Instruction Fuzzy Hash: 0B324971A017199BDB61DF65CC88B9AFBF9FF48308F1041EAD509A7290DB70AA84CF54
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$@
                          • API String ID: 0-149943524
                          • Opcode ID: 006fa0dda9f4d683f3fc5006a8334ad831fd0bd994037c649b988c9e3db3b381
                          • Instruction ID: c93d7af63c137347b0332dcc6a7614d8fa055adbb86b26a107536e10a37c4f7e
                          • Opcode Fuzzy Hash: 006fa0dda9f4d683f3fc5006a8334ad831fd0bd994037c649b988c9e3db3b381
                          • Instruction Fuzzy Hash: CFD136752183419FD720CFA4C980AABBBE9FF88714F44492EF98687254DB70E949CF12
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @Bt$TBt
                          • API String ID: 0-4234350823
                          • Opcode ID: 8a7ea8878123eddc69dff9979df1bbaf910e66b262ab7865a20a8d160b4f24bd
                          • Instruction ID: b6ce862473a6e47560fc2d50a983f62e5a3b87d92865f28f15fe8925d4185a65
                          • Opcode Fuzzy Hash: 8a7ea8878123eddc69dff9979df1bbaf910e66b262ab7865a20a8d160b4f24bd
                          • Instruction Fuzzy Hash: 7EC1B074A203468FDF25CFE8C440BBAB7F1EF49304B54445AD896AB358D775A841DB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @Bt$zdbf
                          • API String ID: 0-2429547408
                          • Opcode ID: 951a575667a6970f8d5e8c36f4fe34423f432a664fc5fb3d93e2a12c92dd6b0f
                          • Instruction ID: 9f8eaa7869989577dfe06b1f01e300a37d7cc10a97ffcada89afd649703654b0
                          • Opcode Fuzzy Hash: 951a575667a6970f8d5e8c36f4fe34423f432a664fc5fb3d93e2a12c92dd6b0f
                          • Instruction Fuzzy Hash: 3041F1B1740300BBE727AA558D41F2BF2AD9B40F58F150555FA41EF5E1DBA0DF018AA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $+
                          • API String ID: 0-1072098471
                          • Opcode ID: 9db76c8f905c226b5d2417b1a4fbe346fadc3a8baad2e89d6ede2a8bbed4964b
                          • Instruction ID: 8e47ffc235800a4d6568e95c92f3336cd3019bfb6eb35550f0948c6ba630c932
                          • Opcode Fuzzy Hash: 9db76c8f905c226b5d2417b1a4fbe346fadc3a8baad2e89d6ede2a8bbed4964b
                          • Instruction Fuzzy Hash: 4031E2727161069BC718AE39CC84BB77BF6FF89354B048528E909DB2C4DBB4D845C798
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 477c911b0f4dd28e0f4d50367ce480749b12ff3ff66702233f9d061c5071fb8b
                          • Instruction ID: 97de25beceb1b48ef4ff5b6066f342d0d46edda6f4fe993e00cc6f97623b1a18
                          • Opcode Fuzzy Hash: 477c911b0f4dd28e0f4d50367ce480749b12ff3ff66702233f9d061c5071fb8b
                          • Instruction Fuzzy Hash: E492CD70A04248DFDB25CF68C464BAEBBF1FF49304F14909AE859AB391D375A986CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                          • Instruction ID: 020b218c07e4a47a0e1842ff586631fdf6b601f6785e77c48e142be74ef6b193
                          • Opcode Fuzzy Hash: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                          • Instruction Fuzzy Hash: 87621870D012188FCB98DFA9D4D4AADB7B2FF8C311F608199E9816BB45C7356A16CF60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: w
                          • API String ID: 0-476252946
                          • Opcode ID: c378e8967446080749cc6738382d4ef20fb7a40afd5199e3d64fa7f9fa877182
                          • Instruction ID: ae0e5f7c86421c46a7bd7692858b5f0c11481707afec9eb87e9f8a83e9fbf048
                          • Opcode Fuzzy Hash: c378e8967446080749cc6738382d4ef20fb7a40afd5199e3d64fa7f9fa877182
                          • Instruction Fuzzy Hash: 32D1EE70900269EBCB24CF55C4A1ABEBBF2FF44308F14C65AEC999B641E334E991CB54
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 11ad64b6171f2947f4bc04ab6775169edb95353cc0a7a4c409cb593f74d56cde
                          • Instruction ID: 01bd403558253dfa9e2cbaea29612ed49888fccee5d34372df54f056b01ad023
                          • Opcode Fuzzy Hash: 11ad64b6171f2947f4bc04ab6775169edb95353cc0a7a4c409cb593f74d56cde
                          • Instruction Fuzzy Hash: F5D17C356083418FC724CF28C4806AFB7E1EFD9314F64892EE89597351D739D98ACB8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 9cb1166a05c120a11c651bd44ccfed39ce997e51e2c287b5b43fc250d54f390c
                          • Instruction ID: e34805e200c8addcd5b7734d03a7acb35ec40c6523f550c40756b4869d1fa88c
                          • Opcode Fuzzy Hash: 9cb1166a05c120a11c651bd44ccfed39ce997e51e2c287b5b43fc250d54f390c
                          • Instruction Fuzzy Hash: B5D16CB06083458FDB18CF18C4916ABBBF2BFC5300F14495EE8959B346DB35D985CB8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: b
                          • API String ID: 0-1908338681
                          • Opcode ID: d418424da2706b8bf2806df30bd3861980581bd15b570798ee1eca5b9a1ea864
                          • Instruction ID: 7ed80e99080c3341b8ef4b39f4aff99350422f3e2f1032e8304808daf96ca168
                          • Opcode Fuzzy Hash: d418424da2706b8bf2806df30bd3861980581bd15b570798ee1eca5b9a1ea864
                          • Instruction Fuzzy Hash: F6C18A71584710AFDB219F50D848F6BBBB8FF84B14F0049ADF1829B5A0DBB4D588CB61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: x$v
                          • API String ID: 0-3403762548
                          • Opcode ID: 48f1f3ce96d1ede3e1db01fae9034f25be328de0beedc664168e5e54a7dd091a
                          • Instruction ID: 0ec30910c1bd16696ca792aef221f3d078e6b4a9732580dbadbe6658ac19bd72
                          • Opcode Fuzzy Hash: 48f1f3ce96d1ede3e1db01fae9034f25be328de0beedc664168e5e54a7dd091a
                          • Instruction Fuzzy Hash: BDE102B19087809FE325CF26C081BABBBE5BF88315F10892FE59996350DB719509CF56
                          APIs
                            • Part of subcall function 00412460: ReleaseDC.USER32(?,?), ref: 00412498
                            • Part of subcall function 00412460: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124E2
                            • Part of subcall function 00412460: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124EE
                            • Part of subcall function 00412460: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124F7
                            • Part of subcall function 00412460: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 00412500
                          • ??3@YAXPAX@Z.MSVCRT ref: 00412450
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??3@$Release
                          • String ID:
                          • API String ID: 1241932719-0
                          • Opcode ID: aaca3987289e21b5ac786d5795a872331c6feda5dcefee976e3926530940571e
                          • Instruction ID: cf291c33f3e38f9331d6dfdb95bf0e45f98a9ee9066df9e839a970f9a90bf167
                          • Opcode Fuzzy Hash: aaca3987289e21b5ac786d5795a872331c6feda5dcefee976e3926530940571e
                          • Instruction Fuzzy Hash: DFF0C97048A3928FC3935BB494001C1B7F0AF13338B1610EAD440DA121E2EE8CD7CB69
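The Memory Dump Source names above encode where each disassembled function was found, and that is the most useful triage signal in these entries. The Python below is an added example, not Joe Sandbox code, and decodes those names. The field layout is inferred from the names on this page: the first two fields match the process and snapshot numbers in the `hcaresult_0_2_<base>_file.jbxd` snapshot names, the fourth is the region base address, the fifth holds a Win32 PAGE_* protection constant and the seventh a MEM_* region type; the third, sixth and eighth fields are treated as opaque (assumption). Decoded this way, the 0x248E000 and 0x22D8000 dumps (reported "based on PE: false") are PAGE_EXECUTE_READWRITE private memory, i.e. unpacked code, while the 0x401000 dump is the first section of the mapped image and is also mapped writable and executable.

```python
"""Decode Joe Sandbox .sdmp dump file names into protection and region type.

Added example for this report, not Joe Sandbox code. Field meanings for
fields 1, 2, 4, 5 and 7 are inferred from the names on the page; fields
3, 6 and 8 are kept only as raw integers (assumption: opaque ids/flags).
"""
import re

# Win32 page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Win32 region-type constants (MEMORY_BASIC_INFORMATION.Type).
REGION_TYPE = {
    0x20000: "MEM_PRIVATE",
    0x40000: "MEM_MAPPED",
    0x1000000: "MEM_IMAGE",
}

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<rtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split an .sdmp file name into its fields and decode the Win32 flags."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp file name: {name}")
    prot = int(m["prot"], 16)
    rtype = int(m["rtype"], 16)
    return {
        "process": int(m["proc"], 16),
        "snapshot": int(m["snap"], 16),
        "dump_id": int(m["dump"]),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECTION.get(prot, f"0x{prot:X}"),
        "executable": prot in EXECUTABLE,
        "writable": prot in WRITABLE,
        "type": REGION_TYPE.get(rtype, f"0x{rtype:X}"),
        "field6": int(m["f6"], 16),   # undecoded (assumption: opaque)
        "field8": int(m["f8"], 16),   # undecoded (assumption: opaque)
    }


def classify(region):
    """Short verdict on why a region matters during triage."""
    if region["executable"] and region["writable"]:
        if region["type"] == "MEM_IMAGE":
            return "RWX image section (writeable code inside the loaded PE)"
        return "RWX non-image memory (unpacked or injected code)"
    if region["executable"] and region["type"] != "MEM_IMAGE":
        return "executable non-image memory"
    return "ordinary"


if __name__ == "__main__":
    # Names taken from this report's Memory Dump Source entries.
    for n in (
        "00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp",
        "00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp",
        "00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp",
        "00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp",
    ):
        r = parse_sdmp_name(n)
        print(f"{r['base']:#010x} {r['protection']:<24} {r['type']:<12} {classify(r)}")
```

When walking a report like this one, run every Source File and Associated name through the decoder and look first at functions whose dump is executable private memory: those are the unpacked payload and are where the Yara matches and the resolved API calls live.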
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 88cb77ca60f2038f69ed67a0a3cfc7bd6cb1601589a4218491c0b0ee26e844ff
                          • Instruction ID: 9fed9cfb780e106c9a195daf63233756d0a90c42fae06c0b9fa697821961e3a0
                          • Opcode Fuzzy Hash: 88cb77ca60f2038f69ed67a0a3cfc7bd6cb1601589a4218491c0b0ee26e844ff
                          • Instruction Fuzzy Hash: 00A17CB1A0120A9FDB21DF94C8A4BBEBBB9FF18344F14442AED15EB650E7749D40CB54
                          APIs
                            • Part of subcall function 00411D60: SetCursorPos.USER32(?,?,?,?,?,?,00411962,?,?,00000000), ref: 00411DC8
                            • Part of subcall function 00411D60: WindowFromPoint.USER32(?,?,?,?,?,?,00411962,?,?,00000000), ref: 00411DD0
                            • Part of subcall function 00411D60: SetCapture.USER32(00000000,?,?,?,?,00411962,?,?,00000000), ref: 00411DD7
                            • Part of subcall function 00411D60: MapVirtualKeyA.USER32(?,00000000), ref: 00411E16
                            • Part of subcall function 00411D60: keybd_event.USER32(?,00000000), ref: 00411E20
                          • BlockInput.USER32(?,?,?,00000000), ref: 00411969
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BlockCaptureCursorFromInputPointVirtualWindowkeybd_event
                          • String ID:
                          • API String ID: 3390882723-0
                          • Opcode ID: ddba526125c2a1f890d557fcfb2df261f2eb91eefe30313eebec5ffd3756fa84
                          • Instruction ID: 5ed8b7bafc75bcfe03069ebe497b1f10100d649f3cbdc494e3ceec6f3f4c1d14
                          • Opcode Fuzzy Hash: ddba526125c2a1f890d557fcfb2df261f2eb91eefe30313eebec5ffd3756fa84
                          • Instruction Fuzzy Hash: C0D02E76B045085BC228FB92E442FEEF328EBC1B11F00852FEA16473C0CE38A841C7A4
                          APIs
                          • ExitWindowsEx.USER32(?,00000000), ref: 0040E096
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitWindows
                          • String ID:
                          • API String ID: 1089080001-0
                          • Opcode ID: 29d2f41268306a4563203dd9e5d791a1e3ea6e88b61d61283997b45198a3fbd1
                          • Instruction ID: 8128d64a9d59bda064c8f7c17956a6d2fc2ea3d315adc8239861e88cf142fb2f
                          • Opcode Fuzzy Hash: 29d2f41268306a4563203dd9e5d791a1e3ea6e88b61d61283997b45198a3fbd1
                          • Instruction Fuzzy Hash: A4D0123228423477E520B2D28C5AFDF15449B54714F004C1AF7016E2C1CAF6E89083AE
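The two entries above list the USER32 calls resolved in the unpacked image: the subcall at 0x411D60 drives the mouse and keyboard (SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, keybd_event), its caller locks the console user out with BlockInput at 0x411969, and a separate function forces a shutdown or reboot with ExitWindowsEx at 0x40E096. That API cluster is a hunting handle in its own right. The rule below is an added example written for this report, not a rule shipped with Joe Sandbox or with the Gh0st RAT Yara rules the report matched; the rule name and metadata are the author's own choices. It is meant to run against the unpacked memory dump (the 0x400000 image dumps listed above), since the on-disk sample is packed and would not expose these import names.

```yara
import "pe"

// Added hunting rule for this report (not a Joe Sandbox rule). Matches the
// USER32 remote-input-control cluster plus forced shutdown seen in the
// unpacked image. Apply to dumped/unpacked PEs, not to the packed sample.
rule gh0st_style_input_hijack_cluster
{
    meta:
        description = "BlockInput/keybd_event/SetCursorPos remote control cluster with ExitWindowsEx"
        scope       = "unpacked PE memory dump"
        reference   = "Joe Sandbox analysis 1583451, functions at 0x411D60 / 0x411969 / 0x40E096"

    strings:
        // Import-name strings survive in a dump even when the IAT has been
        // overwritten with resolved addresses.
        $in1 = "BlockInput" ascii
        $in2 = "keybd_event" ascii
        $in3 = "SetCursorPos" ascii
        $in4 = "WindowFromPoint" ascii
        $in5 = "SetCapture" ascii
        $in6 = "MapVirtualKeyA" ascii
        $sd1 = "ExitWindowsEx" ascii

    condition:
        uint16(0) == 0x5A4D and
        (
            // Preferred path: the import directory is intact.
            (
                pe.imports("user32.dll", "BlockInput") and
                pe.imports("user32.dll", "keybd_event") and
                pe.imports("user32.dll", "SetCursorPos") and
                pe.imports("user32.dll", "ExitWindowsEx")
            )
            or
            // Fallback for dumps whose import directory was not rebuilt.
            ( 4 of ($in*) and $sd1 )
        )
}
```

BlockInput together with synthetic keyboard and mouse input and ExitWindowsEx is rare outside remote-control tooling, but legitimate remote-assistance and accessibility software can import the same set, so treat a hit as a pivot into the dump (check the function referencing BlockInput and whether the calls are reachable from network-command dispatch) rather than as a verdict on its own.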
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 90934d25edfb854b4fa6561fef2c8059a3fdb2a971cd3ca952bea05586825734
                          • Instruction ID: 057220487eca823ea7fa64bd8a3abda6d6e785c5311967962e9118d98a426ae2
                          • Opcode Fuzzy Hash: 90934d25edfb854b4fa6561fef2c8059a3fdb2a971cd3ca952bea05586825734
                          • Instruction Fuzzy Hash: 26916DB1A40219EFDB16DF94CC40AEEB7B9AF08714F144569F905AB251EB74AB01CFA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: ba7821e0d1c61a2fce951978221cc810cc85586770ae6fb26259b9b9a9e195af
                          • Instruction ID: bf89f11f5d7e432980274350c2d07ffff1ed13fe1f3362e82e233f0131ddd3cd
                          • Opcode Fuzzy Hash: ba7821e0d1c61a2fce951978221cc810cc85586770ae6fb26259b9b9a9e195af
                          • Instruction Fuzzy Hash: A081DE719047569FCB26CE28C880B6FBBA5FBC4328F05856EFA599B240D730DC45CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: qrks
                          • API String ID: 0-3937875505
                          • Opcode ID: 047ad95464aa263d675c512c5e4f3939af203946fce05cf69484fbc62fd6ef14
                          • Instruction ID: ccb02527c03f674c6e722dce4049b726b059d5437f8e26cedfdb72ec01dfb254
                          • Opcode Fuzzy Hash: 047ad95464aa263d675c512c5e4f3939af203946fce05cf69484fbc62fd6ef14
                          • Instruction Fuzzy Hash: 9981B071624341AFDB60CF55D880B6BFBE9EF88724F40092EFA89D7254D770E900CA96
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: (D#$
                          • API String ID: 0-2986077793
                          • Opcode ID: 3580e9392841e7aea6390d8e97100eeeed98c6073cec5db5d3d2043ccc2fe4af
                          • Instruction ID: 5112eb56d749f6fa017add66d8cd22d3344bd6aa0388deb6d90b2da0a05111e9
                          • Opcode Fuzzy Hash: 3580e9392841e7aea6390d8e97100eeeed98c6073cec5db5d3d2043ccc2fe4af
                          • Instruction Fuzzy Hash: 276159B7F403188FCB18DA74CC89B9ABBBEEB84304F2145AAD405EB155DB709A41CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 29236151a16af16276be03ffe27da4527d57a683cba54a380ed0205af6031f5e
                          • Instruction ID: 4ff7f5b1fa4e5eab68aaacff0fba39d0cbc2272e7c3602ce325d3e19904a18e2
                          • Opcode Fuzzy Hash: 29236151a16af16276be03ffe27da4527d57a683cba54a380ed0205af6031f5e
                          • Instruction Fuzzy Hash: 55713C71A006199FDB22CF28DC48B9AF7FEEF45718F1445AAE549E7250DB70AA84CF10
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: H{t
                          • API String ID: 0-2597746159
                          • Opcode ID: 901be36bfee8147b7672643fec167a57b161a34e503992c7f51045dde742d108
                          • Instruction ID: f243afa5f9c23ee9736ef7c4a3077d61a0fdf3c6d71a075490bdb59d66115798
                          • Opcode Fuzzy Hash: 901be36bfee8147b7672643fec167a57b161a34e503992c7f51045dde742d108
                          • Instruction Fuzzy Hash: B051FC35A00201DBCB25DF18C9E0A7AF7B7FF94744B198968D8429B695D731FD82C760
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: <Rv
                          • API String ID: 0-683284065
                          • Opcode ID: 021381036aa2a29ecd53c580aeb9a89101214b786af64d7a299b7b304d94ec90
                          • Instruction ID: d6d56a4b70d800a6fa7f49040a03e2c1393d8b03dd63b031bd2e82398bf8aac0
                          • Opcode Fuzzy Hash: 021381036aa2a29ecd53c580aeb9a89101214b786af64d7a299b7b304d94ec90
                          • Instruction Fuzzy Hash: 5B5194331A2591DFC712AF65E885E24B3B7FF08A24F15812EFA054B641CB38E850DE76
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: ea627057033129eeee2a9e6c735af9a9c360564f45693f9cbd294f9de0b2d36c
                          • Instruction ID: 0fa5fd4936846b497c98d78b98df907c3cbb80c5f55dc1ab672ff3d28c2b7cdf
                          • Opcode Fuzzy Hash: ea627057033129eeee2a9e6c735af9a9c360564f45693f9cbd294f9de0b2d36c
                          • Instruction Fuzzy Hash: 72518175981228AFDB21DF54DC89FDAB7BCEF48B04F0004E9E50AE6250DB74AA95CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 63e0c2b9ddbe891f98d90b8e7c67849202453b38551d4b3d3285839ab24b1b05
                          • Instruction ID: 16a475efce4fefec40cc13ffee0dcf96d375373ca25534433092714eaab11342
                          • Opcode Fuzzy Hash: 63e0c2b9ddbe891f98d90b8e7c67849202453b38551d4b3d3285839ab24b1b05
                          • Instruction Fuzzy Hash: 9C41B475E00265ABDB22DE64C840FAA7BB99F04724F058565ED89AF381D770DF40CBD1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8
                          • API String ID: 0-4194326291
                          • Opcode ID: c7fda04ffca10b4d5164faa893944a34f3bb485a9db1a496542c27a282fb72dc
                          • Instruction ID: 6095175dde0fe77f372bf1a7597fb0beadba661bd50f06cc788ec5fc7d92eedc
                          • Opcode Fuzzy Hash: c7fda04ffca10b4d5164faa893944a34f3bb485a9db1a496542c27a282fb72dc
                          • Instruction Fuzzy Hash: E45115B2990658EFDF219FD0CC88B9EBBBDFF08B11F400529E646AA154CB71A911DB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: ea8a0395f56b589c7b7e78f2ee21eb3b36f1edade4ade2bbffbce7f71e465da0
                          • Instruction ID: 5a92273effb201ac7d51bd2458828c6692a80d59016eb18f58049d0ca18d4c6b
                          • Opcode Fuzzy Hash: ea8a0395f56b589c7b7e78f2ee21eb3b36f1edade4ade2bbffbce7f71e465da0
                          • Instruction Fuzzy Hash: 1341C571E80214BFD7219B94CC49FAEBBBCEB44B10F000155FA05BA691D7B1AA48CBA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 4f55af217bcc353e3a48233f7314db7a5a69fef10979decfff7e159938040e49
                          • Instruction ID: 5e78f01d683adb1640a5296e68eb8eae3000193f7b92b8742736f208f00b7e66
                          • Opcode Fuzzy Hash: 4f55af217bcc353e3a48233f7314db7a5a69fef10979decfff7e159938040e49
                          • Instruction Fuzzy Hash: A4417F76D40219EFDB118BA9C8A8FAFB7B8EB49724F110555E911E72D0DB30AE10CB70
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: zdbf
                          • API String ID: 0-2567057744
                          • Opcode ID: a89270b02d55edbc56253b4def88aee6917e8851c2406c80e86cfcaec00eb9dd
                          • Instruction ID: 4e76766f7cc94ec9a44bf69fdb80fac64d0992c11d59f3e33e44ae95aaf30858
                          • Opcode Fuzzy Hash: a89270b02d55edbc56253b4def88aee6917e8851c2406c80e86cfcaec00eb9dd
                          • Instruction Fuzzy Hash: 0941D432B40210EBDB12DF94C885B6EF7B6FB84329F104565EA16BB681C7749B41CF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: cafa7931ee23e262fafbca30c6b70a2107309fc91879fe04016cf79f8455fa02
                          • Instruction ID: d7a34e24c72fdc3aa703e64f74f8dbda3a87642dfd63667707d66e55bd7a8668
                          • Opcode Fuzzy Hash: cafa7931ee23e262fafbca30c6b70a2107309fc91879fe04016cf79f8455fa02
                          • Instruction Fuzzy Hash: 7C411D71D512699BEB219B94DC44FDABBBDEB48710F0045E6E90DB7140DB709E88CFA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: {v
                          • API String ID: 0-1772808743
                          • Opcode ID: a137e7845ac9fdb9110e38a107ea25afc031d3b5968c9395fedadba38e4610b5
                          • Instruction ID: 080e5f7e6d58e8d194058dcfab2687e1ea098195665d8c3d000a05b7b1710d4f
                          • Opcode Fuzzy Hash: a137e7845ac9fdb9110e38a107ea25afc031d3b5968c9395fedadba38e4610b5
                          • Instruction Fuzzy Hash: B741A671A012289BCF20DB69CC58BDABBBDBF45308F5401E6A849A7244DE74DE84CF55
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: #
                          • API String ID: 0-1885708031
                          • Opcode ID: de79c8f6ef8b4a1c4f8311fdeab7307b20a088bd8392dcfe1a69ea67cb364924
                          • Instruction ID: 7a39849cb3f66ab7c0e9562d1557493007a74252fb3469153a51e8376cb0c1c3
                          • Opcode Fuzzy Hash: de79c8f6ef8b4a1c4f8311fdeab7307b20a088bd8392dcfe1a69ea67cb364924
                          • Instruction Fuzzy Hash: 6741B376D00215EFDB15DF98CC41AAEB7B5EF84700F154469E94AEB250EB70AB01CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: +
                          • API String ID: 0-2626494186
                          • Opcode ID: aac498df7e6dc558459d6b311368b1ee50a664644c14f39e5667d1ba48deae28
                          • Instruction ID: 738e769dfe8ed3005784943bed1b28cdddf8bed24fec9d637115e001dfc75b30
                          • Opcode Fuzzy Hash: aac498df7e6dc558459d6b311368b1ee50a664644c14f39e5667d1ba48deae28
                          • Instruction Fuzzy Hash: 3631E272611105ABD714BF39CC45BABBBF6FF88310F158428F509DB284DAB0E805C798
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3512435af9cdc1feba41d7c3cff29ef4e07abd32adc5b2af22b78745dda9f121
                          • Instruction ID: 056ccc3ad086c53cadd12c30ca14f5f9cadd6f26af0ae3f749ece86c31f6353f
                          • Opcode Fuzzy Hash: 3512435af9cdc1feba41d7c3cff29ef4e07abd32adc5b2af22b78745dda9f121
                          • Instruction Fuzzy Hash: FFF1823BD106658BDB40CF6EDC8014EB7A2EBCA201B5FC1A5CA8467316D634BA13CBD4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                          • Instruction ID: d33b6728ad5599ca546737bf5dba35ea6ec3e6ce9b67271315a8bcdeb3077a28
                          • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                          • Instruction Fuzzy Hash: 5FF19FB65092408FC3098F18D8989E27BE6EF98714F1F42FEC4499B362D376D981CB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bec317907bbc7fe8dc6ca343aef2268597f6f3b02a96ccbc52464b7744bfd0c6
                          • Instruction ID: f65a0cd98bd8a31176db0b86cdcd406ec6ada54b9e0cc6cb3d26b122d77fefdb
                          • Opcode Fuzzy Hash: bec317907bbc7fe8dc6ca343aef2268597f6f3b02a96ccbc52464b7744bfd0c6
                          • Instruction Fuzzy Hash: 9FE13775601B018FD329CF29C890AA7B7E2BF88304B58892EE5D787B51D735F892CB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ffe5c74aa196e02033f09b87d2ad4463714672bce469651ca7d257236a9ad8c5
                          • Instruction ID: d6b9cb2818bdb6cc2caa62b7f6f50db4d1a5aaa0263791d7ee2fce9f56f2682f
                          • Opcode Fuzzy Hash: ffe5c74aa196e02033f09b87d2ad4463714672bce469651ca7d257236a9ad8c5
                          • Instruction Fuzzy Hash: 40E156B5D15715CBCB29CF98C8846ADBBF5FF88700F18815AE804ABB19E7749842CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65687a8affb97a2f533f329f74e5565007f86978b3203d503dbf19becfe64bec
                          • Instruction ID: 3960757411b5fb8b060c2dd7612c40fa9aa3bf252d6a1ea920640c7e5c0dc34c
                          • Opcode Fuzzy Hash: 65687a8affb97a2f533f329f74e5565007f86978b3203d503dbf19becfe64bec
                          • Instruction Fuzzy Hash: 2AD1CFB5A402349BDF319B14CC84BAAB7FCAF08714F50859AF749AB181D7709AC9CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d02004115a51416f187ee5109947254c7092dffb3c91f3d930adf32af7f93d5c
                          • Instruction ID: 7d3a8d9d82eab03af2580bd3515d964dc2e62b0132a38b799bcd0ea1d56f4797
                          • Opcode Fuzzy Hash: d02004115a51416f187ee5109947254c7092dffb3c91f3d930adf32af7f93d5c
                          • Instruction Fuzzy Hash: 4DD19BB56092518FC719CF18E8D88E27BE5FF98700B1E82F9C9898B323D3359985CB55
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae0f118b8393cff966a7e5cd4f0ddfd8c40e486958fbb17157c05b2b101dd4c0
                          • Instruction ID: 634b94675df28d2fa86be0fb55a1975cbed28ccda17551f0869390fe37c9a555
                          • Opcode Fuzzy Hash: ae0f118b8393cff966a7e5cd4f0ddfd8c40e486958fbb17157c05b2b101dd4c0
                          • Instruction Fuzzy Hash: EBC13775605B018FC328CF29C890AA7B7E2BF89304B58892EE5D7C7B51D635F891CB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmpDownload File
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d02004115a51416f187ee5109947254c7092dffb3c91f3d930adf32af7f93d5c
                          • Instruction ID: 178b00e9cfd2de2a855bec1892d0dcd1dd5dc56df63a576b4f45b032e3afd92c
                          • Opcode Fuzzy Hash: d02004115a51416f187ee5109947254c7092dffb3c91f3d930adf32af7f93d5c
                          • Instruction Fuzzy Hash: 1ED188756092518FC719CF18E8D88E67BE5EF98740B1E82F8C9898F323D3329985CB55
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df36d2894154e9a8d2497f9fd73b5a07a046af74c4ea048a6b3a1e505186a624
                          • Instruction ID: 7729855b5dce0555ac6048d89690e50ed3cef013073de7aaa9bb4dd605df3c37
                          • Opcode Fuzzy Hash: df36d2894154e9a8d2497f9fd73b5a07a046af74c4ea048a6b3a1e505186a624
                          • Instruction Fuzzy Hash: 84A14C769093619BC720DF65C880A1BBBF9AFC8B54F01492EF995A7340D730ED08CB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 377178fc3e143b3dbc67d60a1ca2b2b4941accdbeaf1abb08f23abcb9ba0d2ae
                          • Instruction ID: 56d1d43b6177e3b05a8124d43a675fc0ed4a1de6578ab880891994ce931af7c2
                          • Opcode Fuzzy Hash: 377178fc3e143b3dbc67d60a1ca2b2b4941accdbeaf1abb08f23abcb9ba0d2ae
                          • Instruction Fuzzy Hash: 50B1AF35A006099FDB24CF54C8D0AA9BBB5FB48319F24C1AED8456F792C735EE42CB84
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d036b430b62e9bfc9ff2246f754326bf47b84789c4358db9c18a5d3173369b83
                          • Instruction ID: bd3a4d8b16c999b1720aabef7f131b94ef588df1559a1faaa8d056fc4d0b6005
                          • Opcode Fuzzy Hash: d036b430b62e9bfc9ff2246f754326bf47b84789c4358db9c18a5d3173369b83
                          • Instruction Fuzzy Hash: B6B12871E0061ADFDF14CFA9C890BADBBF5BF49314F148569E928AB290D730A941CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 17080c5521b09106d080a24a0d98c67d154fb56d8c0a0a1d82c1bdc32cf7eb7c
                          • Instruction ID: c5ef64a60d35ca049e1f2a2dcd6945ab5bd2b8df52651719f54a57525d840116
                          • Opcode Fuzzy Hash: 17080c5521b09106d080a24a0d98c67d154fb56d8c0a0a1d82c1bdc32cf7eb7c
                          • Instruction Fuzzy Hash: 2D916D72605A418FC729CF29C8904E7B7E3EF85308B69896ED1D787701E735B892CB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 27251dfe29fa51d4ab34bb822ba5fbdf53c923776328025103892d4c16270f10
                          • Instruction ID: 8680ed102ad58d2a528500fbfef49e8a585e46d684a89f461e9786bfdce64004
                          • Opcode Fuzzy Hash: 27251dfe29fa51d4ab34bb822ba5fbdf53c923776328025103892d4c16270f10
                          • Instruction Fuzzy Hash: 4E519E76900215DFCB60DFAAC4D0AAEFBB6FF48318B21451ADA15A7700EB35E901CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8bb7f556dd25a7c3b72b5f884d59cf232fc310e76ad4f256a906cb58b7a098f
                          • Instruction ID: cb8230ae5978e029d8cb2bb9983e4a993bda09927c41a7de485a1a1d54dcfbd3
                          • Opcode Fuzzy Hash: d8bb7f556dd25a7c3b72b5f884d59cf232fc310e76ad4f256a906cb58b7a098f
                          • Instruction Fuzzy Hash: D851B075A40219ABDF25CF10CCE5BABF7AEEB44748F004669F90596280EB70DD91CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5075bdc0d85a0e30283cca52f1f00f988453c1e1c704b1460b243ce0a1b0f8d8
                          • Instruction ID: 3247146beffc0987e36e84948dbc5795d40ac218cb148d862513122736fa7b2f
                          • Opcode Fuzzy Hash: 5075bdc0d85a0e30283cca52f1f00f988453c1e1c704b1460b243ce0a1b0f8d8
                          • Instruction Fuzzy Hash: CB518576A412199BCB219F55CC98FABB7BEEB44748F0005A4F505D7191DB70ED50CBB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f354e4f010fc43e3c067a018bca10ceb12bbace56c17f591df579037ccb2163
                          • Instruction ID: fe4813830a4e50da327fd332938ac5d9100221e271b32d3c0956e19dd62e8aa2
                          • Opcode Fuzzy Hash: 1f354e4f010fc43e3c067a018bca10ceb12bbace56c17f591df579037ccb2163
                          • Instruction Fuzzy Hash: F1414B72B04214EFDB16AF68CC42A6EF3B9EF44714F554529F546E7280EB709B04CB24
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de590c2e8b6f48af5bb1ceaad16f90a2246bcee527d8ab0fe8870a39008bd52d
                          • Instruction ID: a654518935e48adb18a2b76a3bd70548bb77bd61cbb1beb7153fb41f9121ef97
                          • Opcode Fuzzy Hash: de590c2e8b6f48af5bb1ceaad16f90a2246bcee527d8ab0fe8870a39008bd52d
                          • Instruction Fuzzy Hash: DF41A471A40604EBCB21AF65CDA4F6FBBBEEF94B40F104565E8029B691DB70E911CB70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 428bfaf78ac624c5897a3113ac131905d03eb80339cdc71c1df39c4314bb6aa8
                          • Instruction ID: 82a9475e045142405efadffee8887ffdea656ffd09a38dc5fd29e6b4ff66aa2c
                          • Opcode Fuzzy Hash: 428bfaf78ac624c5897a3113ac131905d03eb80339cdc71c1df39c4314bb6aa8
                          • Instruction Fuzzy Hash: B441F832B14551ABCB55BF7AC44166EBAA2BF44318F21416EEC5AEB250DF38C8008F59
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 434f640482d2e44e404d6371d5491f99617d6bcb475fb851b95fe81f3585b9af
                          • Instruction ID: 8022a0cf578cceacac6c5774db0f9fcaa88877018427c3576031f9a1fe9e50ee
                          • Opcode Fuzzy Hash: 434f640482d2e44e404d6371d5491f99617d6bcb475fb851b95fe81f3585b9af
                          • Instruction Fuzzy Hash: 6641AD75220106EFCF258FA5C8A4B6A77F5FF48718F164615F905C71A4EB71E890CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f1c5a16f2f6c07582381d53c137dcecbf348e13f241b9a5c01ce8686cb24fec
                          • Instruction ID: b41a6867a4e322027dcbe3c9685b961511b40cac80b0854f9a6ae4b61538be78
                          • Opcode Fuzzy Hash: 1f1c5a16f2f6c07582381d53c137dcecbf348e13f241b9a5c01ce8686cb24fec
                          • Instruction Fuzzy Hash: 45411676A406018BC7379F688894B7BF7BBEF84B18F09052CE9468B615DF61DE01C7A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21bb67ca1a293b29f3fb8bbefa0ad9a912de95965f304dad255d921539ea94fa
                          • Instruction ID: 05152708d67eae6d211959b857e1049f4d63e322ac2327da70596e7f1b33cb77
                          • Opcode Fuzzy Hash: 21bb67ca1a293b29f3fb8bbefa0ad9a912de95965f304dad255d921539ea94fa
                          • Instruction Fuzzy Hash: 0F515C71A083529FC710DF69C884A2BBBE9FF88714F04496DF889D7250E734D948CB52
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 211567c17d1feee6066198039925cd9501dde97239951ba71efa1ec36339a55a
                          • Instruction ID: 31d1cc828df6b07cca03b529c074c9d77e817da1d1cd8a7206ad439f94faa456
                          • Opcode Fuzzy Hash: 211567c17d1feee6066198039925cd9501dde97239951ba71efa1ec36339a55a
                          • Instruction Fuzzy Hash: EC519C71E40205AFCB219FA4DC94BAFBBF9FF49B04F104069E502A7290DB74E915CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e61025dae34a6f5e32c7b7071405aee6bc6ce69beefd5952a241904d242b743
                          • Instruction ID: adc1d24584bbb2073d46a23ea723387b09b018aebd7e3c4f05152f76759d3453
                          • Opcode Fuzzy Hash: 2e61025dae34a6f5e32c7b7071405aee6bc6ce69beefd5952a241904d242b743
                          • Instruction Fuzzy Hash: FB517975220105EFCF159FA5C8A0EAA7BBAFF48718F164615F905C71A4EB31E8A0DB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fa92fd78aac39a45289874f6aed927787c4589bb3831bab2275937d4ae7174ba
                          • Instruction ID: 118702224af0596edda6403acaf98cc2fb949e0e27864da10c8833fe24f7b2cb
                          • Opcode Fuzzy Hash: fa92fd78aac39a45289874f6aed927787c4589bb3831bab2275937d4ae7174ba
                          • Instruction Fuzzy Hash: DF517C71610B42DFDB21DF29C990B6ABBF5FF88314F00892DE99A8B650D770E804CB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0cf33347a0f97149c6094b0b0f08babe7d1f4a099ff0296f460668e3d130e9d
                          • Instruction ID: 65d2eeb162f32bd968384efacb757706a9f61e4d373677e641cdfd60d289be09
                          • Opcode Fuzzy Hash: a0cf33347a0f97149c6094b0b0f08babe7d1f4a099ff0296f460668e3d130e9d
                          • Instruction Fuzzy Hash: EC51BF75A00219CFDB28CF18C894B96B7F8FF54308F0485AAD8199B251DB70ED85CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c66dac3322e5c4f9c8ed848f8cfd8774662fe43c972326820c53b75d67f4b0a
                          • Instruction ID: 24dacf115200e28dbb89a815419eeedf5b1aeac3cb777df52f37dc9f55192662
                          • Opcode Fuzzy Hash: 6c66dac3322e5c4f9c8ed848f8cfd8774662fe43c972326820c53b75d67f4b0a
                          • Instruction Fuzzy Hash: 6C41C2722047018FDB24DF29C880A1AB7E6FF89314F11492FE95BC7690D7B4E848CB59
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91e51685ebb895b12db5d0985b16db5f8eb3da510298d752602c4f37c22f509f
                          • Instruction ID: 6a74ff24842cba53b4844effee680d275c059bb96f6aa7e90bcc1979abbd3c96
                          • Opcode Fuzzy Hash: 91e51685ebb895b12db5d0985b16db5f8eb3da510298d752602c4f37c22f509f
                          • Instruction Fuzzy Hash: 6B517A75610205DFDB24DF68C4E0A6AF7F9FF48744B1488A9E8069B291E370FD81CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d28f6b6406088cde24ec54f630c33923b89069b8634d5f9d95bc800c9cc85e68
                          • Instruction ID: 693d1c36a408aaab4f5d0f33f9a08bf875a6386b7b2e79205ed0b57e4b9dd8b2
                          • Opcode Fuzzy Hash: d28f6b6406088cde24ec54f630c33923b89069b8634d5f9d95bc800c9cc85e68
                          • Instruction Fuzzy Hash: 4D41E17A980254EFCB119FE4DC89B6A7BB8FF48B10F004495FA05DB2A0DB719950DB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b20c64a7b73d9bc05ec799fd1578a244a4eedf04aaa25c399aee6a2eaab4d9da
                          • Instruction ID: b9397d37573c88e521f46086794f2d1585ed800b6b89545eff330e9e18b8df21
                          • Opcode Fuzzy Hash: b20c64a7b73d9bc05ec799fd1578a244a4eedf04aaa25c399aee6a2eaab4d9da
                          • Instruction Fuzzy Hash: BE41D532E40256DBCF20CE59C5E0BAE77A9AF45B14F15416AE902AB296C730FD41CBB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 888956ee25be583572eb79176626cc3499ec5c8dd4fb090dfa9e5cb7fef41edd
                          • Instruction ID: b4dee9e84c1727c85f3d9730f4202ea865ab8837b5fb9e5ec5a1378b751b54c9
                          • Opcode Fuzzy Hash: 888956ee25be583572eb79176626cc3499ec5c8dd4fb090dfa9e5cb7fef41edd
                          • Instruction Fuzzy Hash: 50411632A00105AFDB2A9F58CC65EBFF769EF44710F048258FD15A7254EB70AF51CA90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a46d7f1c2154fdb1f9e81cdbd22b9fc3eb4053cbebdc68b8a1cb6f47468b39ae
                          • Instruction ID: 61a2c1071ce50ea3dca421f83aad05d0e3a60b0bebdfc192d0ff98a859f01904
                          • Opcode Fuzzy Hash: a46d7f1c2154fdb1f9e81cdbd22b9fc3eb4053cbebdc68b8a1cb6f47468b39ae
                          • Instruction Fuzzy Hash: F541A176940218ABCB219F54CCD8FAB7BB9FB58B50F100A95FA1597690DB30ED90CF60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a36d1fa2605507e3c1ecb11298daacdd6b2dccaa7ad770755193ca0617bfacf4
                          • Instruction ID: 2d9599d3cd5f9ed4866bcb1ce6b215125588e2e57b52e917c0bc191b18b4059f
                          • Opcode Fuzzy Hash: a36d1fa2605507e3c1ecb11298daacdd6b2dccaa7ad770755193ca0617bfacf4
                          • Instruction Fuzzy Hash: 3541E271A40215EFDB28EFA4C845BAFBBF9FF48700F10456AE956E7280D771A902CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f05f3a756496523c3831f2db8192df0ab91bb0c97af94dff08a94b8a50f62b1
                          • Instruction ID: d81524205d6ecdba6f0117f96f76336938eae8c9d3646ec99b98a212e0d0f457
                          • Opcode Fuzzy Hash: 3f05f3a756496523c3831f2db8192df0ab91bb0c97af94dff08a94b8a50f62b1
                          • Instruction Fuzzy Hash: 4E41AF76940218AFCB219F54CDD8FAB7BB9EB48B50F140A95F915A7190DB30AD90CF60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44ffa4d56a765e210d367f9886a64cd965a0804eb0aa7f20f7d4c1af8dd3d3c2
                          • Instruction ID: e363f587f3c66fb89401029e1a2d6bcb9efabe8447161c40fe72b089ac7df89e
                          • Opcode Fuzzy Hash: 44ffa4d56a765e210d367f9886a64cd965a0804eb0aa7f20f7d4c1af8dd3d3c2
                          • Instruction Fuzzy Hash: D441D17AA102199FEB708B548C44FEAF3F9EB58754F1004B5E685A7144DBB09EC0CB51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2bcd25e60e6f0993598dbab1b00390ea787d1cd88a17bed8db9c2e6a45800fe
                          • Instruction ID: 62efce03938d39efe1d315c5bfd0fdf5ce4c978a4e32ac4009246961cd3aa74b
                          • Opcode Fuzzy Hash: e2bcd25e60e6f0993598dbab1b00390ea787d1cd88a17bed8db9c2e6a45800fe
                          • Instruction Fuzzy Hash: C941B071950209AFCB52DFA8CD44FABBBBCEB49744F040474FA05A6214D7719D90CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 627f747aede3c2ec8f9a4340a0fc4c7cf63524e3cf54069764eaddbd36e6c157
                          • Instruction ID: c09aafa44d37a12dd2c9b82d8d6f2f5b937c01e88166b3dadf95d40a83b3daa3
                          • Opcode Fuzzy Hash: 627f747aede3c2ec8f9a4340a0fc4c7cf63524e3cf54069764eaddbd36e6c157
                          • Instruction Fuzzy Hash: 9A41C2B1A40615BFD725CF59CC46F9ABBB8FB48720F014269F519AB291D770AA00CFD4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5c34f6dd885e976dbbdf6e2f33c493bcc459f80affa84620b2d439807c3480e1
                          • Instruction ID: a2ce9e35ecf196091c7bede5a58a0f36da36c445b0bf589f6b0a48c2651fc2be
                          • Opcode Fuzzy Hash: 5c34f6dd885e976dbbdf6e2f33c493bcc459f80affa84620b2d439807c3480e1
                          • Instruction Fuzzy Hash: 6D416C76A00202DFDB24CF24D9A1B76B7F5FF58754B244469E846CB690E730F981CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 883d7ba637ed806acf6ffba7cdeabe7a6450c640dd49921ad6d25daad41d68e5
                          • Instruction ID: d7c2e3c031a8d69a10b0f6d73d948f657c7c798694b2ce849ff07e4b5a6d00e2
                          • Opcode Fuzzy Hash: 883d7ba637ed806acf6ffba7cdeabe7a6450c640dd49921ad6d25daad41d68e5
                          • Instruction Fuzzy Hash: E241F775A40214ABDB209BA8DC09FAEB7FDEF58711F008525F611E72D0EB70E959CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e3ce18ae449d0555d57d79fd6695766c4df859277378685231b7ff146d672e4
                          • Instruction ID: 214bf0da376a8e2ad05504c238c922e181fc3673eb64a7c33babb69452901b33
                          • Opcode Fuzzy Hash: 2e3ce18ae449d0555d57d79fd6695766c4df859277378685231b7ff146d672e4
                          • Instruction Fuzzy Hash: 9741C032A11105EBCB259F68CC50FAEBBB9BF8071CF194068E9059B280DB35DD01CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e54876113506dbcaff0bede87ed3866343be18765dd91a025ee2d6106ad9a9f8
                          • Instruction ID: 714516ad9db605b550cfa3dc683ce991356b1801ef375cdb88be418f3786da66
                          • Opcode Fuzzy Hash: e54876113506dbcaff0bede87ed3866343be18765dd91a025ee2d6106ad9a9f8
                          • Instruction Fuzzy Hash: 72318F72F90611BBD725D6A48C40F5ABABD9B41720F4002B5FE07EB299DBB5ED40C7A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 592e1d29d239bcf48ed9872b1a23dec5d454385f371dc6fe8406be25227c81af
                          • Instruction ID: 9f073ea2c997f1bfa23bc5ca41ca9dfad78d9331518b948a2b7f0c0ab42a7b3b
                          • Opcode Fuzzy Hash: 592e1d29d239bcf48ed9872b1a23dec5d454385f371dc6fe8406be25227c81af
                          • Instruction Fuzzy Hash: 3941A273545209AFD311DA61D980B6BB7EDFBC8718F10492BE665C3180D7B0D548CFA6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 542c6d170d97527847747372ff6e86b74208f4f93dd7439ef93ed6d18ca45cae
                          • Instruction ID: fbdfbbe3ad36b00f31fe662e8e5a7c04bf72a8aeda09f21616d9817ef79b3499
                          • Opcode Fuzzy Hash: 542c6d170d97527847747372ff6e86b74208f4f93dd7439ef93ed6d18ca45cae
                          • Instruction Fuzzy Hash: 3241DF712043018BD715EF29C884B2ABBEAFBC4318F14492DE886D7391DBB4D845CB99
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea2e77e94d02a84b3fd81d3ca3cac9eeb217cb861f9b1e53a8dc7a9ad61e8aee
                          • Instruction ID: d8107772fa852fc534a93dbf25f8111c5d9e9e4229ec2d820c1cc6994fd74d02
                          • Opcode Fuzzy Hash: ea2e77e94d02a84b3fd81d3ca3cac9eeb217cb861f9b1e53a8dc7a9ad61e8aee
                          • Instruction Fuzzy Hash: 4B319375B01505AFDB18DFA8C994AAEB7BAEF88205B158469E806D7311EF34DE02CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e41c18cd897949ec0ee3fb3392f1bc553a903f8b10395a96c54d7189f4f6352
                          • Instruction ID: 0395a9f6cba4b70abc5c23d56f5fc8b64f06d449f15358e4a69184b87460a205
                          • Opcode Fuzzy Hash: 6e41c18cd897949ec0ee3fb3392f1bc553a903f8b10395a96c54d7189f4f6352
                          • Instruction Fuzzy Hash: 1E410B32B20645CBDBA4DAEAC8817AAF3D6AB84354F154178D656CB39CDFB4D841CA08
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be77614cfa5f6c01c093cd325f1aaa31a5b5a092a1c4bbdfd9f3a61dff84c38f
                          • Instruction ID: 5f1b2bc7d2126c2906a20716cbc0e50a2b7172b8c2ab8bdd668232df80382c21
                          • Opcode Fuzzy Hash: be77614cfa5f6c01c093cd325f1aaa31a5b5a092a1c4bbdfd9f3a61dff84c38f
                          • Instruction Fuzzy Hash: D4418B75A00625EFCB18DF58C484B69B7B5FF44314F044569EA56EBA80DB30FD11CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 313626a70519f198844517226135693ae9e323aeba97f965fe98663368ab6933
                          • Instruction ID: 02b02f959686d7b536909968ab4c3b38be53c19c3575c954144d2d6860e02593
                          • Opcode Fuzzy Hash: 313626a70519f198844517226135693ae9e323aeba97f965fe98663368ab6933
                          • Instruction Fuzzy Hash: EA411639A00606EFCB26DFA8C580AA9F7B5FF48304B10466DD98697760DB30BE51DB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d3fbe12af4ed8c718bdf92de9dd708b432860f95cbed56faf93066f4923cfc8
                          • Instruction ID: ed95d59f2922f31dc70a5cf1caeb61ad85542724f0011c5829447dd00fbca354
                          • Opcode Fuzzy Hash: 2d3fbe12af4ed8c718bdf92de9dd708b432860f95cbed56faf93066f4923cfc8
                          • Instruction Fuzzy Hash: 2F411271A40318AFDB24EF18CC88BAEB7F9EF85704F1101A5E41997A85E7709E84CF91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11429dc7ce8949648a0f70364526a2419e285c3041d4f2d307f254de6a0473a1
                          • Instruction ID: 58ae3c00f125ff992da0ef9ca8b7cf0b512e75a3888a6eda88f002857871f480
                          • Opcode Fuzzy Hash: 11429dc7ce8949648a0f70364526a2419e285c3041d4f2d307f254de6a0473a1
                          • Instruction Fuzzy Hash: FE315AB2E402016FCB26AB38CC51B6BB7A9EB80754F554765FD42DB281F770DB41C650
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f79b0f6ee395c31de8d8f7a2ff0bccbf724ada8fd8431de5aa62aa02e32f8e9a
                          • Instruction ID: 080caf5c3c393196bdb50c14d0353e37d4cc15958381eeb5885a3bc6ff28ef23
                          • Opcode Fuzzy Hash: f79b0f6ee395c31de8d8f7a2ff0bccbf724ada8fd8431de5aa62aa02e32f8e9a
                          • Instruction Fuzzy Hash: F3319C36250B54BFDB329F95CC40F6A7ABAEB55740F110428F5029B960C631ED1AEB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f180f206435296ab1541f74200b0becaffd363e593797f012bd1a84ae6ee3f04
                          • Instruction ID: bbfcf57fe1e9f3178727bf5b1433204c97345a56d0c48ebbe066603283a061f2
                          • Opcode Fuzzy Hash: f180f206435296ab1541f74200b0becaffd363e593797f012bd1a84ae6ee3f04
                          • Instruction Fuzzy Hash: BE416F7AD60105EFCB519FE4C848BAEBBBCEF08741F5008B6E502D7254EB749A90CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0a39daa298e0f27eb29666f9130e4737c2caddec7c0117c637ea3f77f4231161
                          • Instruction ID: b6852f32023bde7bf4c866c0ef499001cf3b5a9cb65914152c4dfe6a655d3cad
                          • Opcode Fuzzy Hash: 0a39daa298e0f27eb29666f9130e4737c2caddec7c0117c637ea3f77f4231161
                          • Instruction Fuzzy Hash: DA31AF32900519BFDF22ABD5CC44FAEBBBAFB54710F00406AFA14AB150D7749E44CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9205a66fdfec828f6a21eafbdbf5b6f8e439f5ca3b44246bf2363a832c7bfbd
                          • Instruction ID: c93dbb607f033cfddafd996734d77abf5288085c40286f49be00d4f0a7aba659
                          • Opcode Fuzzy Hash: a9205a66fdfec828f6a21eafbdbf5b6f8e439f5ca3b44246bf2363a832c7bfbd
                          • Instruction Fuzzy Hash: 6731683650C252EAF702AFA485411AA7791FB50308FA4097BD8D28B216E27D591F9ACF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 031f66273e0317124d3c0b0128e54bc5b9a8c8b06bca60cceba23be5f185e1fc
                          • Instruction ID: dc8750a85096347cc0f26eb57a23fbdc8b14b7272d973fde70b1028bb72dedc3
                          • Opcode Fuzzy Hash: 031f66273e0317124d3c0b0128e54bc5b9a8c8b06bca60cceba23be5f185e1fc
                          • Instruction Fuzzy Hash: BB315731501611EBE7329F55CC88F6AF7A6FF00B24F51861EE4594B6D0D7A0DD40CAA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de616eed80acdceef881b371dbac31abd0c71cca34b733af5ec7eb54a38b0229
                          • Instruction ID: 6c74a74872a59d87885fe0914eb96ffb052c529cffe6f296c36340a4fd72e7a2
                          • Opcode Fuzzy Hash: de616eed80acdceef881b371dbac31abd0c71cca34b733af5ec7eb54a38b0229
                          • Instruction Fuzzy Hash: 8E31E672900A009FDB22DF19C840A9AB7FAFF84324F22856FE45597390DB359C41CF64
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19a4ef9f8553b215a87484ca27bae57805f0eb02c82b90741522338001170372
                          • Instruction ID: 0671c824f0a4388cbcd631374458d2b9f9c339c2cfa78f4430542382c0100350
                          • Opcode Fuzzy Hash: 19a4ef9f8553b215a87484ca27bae57805f0eb02c82b90741522338001170372
                          • Instruction Fuzzy Hash: 80311672D002189FDB25CF68CC81BE977B8EF59704F2000A5E55997A40C771A986CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae3ca606703b168d581b3380b1f195a8b27a261721d78f48b60a225958fe8e18
                          • Instruction ID: 3c963260f5d0d6d9a08a40fbf564cab378b94a78cb37f0edf3848fa75f7a5e96
                          • Opcode Fuzzy Hash: ae3ca606703b168d581b3380b1f195a8b27a261721d78f48b60a225958fe8e18
                          • Instruction Fuzzy Hash: 7F31C071F001199BDB24DFA8D890A6EB7BAEF84700F194839E806D7391EB709951CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6895e04dbb875806c662049c60726001b5df191a8f0e91b46e44e75fa2ceee39
                          • Instruction ID: 331a4411b6d1952a5938972059b6fb7332c2bb35a86dc0aed5461b6e4c82204f
                          • Opcode Fuzzy Hash: 6895e04dbb875806c662049c60726001b5df191a8f0e91b46e44e75fa2ceee39
                          • Instruction Fuzzy Hash: E3416DB2A0060AEFDB05CF99CC45AAABBF8FB48311F104729E11592590DB70B961CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e0e1c8e2ab8a2f050b2aa13da3bd31e39b9096b373af5ff327ee9e980011d28
                          • Instruction ID: 70fd543dbd10fa26407cba777649cf7514d963010ed9938030086866294648d8
                          • Opcode Fuzzy Hash: 6e0e1c8e2ab8a2f050b2aa13da3bd31e39b9096b373af5ff327ee9e980011d28
                          • Instruction Fuzzy Hash: 81319C322543018FD724DF2AE880B2AB7E6FB88710F19496DFD59DB291D730E905CB5A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 82e0aa15855fa377c62242bca2c8c9f7d30fafc4e51f921e2beb4d5cae3bc769
                          • Instruction ID: ebe0b2859e1ccbc91e226799e40520431137e5d6871bddaaa4835227fd7180ad
                          • Opcode Fuzzy Hash: 82e0aa15855fa377c62242bca2c8c9f7d30fafc4e51f921e2beb4d5cae3bc769
                          • Instruction Fuzzy Hash: 693133759503699BCF159F24CC84BEABBB8EF49300F0542A6E819DB201D730DA41CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81de0e781f58fc544cd8e27f1ea9b31c9f5c92cb19f372f1313cca2656a9a7b1
                          • Instruction ID: 6b80d86e42cb7524a4b53bcb16043aec56c0bf613f950cf24376a4319f1e6525
                          • Opcode Fuzzy Hash: 81de0e781f58fc544cd8e27f1ea9b31c9f5c92cb19f372f1313cca2656a9a7b1
                          • Instruction Fuzzy Hash: A9312733A00268BBCB249B99C941B7EB3B9DF85B04F09406AF501DF690E634CD45D764
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 559ad38d40b4021fa2b1fbcb369ddc7890535a3dd480e5c932063622afa3dbd1
                          • Instruction ID: 6687ac208d3dc041abd36ac4b4fb5586c8bf432bddb546be258ec9ae5ab5b16b
                          • Opcode Fuzzy Hash: 559ad38d40b4021fa2b1fbcb369ddc7890535a3dd480e5c932063622afa3dbd1
                          • Instruction Fuzzy Hash: 813137759003589FCB168F24CC51BEAFBB9EF59300F0481E5E849AB302C670DA81DFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbc7d0057151910519dc407e178122d08a8143282f41221e685de93f5ee1f636
                          • Instruction ID: 690ecdfe8cac016f56add82e6e16458ca2cb201724a0f7bd8e682cc6d7ac480e
                          • Opcode Fuzzy Hash: fbc7d0057151910519dc407e178122d08a8143282f41221e685de93f5ee1f636
                          • Instruction Fuzzy Hash: 75310731700607AFD729DFA8CC80E66B7B9FF45304B044628D981A7641FB70FA51CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0a60236ad03600d241510c647b02734476fa9c0020378d291addbd25f799fb29
                          • Instruction ID: bc6fd02ed8c4b48c0cf686ca38366a0fe76d604e0fd4240d8b4a33beebdd9ddf
                          • Opcode Fuzzy Hash: 0a60236ad03600d241510c647b02734476fa9c0020378d291addbd25f799fb29
                          • Instruction Fuzzy Hash: 98312636A40345EFCB26CF18C8E0B6E77B9EF85B10F115A66E805DB690D730E901CB68
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f8605a7d661a2599496cd409d11e32cb0418b51b261e8eb1b4059d8cdb6525a
                          • Instruction ID: a1779d6730ab32bcae75df060b8f83e7094c36d68c6bea2594771e6425520729
                          • Opcode Fuzzy Hash: 3f8605a7d661a2599496cd409d11e32cb0418b51b261e8eb1b4059d8cdb6525a
                          • Instruction Fuzzy Hash: 3131AF76D40588EFDB21CFD4CC98BAFBBB9EB45710F1101A5E901AB294DB74AD04DB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 689eccd5c9b577c7f39819fd8577f009b7dd507b70b538f9f9fb935942613e2f
                          • Instruction ID: cae5575382266513e4a0a93f9a8f79d5fefbe20365ff34cd3af2fa3f47c715d9
                          • Opcode Fuzzy Hash: 689eccd5c9b577c7f39819fd8577f009b7dd507b70b538f9f9fb935942613e2f
                          • Instruction Fuzzy Hash: 1A218621A0C3A6EAF701AF6045152EFB7A0AB15300FA8453BE88783102E2BC051FD7CF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 924c849485370926be2b256e89ecbe45fc7b0672c1334e2cfd319feeb151490c
                          • Instruction ID: 8c10b46d87f6981bee88f668bf8781395083e1cd967175d9e3b35f4712bb0599
                          • Opcode Fuzzy Hash: 924c849485370926be2b256e89ecbe45fc7b0672c1334e2cfd319feeb151490c
                          • Instruction Fuzzy Hash: 7631A1316102009BCB14DF3AE9C5A8A7BE5FF48300F958469EA08DF245D770D949CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a7ca65203f62fd444a2967894d63786a61a06d67d90add0cd94b12922b31874a
                          • Instruction ID: 10df46a6fdfbcd9183f672e30a3cef7a99c8e53e6d800a17a1e9b97cacb5a861
                          • Opcode Fuzzy Hash: a7ca65203f62fd444a2967894d63786a61a06d67d90add0cd94b12922b31874a
                          • Instruction Fuzzy Hash: AE31F43A5000019BCB1CDF68CC51ABAB3BAEF88700B59856DEC46C7754EB71AE12CB94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b105e8a90f1c12e127daea4f723b7871ccd71aeab41e367922af8e65518c542
                          • Instruction ID: 957737959e4a293d99bc84c3193a45a14aec383a1a0c2488cd77c321389828fc
                          • Opcode Fuzzy Hash: 3b105e8a90f1c12e127daea4f723b7871ccd71aeab41e367922af8e65518c542
                          • Instruction Fuzzy Hash: 2B31E4313107088BDB24CFA9D8F1FEA73DAAB48759F14453DDA168B2C4CB70E841D624
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ede3b0a7994d6514a0ca5cc6233de8841e9a1cc7b08053e1f46239a7907e2f9b
                          • Instruction ID: fb55f21db5792dc288e5be9d4c3b1ac4403edf9fed8b5722ec83d9d1b4038759
                          • Opcode Fuzzy Hash: ede3b0a7994d6514a0ca5cc6233de8841e9a1cc7b08053e1f46239a7907e2f9b
                          • Instruction Fuzzy Hash: F021397A650101EFCB25AFA4DC44B7BB76DEF84B00F04447CEE038AA54EB71A952CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2c684df5b18e5eb34281e295b991c4ddba610df7dbdd9c65ec8794b7ab848ada
                          • Instruction ID: e2ac0660dd7dd657ca1f7d5444f777d27d27b8786b7c009456f720ae173719ee
                          • Opcode Fuzzy Hash: 2c684df5b18e5eb34281e295b991c4ddba610df7dbdd9c65ec8794b7ab848ada
                          • Instruction Fuzzy Hash: 9B31B176A81225FBDB229F91CC42F9B7BACEF48B51F204465FA42A6145D770A904CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e989ad99b83619c1d59a5073817d860172d4f2a6b157cac7db467a4cf3451dfd
                          • Instruction ID: ae1ce32211fd7a5dc2ba27f6e802f76c61cc3b7bcc932b7b66d9c51e00ba463d
                          • Opcode Fuzzy Hash: e989ad99b83619c1d59a5073817d860172d4f2a6b157cac7db467a4cf3451dfd
                          • Instruction Fuzzy Hash: 673152B5E00209EBEB19DF94C980FAEB779FF48744F144069E905A7781D771AE40CB94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                          • Instruction ID: 6d0d56d5a8eed5e1b86f578cac26e109cf4f84ec3fb1191cb3d8eee9c45f2eb9
                          • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                          • Instruction Fuzzy Hash: 9631CFB1E10115EFCB14EF69C480AADB7F1FF98315F15816AE864EB341DB34AA11CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ade7184f1c747a4fa596f9d24509d6ea4d70e233035becabce7dabd0f10c6bc
                          • Instruction ID: d2aaeb4eb7f24f2045741ffc624488bb9dc02a07b300f7de07f39718d3974eca
                          • Opcode Fuzzy Hash: 4ade7184f1c747a4fa596f9d24509d6ea4d70e233035becabce7dabd0f10c6bc
                          • Instruction Fuzzy Hash: 6D219E76A01159EFDB15DB98C884EBFB7BEEF88745F158069E801D3210EB309E01CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9397fea23765e8082fe814f0842396a00541de96f8c9c51247355e98cccb0697
                          • Instruction ID: 8fe23f8f6ce8ee53fb2af69f60251a579252d7db0e278b26b471278ea255eca3
                          • Opcode Fuzzy Hash: 9397fea23765e8082fe814f0842396a00541de96f8c9c51247355e98cccb0697
                          • Instruction Fuzzy Hash: 5B31D17594020AEFDB15CF88C894BA9BFB8FF05358F1440AAED01A7391C771AE50CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ec03f074bdda81b2116686c3d3dcdd6300a7eefdceaf3bafda43778d58c26c0
                          • Instruction ID: 62280c9806db1f34ab3ef9d1989a3435a7f35d371ec208d29d47df1b7bdde020
                          • Opcode Fuzzy Hash: 1ec03f074bdda81b2116686c3d3dcdd6300a7eefdceaf3bafda43778d58c26c0
                          • Instruction Fuzzy Hash: 5631453AA006108FDF02EFA9C5C03AA37A5FF24315F16007ADD0ADB604D778CA0ACB81
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 24ba790d8f640e3aaef4839c0f2baafa2373055ec2e66e997534af3700a01562
                          • Instruction ID: 382fe0e43c9318a66f3ba725480396d85fddb9e5313a9bd9ae1f21e35352b919
                          • Opcode Fuzzy Hash: 24ba790d8f640e3aaef4839c0f2baafa2373055ec2e66e997534af3700a01562
                          • Instruction Fuzzy Hash: 2421F276642610EFD7296A24CC84B3BB3ADEF84762F444829F842D3690DF74EC11DBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 24edba22ff44de73f0d420ca5575831086af09506513ccfc30175482392e664a
                          • Instruction ID: 821121896bb41f90e32de66941a4dee9da15cf48d803adbcb0672ffdd0c0a71f
                          • Opcode Fuzzy Hash: 24edba22ff44de73f0d420ca5575831086af09506513ccfc30175482392e664a
                          • Instruction Fuzzy Hash: E821F8B6744611AFD7399A64CC46B2BB3AEEF98769F008429F845D3250DF34EC01CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 45c3f91f59943d50d534817adc4436e8db9d299e026db94aa780b6e60ba7fd01
                          • Instruction ID: 02da3430c2e33db082d3a7990b0cb76fdb48ef7172fed8a3fe9284c564091859
                          • Opcode Fuzzy Hash: 45c3f91f59943d50d534817adc4436e8db9d299e026db94aa780b6e60ba7fd01
                          • Instruction Fuzzy Hash: 52313A75A40219EFCF159FA4DC04BAE7BB9BF18701F008594FA01E61A0DB34EA68EF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5fdfdeb7a061911537e459f2e30a21ea031964344b87cf855922595e3fd50595
                          • Instruction ID: 83266519e9e92605faca80b8e70e624d49a323f49fd64b04f4cda56836c145f4
                          • Opcode Fuzzy Hash: 5fdfdeb7a061911537e459f2e30a21ea031964344b87cf855922595e3fd50595
                          • Instruction Fuzzy Hash: B0210A776405A07ED32247558C00F33FAACAB89711F054281FBACCE691C75CDA51C7B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1c8d5c2e0e60d2708a4fb0275152f771ef776fb9770bc30b960d932c762069f
                          • Instruction ID: 85df0392302cd181a7fa59b38dd6a06ea68474a236ec0bb9e20609454aaf17fb
                          • Opcode Fuzzy Hash: a1c8d5c2e0e60d2708a4fb0275152f771ef776fb9770bc30b960d932c762069f
                          • Instruction Fuzzy Hash: 0A214C76A02208EFEB159F99CD44EAABBBDEF88750F144069F906D7250D770AD11CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 192deacd4bbe6d67dbab5f790716c0ced44948d026706ec9ef65c224b0f46de3
                          • Instruction ID: fcbde286c033cdf47ffc8cd63cc44e50d8857294e87b395799d7b3107c848d81
                          • Opcode Fuzzy Hash: 192deacd4bbe6d67dbab5f790716c0ced44948d026706ec9ef65c224b0f46de3
                          • Instruction Fuzzy Hash: F921D671E40310ABC7229F68DC45B6EB7B9EF94B24F104A6AF416A72D0DB705A11DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5cbc6cda8bf9fd37d765f966061906b1f1f663916d996a1c1176493c95fef7d
                          • Instruction ID: 85afa034846b22ce9b7e589f943365bd4972ec5694d32f84e4e8b4acd9934514
                          • Opcode Fuzzy Hash: a5cbc6cda8bf9fd37d765f966061906b1f1f663916d996a1c1176493c95fef7d
                          • Instruction Fuzzy Hash: 6C21C471A40614ABCB229FA8DC45B6EB7B8FF84F24F105A6AF515F72D1DB705A10C780
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a7d812ca46430bce20d59e44e927d86d3590420e0f8fc28e160e178005733922
                          • Instruction ID: bf1f99a36809d7c3db1c1bda6fe2ff3fa9cc2da94cbf7398729021e7f513e584
                          • Opcode Fuzzy Hash: a7d812ca46430bce20d59e44e927d86d3590420e0f8fc28e160e178005733922
                          • Instruction Fuzzy Hash: D4210E72A41010DBC72BDA2C8959A7AFAAFEB8422CF290164E503D7714DF60DF01C750
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19d92ae48430801eec2dbd69be4b8e1344b002dd7a495a6d53c55e5cf987c614
                          • Instruction ID: 7326c077c61fbe66d7f23c5437d13b8a6ef6b0a3b8b6c23f3d4cd5b4423c116d
                          • Opcode Fuzzy Hash: 19d92ae48430801eec2dbd69be4b8e1344b002dd7a495a6d53c55e5cf987c614
                          • Instruction Fuzzy Hash: A83127B6E00209EBDB12DF95C984EEFBBB9FB98310F104166E916A7250D7709B41CF91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f9f0635613aaa92579e37f2375f1556a19ecedbed7d5c4638bd416cdfcd9a441
                          • Instruction ID: 5d1eb70d317789a368a9c2daabe94b53a08dacab1b454657dc5c3c0330861054
                          • Opcode Fuzzy Hash: f9f0635613aaa92579e37f2375f1556a19ecedbed7d5c4638bd416cdfcd9a441
                          • Instruction Fuzzy Hash: A4219271E40215BBDB129B94CD49F9BBABCEB05750F0145A2F905E7150D7B0AF01CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 281b1ad7d5485627b10c53cf14211516d1a032812001dbb2326bdbae50b13c23
                          • Instruction ID: eb6555624b1fe4be7139d3a4a02560a023567ef62c3d60df7886f0a76760c62c
                          • Opcode Fuzzy Hash: 281b1ad7d5485627b10c53cf14211516d1a032812001dbb2326bdbae50b13c23
                          • Instruction Fuzzy Hash: F121057A6016019FDB2D8B58CED4A7B77BDEF84212B14466DE90283240EB71AD05C7A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0c797565a8ca37f2532e383e413b87a9ecf3cec628733ce552d0bfcb20c1e19d
                          • Instruction ID: 9fb9369b1435d0e0d6fb613192bc8b8fbace441185a702946248702a9fa69a76
                          • Opcode Fuzzy Hash: 0c797565a8ca37f2532e383e413b87a9ecf3cec628733ce552d0bfcb20c1e19d
                          • Instruction Fuzzy Hash: 5C21FD72A00250EFDF219F8AC888F9EBBB9FF45714F064069E905AB290D334ED40CB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b40bf39b6180c00af540a47306d74720766af2af2e4eb8480ef4198e2282394b
                          • Instruction ID: 5dd51a49929fdcd71dd1c80fde223f9dadeab429451b649b20bffd7ddc09635d
                          • Opcode Fuzzy Hash: b40bf39b6180c00af540a47306d74720766af2af2e4eb8480ef4198e2282394b
                          • Instruction Fuzzy Hash: 7E219C32600545EFCF129F59C988A5EBBA7FF46704F1940A5EC094B265CB39DD14EF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f140e898ed09b9c99f83fea0867d84b95edfb37a024c8bfb6075eb7efde30fba
                          • Instruction ID: 28ef1f2559a006275d1b587fe060b667cb55beb4d09a3431ba7c743aac0b4e2b
                          • Opcode Fuzzy Hash: f140e898ed09b9c99f83fea0867d84b95edfb37a024c8bfb6075eb7efde30fba
                          • Instruction Fuzzy Hash: CA311675952129EBCB719B94CA4CB9AF7BCFB04705F4404E4E508A29A4CB34AE94CF20
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16b29ce21a12a9ec72ffe88e7d259463aac2bdcfd8bf83bbe4f4c51508bb1a44
                          • Instruction ID: cf06022079e4ee731fd6710c0884c0dc55d73cb3738cd1b3448694025249d4fa
                          • Opcode Fuzzy Hash: 16b29ce21a12a9ec72ffe88e7d259463aac2bdcfd8bf83bbe4f4c51508bb1a44
                          • Instruction Fuzzy Hash: 63218776981550EFCB229B99DD08F5FBFBEEF89B40F110494F10697160CB71AA10EBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8262709b7a53821b12c17db43227a7c6cb717c476bc9dc41114d0e4e20d1fa4b
                          • Instruction ID: 29cb36f41bc18c930bf6c598cb30e16f0d83e39adedb4591f245ea35f3839060
                          • Opcode Fuzzy Hash: 8262709b7a53821b12c17db43227a7c6cb717c476bc9dc41114d0e4e20d1fa4b
                          • Instruction Fuzzy Hash: BD21D272A40114BFDB269BA8CD94F7EBBBDEF84B84F150065F901A7290D774AD11CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d94027eaca43eb012e282d29f7f890f4e90fd169f8a1c5b507ea08587614244
                          • Instruction ID: e1c3aa48b3bcb900b44cb167d23a952794f9b0f5956f67ecd88ae1da9d2725fc
                          • Opcode Fuzzy Hash: 0d94027eaca43eb012e282d29f7f890f4e90fd169f8a1c5b507ea08587614244
                          • Instruction Fuzzy Hash: 1111C1B6281655AFDB2A8F94DC88F277B6EFF447E8B040424F91686650DB71EC10CBB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75de4a5b8c29da2b69e8af38a650b2e543b5d12e2c5cc8a854782a6eb4fafb55
                          • Instruction ID: 35f71b6eaf17403eddc25c52d9eb9f4f0f4087fc333de144abb0c7029fc25734
                          • Opcode Fuzzy Hash: 75de4a5b8c29da2b69e8af38a650b2e543b5d12e2c5cc8a854782a6eb4fafb55
                          • Instruction Fuzzy Hash: 7011CD3A3111118BD7698E29D484F26B7A6FF41710F24822EE80ACF2C4DB34D845CE65
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ca950bd0e2dd8da77bd3d423fca13267724d720ebe9543bf39247b9b9c8bdca
                          • Instruction ID: c96f2013df8a323b68f340b5acb99b6f3e0298460f36d2a491f26d31c070dcc1
                          • Opcode Fuzzy Hash: 0ca950bd0e2dd8da77bd3d423fca13267724d720ebe9543bf39247b9b9c8bdca
                          • Instruction Fuzzy Hash: 0611B1766A1249FFE751ABE0CD48F6BBAADEF48741F4008B0F606C6050DBB49D50DB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4a27ec9718d72797baf9398192a9099c0408dcc95cf032f6036f86a2e0b3974
                          • Instruction ID: 64f654043abee6afc42e7aa2ae238b6357c2570ebebacfbab8743e83b16c4655
                          • Opcode Fuzzy Hash: b4a27ec9718d72797baf9398192a9099c0408dcc95cf032f6036f86a2e0b3974
                          • Instruction Fuzzy Hash: B3110F35A02211ABDB359F68C450BAAFBA2AF54720F64092AE8469B680D721C842CF60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0250590042148cc190ee00a73339286d2f6b2c5938fc5bcb3a60a8d84eebcd8b
                          • Instruction ID: dadfa0fb54b0c4a7609aa0f06e868b5d35bd5754e81a0a9aab3c9b7e2c35dacc
                          • Opcode Fuzzy Hash: 0250590042148cc190ee00a73339286d2f6b2c5938fc5bcb3a60a8d84eebcd8b
                          • Instruction Fuzzy Hash: 5D216A32651601AFDB26CF68C944F67B7FAEB84756F004868E18AC7990CB71FA54CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c55a32590d7fe670a2d771fb056fdd063212e1b25cb61650a3ae0a400b89b94
                          • Instruction ID: 4c737143243f46dd3550da4694124d7cbbeecdc315dc3856fe62a0c1a2569852
                          • Opcode Fuzzy Hash: 8c55a32590d7fe670a2d771fb056fdd063212e1b25cb61650a3ae0a400b89b94
                          • Instruction Fuzzy Hash: 2711BF72B40610ABDB349B69C8E4FAE76A9EB84790F214061E905D79D0EF74EC41CA64
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 56512c747a3c70fe507835a01f7c84bcf54e379d87e6e7d26f4c6a7ac3f6b004
                          • Instruction ID: 31aa1d1afb73859c7a03ac3d57f622dd99b263e2ee5e5859426e9326f1ad2c20
                          • Opcode Fuzzy Hash: 56512c747a3c70fe507835a01f7c84bcf54e379d87e6e7d26f4c6a7ac3f6b004
                          • Instruction Fuzzy Hash: AA11CEB2601114AFD7199B58CC55E6BB6BEEB88715F24016DF406E3320DF30DE118AA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 004cbab5ec2ff302081a898e21a67c23702aa6412cc097788f175f686b5b8a5a
                          • Instruction ID: e4aef0613d8e0430df32918fe591716218c65b0ba485c731791fe00499679d49
                          • Opcode Fuzzy Hash: 004cbab5ec2ff302081a898e21a67c23702aa6412cc097788f175f686b5b8a5a
                          • Instruction Fuzzy Hash: 9121A175A00204EFC7109FA9C848FAFB7F8EF84715F114165F905AA280CB70AA04CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f3a35f96bbd128943f5027045bf0c70ea9e57d49f6fd60b61cace6e7d9c69073
                          • Instruction ID: ade284c6181f0ecde2b3d0caadf974e34fcb920deb26cc1a57d854039da68518
                          • Opcode Fuzzy Hash: f3a35f96bbd128943f5027045bf0c70ea9e57d49f6fd60b61cace6e7d9c69073
                          • Instruction Fuzzy Hash: 7B117F75A00115EFC714CF98C5D8AAEBBF9EF44B54B06406AED059B352D770ED41CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2b9ddbc52dc184145be50aa2dc0a1f239f98852444f44ef4ab5dcc74a3ff34e
                          • Instruction ID: ee91f9392f204e0548f09389b27ea551f3e0aeb2dcac7c8bb5e028a22c839864
                          • Opcode Fuzzy Hash: f2b9ddbc52dc184145be50aa2dc0a1f239f98852444f44ef4ab5dcc74a3ff34e
                          • Instruction Fuzzy Hash: BD114071B90B00ABD3367B158C05F277BE9FB54B51F004918FA56E6591DBB4DA04CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ffb92ac8f4ce5c8111c8368c962e4ef70eb2e40228a13afd3fd7872c54d3463
                          • Instruction ID: 48772f13624704001995320d550cb4fb74fa7cfb2f6740de6dcdc175a8259989
                          • Opcode Fuzzy Hash: 0ffb92ac8f4ce5c8111c8368c962e4ef70eb2e40228a13afd3fd7872c54d3463
                          • Instruction Fuzzy Hash: DB11B436A50118ABCB20DF25CC94BDE77B9EF55720F104766E916A72C0DB70EE44CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96125de6c9ebc94c45abe6c065e0d4768f4c29df985d63b062b2d8b9cf473b0c
                          • Instruction ID: ca200af3297d8cc48b1de6b4ba03a2ae611bdb4d2c27ad9d76eac79c9d52437d
                          • Opcode Fuzzy Hash: 96125de6c9ebc94c45abe6c065e0d4768f4c29df985d63b062b2d8b9cf473b0c
                          • Instruction Fuzzy Hash: 431122B6286206BFEB194B64CD49F767B6CEF88396F140469F502C60D2EB61A811CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51848ee2bc72d9bc4b086467f9b6039b781f5ff95ce4ae46ffab08f8e0d81175
                          • Instruction ID: b9fe90cc357eaac1be5bd3caf50a83d246e065a95f7509908e49e2dfd012a1f7
                          • Opcode Fuzzy Hash: 51848ee2bc72d9bc4b086467f9b6039b781f5ff95ce4ae46ffab08f8e0d81175
                          • Instruction Fuzzy Hash: 42118E7A640600EFD7298B44DDA4F6ABBADEB49714F100469FA0697680CB74AD11DB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a45f827137c05e3c10575e2f0242dcdf0156128bc5f0b23486e1d7447695d95
                          • Instruction ID: 65501f4705dd388177053c3372f4bbbe6de1e0816c919eb55465a1e4c706fc15
                          • Opcode Fuzzy Hash: 8a45f827137c05e3c10575e2f0242dcdf0156128bc5f0b23486e1d7447695d95
                          • Instruction Fuzzy Hash: 6B118276A00A119BC3239F59C450E1AFBE6EFC4B64B15851AE99D8B304DF70EE02CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8f0fcd912af53f2e596a1fb97ac7bdede5082ad9d7e4eb00e843d6c39ab2b2b
                          • Instruction ID: fb3db09515bd830682c677c20578d3d557d7a096ff4c42ac97322284943f68f7
                          • Opcode Fuzzy Hash: b8f0fcd912af53f2e596a1fb97ac7bdede5082ad9d7e4eb00e843d6c39ab2b2b
                          • Instruction Fuzzy Hash: 35014E725016509BC3279B29C440F67F7E7DF81B56B5A409FE8499B310CB30C802CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a8fb88994ae12d052108701d6dfb198188f8f16480ba0642259b61d80281f353
                          • Instruction ID: 4e2c1482284848541b44eee4f9ecf786556ed28f38602f7463a7728dce67f265
                          • Opcode Fuzzy Hash: a8fb88994ae12d052108701d6dfb198188f8f16480ba0642259b61d80281f353
                          • Instruction Fuzzy Hash: 7411CEB5654301AFE308DF64CC46FAB77ACEB88710F00481DF952CB690E670E914C7A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 130f48e93ccf7647f02cbc32fec5f9c4b97c20296de86d9c46c23f9632a36fb9
                          • Instruction ID: d6cbd4637e3736d5766ac6cddfb0888f1863242a87bdf1bf9715219e13fa034a
                          • Opcode Fuzzy Hash: 130f48e93ccf7647f02cbc32fec5f9c4b97c20296de86d9c46c23f9632a36fb9
                          • Instruction Fuzzy Hash: 8311A5B5D0020CAFCB108FD89884F9EBBFCEB48754F1105A6E919E3280D7719E46CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3471c30134d06d1763fe363b6ec0c9bb917b6046ea59351e0d71c91931520bc9
                          • Instruction ID: a270f14440a0326363443a57fd8a6c576f2efad1cb8608277fc4d33bdfd8f00f
                          • Opcode Fuzzy Hash: 3471c30134d06d1763fe363b6ec0c9bb917b6046ea59351e0d71c91931520bc9
                          • Instruction Fuzzy Hash: B5119036A00118ABCB21DF55CC94BDA77BAEB58310F000A96E94697280DB70AD84CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca8e7e14fbc83e456f8faac86db17cbb1e348670cbf8a0f3f54d40d23f6bd094
                          • Instruction ID: a1068730323aa552b581dccf5e96d604e175348fb15e091a8f595d2a4b4e0d15
                          • Opcode Fuzzy Hash: ca8e7e14fbc83e456f8faac86db17cbb1e348670cbf8a0f3f54d40d23f6bd094
                          • Instruction Fuzzy Hash: E21106B5641A809FC7369F26D948F93BBF9FF84B55F04485DA45A82A60CB71E940CF10
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11fd773aad626bdaa2774d376b6f056b2ea1a21a2967530fd5150c9a4f23ce02
                          • Instruction ID: e0dfd887387571e69b9e9733b4d686ad6e7e1e53030a893533f62dcb6909fd24
                          • Opcode Fuzzy Hash: 11fd773aad626bdaa2774d376b6f056b2ea1a21a2967530fd5150c9a4f23ce02
                          • Instruction Fuzzy Hash: CB018C33600149ABCB10DFAADC85EAFBBBAFB49614F140015E50AE7211C630DA11CBA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 82d1f84176bb38ea05f9f1dc34650e94d85e6fc60fe553b0fb1abcc32297bd58
                          • Instruction ID: 614f464a34d380b82754256ddcbfdaf8e690ba9482b5a177c0ee352b3eb5d315
                          • Opcode Fuzzy Hash: 82d1f84176bb38ea05f9f1dc34650e94d85e6fc60fe553b0fb1abcc32297bd58
                          • Instruction Fuzzy Hash: AA01AD72644346AFD710DF69DD49F6BBBACAFD8B00F004849F951872D1DAB0E908CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74c8d6825414ad8d4e27f72881480f6c146b1c3c743f87740ff84bda98316cdd
                          • Instruction ID: 3b0455fe2b3791e68c558f359b38624e1f065724dd5a4d8650bb7f61606fd75a
                          • Opcode Fuzzy Hash: 74c8d6825414ad8d4e27f72881480f6c146b1c3c743f87740ff84bda98316cdd
                          • Instruction Fuzzy Hash: 57019ABAA41418AFD721CB64CC49FBBBBBDEF49B50B0000A5F801D6110EB20AE10DBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 359bf6ea06ecd72babd43201fb151358ef32c5a96eea117d7ae7459d0104fef5
                          • Instruction ID: 9e3a64333bc9f6ad9d32fcc89813265df0097a4f4445fca1a13da5c2586412da
                          • Opcode Fuzzy Hash: 359bf6ea06ecd72babd43201fb151358ef32c5a96eea117d7ae7459d0104fef5
                          • Instruction Fuzzy Hash: BA01F73A751902DFCB228F98C990F12B3A9FB98F04F151429F402E7A60CB71ED11CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e9cfb69e283937f186d247afe2033f0d18fd19eda5f945e6a50ccc815750e1a1
                          • Instruction ID: ef31ef566dcea746e4f8fb8f38307c7f68a837219eb489d0912739c1e03108eb
                          • Opcode Fuzzy Hash: e9cfb69e283937f186d247afe2033f0d18fd19eda5f945e6a50ccc815750e1a1
                          • Instruction Fuzzy Hash: 590184767102119BDB119FAAD9C0B5DBBF9BB48758F210059FE04E7200CBF4DD458B64
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b0ccad4912b8a66ab30c92d2f7e4177146b1b29178b8eba20bcfe1d3fc137c59
                          • Instruction ID: bd5eff0d02ee60a3dabb5a5948c40f9a2bb1fa671a7a85e6f3bdff9d8987fd26
                          • Opcode Fuzzy Hash: b0ccad4912b8a66ab30c92d2f7e4177146b1b29178b8eba20bcfe1d3fc137c59
                          • Instruction Fuzzy Hash: 3D0169B2540A409FD7249F69DDC4B53BBACFF44764F040A28FA69C3AA0CB31AC51CB20
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 271cb25956db03a30d946238be230de782a24b2af34362f46b8141f569746f08
                          • Instruction ID: 3572cedcebe3c8823cd002db1bf22eab4403969b6da0dddbf13becb3f1594a65
                          • Opcode Fuzzy Hash: 271cb25956db03a30d946238be230de782a24b2af34362f46b8141f569746f08
                          • Instruction Fuzzy Hash: 8D01F93880126AEBCB10DB64C5007F9BBB4FF45705F408596E9869B885E774DB48DB54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed1bb5c5cb7ebc2e983afd470e281c463f9b431f80b722dd3a93fe7694619144
                          • Instruction ID: 869243b5fb23204fcefd6f32e04efdf16777cdebd1168b82829cc38188a6a09c
                          • Opcode Fuzzy Hash: ed1bb5c5cb7ebc2e983afd470e281c463f9b431f80b722dd3a93fe7694619144
                          • Instruction Fuzzy Hash: F0F024B0808519DEC3054B428802633BBA4FBD2356B20864FA98F264819E392493A6BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b58a2ede74182fdf0f2a66af2f5b128a69feba6ac380de6e765801931efbb0b
                          • Instruction ID: 27fc5915eec9f11b6130858ab12dff45e5af9dc1fb361597831ee84b4c807ffe
                          • Opcode Fuzzy Hash: 9b58a2ede74182fdf0f2a66af2f5b128a69feba6ac380de6e765801931efbb0b
                          • Instruction Fuzzy Hash: FA01F971658345AFD710DF68CC45F9B7BE8EB88700F008958F4A5C72C2E670D914C751
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f8af07a15bcf2910e4124fc2693e1121335449556b3a3d9a23f4086c9ce0e47
                          • Instruction ID: 0075e210f2b69112fc1db0211fbcb617fcbd4b7cbea6325958a3504f817064a2
                          • Opcode Fuzzy Hash: 6f8af07a15bcf2910e4124fc2693e1121335449556b3a3d9a23f4086c9ce0e47
                          • Instruction Fuzzy Hash: 8B01A2B5261240EFCB01DFA4C9C8E16B7AEFF60758F514169E50247619C734E940EAA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 066a2da0866d9be1b35eded124db5c59075248f0cc3baf9d73f4147ed3019baf
                          • Instruction ID: cc6ca887fecc7cd8973453c24a397eaa1f068f28b7a444980e0240ce84d77474
                          • Opcode Fuzzy Hash: 066a2da0866d9be1b35eded124db5c59075248f0cc3baf9d73f4147ed3019baf
                          • Instruction Fuzzy Hash: C7F05972710A046BCB069A8E4A4496FF2AFEFD8710F444024B406A7240CEB5DD0095A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d25bfc140a35552a397bbb7695c39a5477beca02528c7ca008ad5832d2af337
                          • Instruction ID: 264a433f350d7c2d3b9f7d35343ccaf39a4db40da7e8133f794383222528143b
                          • Opcode Fuzzy Hash: 7d25bfc140a35552a397bbb7695c39a5477beca02528c7ca008ad5832d2af337
                          • Instruction Fuzzy Hash: 64018137280A40EFDB238F04D988F12B7B9FB98B11F140564F8155BAA1C7B5EAA1CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d40489374adeac9f3fc3d556e4cf68daa55d1efa107a77aa03b98669e6fb32e2
                          • Instruction ID: 890f9afb98dedbf27507502f0c12446fd1c66f7ef7386135f082e3a0d02ea395
                          • Opcode Fuzzy Hash: d40489374adeac9f3fc3d556e4cf68daa55d1efa107a77aa03b98669e6fb32e2
                          • Instruction Fuzzy Hash: FF0119B16447009FD3298F59D504A12BFE8EF99B20F0AC0AFE54DCB261EB70D900CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a70c8ada00dfb391aec99f1be9885379693aff033bb5be8484b093408471607
                          • Instruction ID: bd8093dfbb63cdfc312e489202a7dc52d054c1ea0b7f216c1ce893494605e52b
                          • Opcode Fuzzy Hash: 6a70c8ada00dfb391aec99f1be9885379693aff033bb5be8484b093408471607
                          • Instruction Fuzzy Hash: 63F05972A8262057D33956AA6D40BA7A7CE8FD0B94F051466FD0687240DFA0DC00C7D5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8ae1bf11666d10a51f50aec1b5a378a7016508897008c179112865917755bad
                          • Instruction ID: 3df17c41fe8666960f342bcecb429dbd7b16b7e6b45e2d098294a53f9d5d23c3
                          • Opcode Fuzzy Hash: e8ae1bf11666d10a51f50aec1b5a378a7016508897008c179112865917755bad
                          • Instruction Fuzzy Hash: 64F0FF36190245DBDB229F94D808F57BBB9EF89700F02483AFA0197A20D735E824CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 78c30229848772593e8f231301357a08b88a0832456ad199566bad0043cd1a6f
                          • Instruction ID: e79b6184d1b14a50896e2ad46baf26e177f1240e3f2a1a6af8219c11c5b02267
                          • Opcode Fuzzy Hash: 78c30229848772593e8f231301357a08b88a0832456ad199566bad0043cd1a6f
                          • Instruction Fuzzy Hash: F9018175A14308AFCB09DF68D881E9A77F9FB4C700F108569F406EB281DB70EA00CB64
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5cbca4942d5ae1cd9a4fd8b9bf4842c364e144982fcf4d0c013021a8e346edbb
                          • Instruction ID: dc7371caa41dea2a61d161c0f59e6498ba8f59ad9db6a94f576729691441ce0b
                          • Opcode Fuzzy Hash: 5cbca4942d5ae1cd9a4fd8b9bf4842c364e144982fcf4d0c013021a8e346edbb
                          • Instruction Fuzzy Hash: 55018175A50309AFCB09CF68D895E9AB7F9FB4C300F108568F406EB281EB70E900CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 505e6fb90e96fba93fa3a1c39fc5caab999cb42439f75f15e1fc8d852c717609
                          • Instruction ID: a8717d7d741f3d170d8ca49838d143503200dc501b4ea2a0c4c79ad63d357ddd
                          • Opcode Fuzzy Hash: 505e6fb90e96fba93fa3a1c39fc5caab999cb42439f75f15e1fc8d852c717609
                          • Instruction Fuzzy Hash: 1301A476541980EFC7329F0ADA58F13BBF9FBA5B51B0148A9F00683A30C775A891CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d288d6234eae5069dd6f311b1f303b47c4625436ee4bed82eac489ed92e56ae
                          • Instruction ID: 4dab26302ed00a34b06cbcc020b473a1de51a729c1dd915c702f9553ccf2cd90
                          • Opcode Fuzzy Hash: 3d288d6234eae5069dd6f311b1f303b47c4625436ee4bed82eac489ed92e56ae
                          • Instruction Fuzzy Hash: E5F0B4B16406019FD7255F96CC40B13B7E9EFC8B10F104C3AE59B86551DA71E851DB10
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 55e2b1ee6351a8719708c574e386149acfb04aae3195ad1960d0aebb8871ecf5
                          • Instruction ID: af18cfa47df49ec10ce9bc1cab261579001950b38ea0727923d15b8ff101b603
                          • Opcode Fuzzy Hash: 55e2b1ee6351a8719708c574e386149acfb04aae3195ad1960d0aebb8871ecf5
                          • Instruction Fuzzy Hash: E1F02B321002549BCB266E2A98C8B5AFB5EFB85758FB64019E959271118B386C80CA94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d7de25c25547bbd4517983ac6adca0d3543af512341d1d41b082da112110186
                          • Instruction ID: ffb039cd0f5a49d7f901d6dc27eb9482f8978e8ccfaaf5dad93a8fa99b64d655
                          • Opcode Fuzzy Hash: 6d7de25c25547bbd4517983ac6adca0d3543af512341d1d41b082da112110186
                          • Instruction Fuzzy Hash: 9AF02732040751ABE7334A4DDD48B62BBA8EF81B69F2885ADF944165A0D7B29BC0C6D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f290015fbeed41d41d28b9f412efc27ec36e2aaf9e2180ffeb4d598c85f7ae4
                          • Instruction ID: c0e7324f3fa7f92a578111e7d01f86e2b566e7eba8211921246f42cdfb90edfd
                          • Opcode Fuzzy Hash: 1f290015fbeed41d41d28b9f412efc27ec36e2aaf9e2180ffeb4d598c85f7ae4
                          • Instruction Fuzzy Hash: 6CF03736441940EFC333AF19D904E13BBF9FBE8B01B0549A9E48242A20C776A992CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction ID: a24baa54d1f0c9b95f56e63d3e0550d86f921ebfe0be7a61598e50bd16242964
                          • Opcode Fuzzy Hash: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction Fuzzy Hash: 1AF0E236212104FBCF2DDB44C911F9D77B6EB84752F304024E402A7190CB76CE52EB00
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction ID: 43bfd30c21e0e6b4d7316954b11a9f575a045ac17846a4fc0ff35568f57dd724
                          • Opcode Fuzzy Hash: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction Fuzzy Hash: A1F0E236200508FBCF2ADB54C915F9DB7B7EB80759F204828E402E7194DB74CE21EB00
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction ID: 3d43d852dd077a93a0985ea86bc55662157f2c640ec881970cde884c0a884225
                          • Opcode Fuzzy Hash: 8db0e18a7b8a3efd590e1b54d32ff54e17d55024c27497d7bbf7e158f0ebdda6
                          • Instruction Fuzzy Hash: AEF0BE36200104FBCF299B44C911F9EB7B7EB90759F208024E402A7190CB74CE00EA00
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: caa62822cdf465053e146b63b1076e98f3c4c9c5e15be613f938f6d9073517bc
                          • Instruction ID: 3b054c91fa84da4d3d5fc0f29cd5c469e30bae02ae8e5f0f207b583e9c773b4c
                          • Opcode Fuzzy Hash: caa62822cdf465053e146b63b1076e98f3c4c9c5e15be613f938f6d9073517bc
                          • Instruction Fuzzy Hash: D6F05871A01648ABDB04DBBAD98AB9E7BB5AF48304F040059E606EB2C0DA74E901CB58
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: caaf3ff05f40857a9e1fe01e2b41a6701177823435337d7f4a48a3e6a347ff6c
                          • Instruction ID: f9bd434f174e79603212a9f5142571273b16546dce6505917733a6aa9d825cd8
                          • Opcode Fuzzy Hash: caaf3ff05f40857a9e1fe01e2b41a6701177823435337d7f4a48a3e6a347ff6c
                          • Instruction Fuzzy Hash: 3AF08271A01248ABDB04DBB9D94AF9E77B5AF48304F440059F906EB2C0DA74D900CB58
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76dcb2c30b152f84234d5cfbcf800d55997d907a86c9b671275c5a6feccc04c4
                          • Instruction ID: caa1ce30352ed42e879f2dd28a8f47a924bb5843d9aeae2d3b0fb86db993bfcb
                          • Opcode Fuzzy Hash: 76dcb2c30b152f84234d5cfbcf800d55997d907a86c9b671275c5a6feccc04c4
                          • Instruction Fuzzy Hash: 52F08271A01248AFDB04DBF9D84AF9E77B5AF48304F040059F606EB2C0DA74D901CB5C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8bda759f7de99c8430d6e6271968dd8f3a86250589c99ae43482654c2ea934f6
                          • Instruction ID: 18b5b2f5fedaacab707493b1629d8c0e15523b4d57b58e29e63b4d0f29efe49f
                          • Opcode Fuzzy Hash: 8bda759f7de99c8430d6e6271968dd8f3a86250589c99ae43482654c2ea934f6
                          • Instruction Fuzzy Hash: 92E05D36280430ABC3211B1ADD08B53BAAAEBC0F60F2400A0F80487280CB72A891E7A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aacb0741113de6204d24c7fb5f08aa5759b2144f5af342047bfa67bb57800d67
                          • Instruction ID: 45dbd18422188d8d6f9d414276c2fd00a972cb9bdad77cedcbefcf8c854fe04f
                          • Opcode Fuzzy Hash: aacb0741113de6204d24c7fb5f08aa5759b2144f5af342047bfa67bb57800d67
                          • Instruction Fuzzy Hash: 43F0A032100248EFEB169B54D8C4F963795FF44724F88A01BF8498B181C7B4D881CF6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e9a3895bc8445b2f303cb289edb855c44a1646ad1aac6533cee0e93f53bc3fe
                          • Instruction ID: 09dd37725958f2134421be1a77fd5f40241a30f354ed8917ccb2d7bbc3846568
                          • Opcode Fuzzy Hash: 3e9a3895bc8445b2f303cb289edb855c44a1646ad1aac6533cee0e93f53bc3fe
                          • Instruction Fuzzy Hash: B8E02232A80260ABCB21ABA1DC09F133BECDF48B51F0008A0F606DB450DB70E820DFD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1bd2ed319a9e3416ad33544a48a84ac6c83901c4270f9882c4798708eeb7069a
                          • Instruction ID: f9f41798f3424dae8b1784dbc533b2269b6225f823962f66664c6efbf0973a1a
                          • Opcode Fuzzy Hash: 1bd2ed319a9e3416ad33544a48a84ac6c83901c4270f9882c4798708eeb7069a
                          • Instruction Fuzzy Hash: 1EF05E73A01710DFDF60DF7AE98171477AAF740329F70812AC20BA6A80E7358540CF06
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16eaa15d03d5caffbe175ce4336b85558d842d732afa2dce92c9c257f2db952e
                          • Instruction ID: 3c488f314e001928788ebf4ad353fab230bba3cbc3aaada518ed36a2644c2b94
                          • Opcode Fuzzy Hash: 16eaa15d03d5caffbe175ce4336b85558d842d732afa2dce92c9c257f2db952e
                          • Instruction Fuzzy Hash: 33F06D77A90746EFCB22DFB8E504B697BE0EF59754F1405BAD412CA2A4DB30C850CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e0f1266b83fa251ae973f8d758c75bb4e56855a91b49c58df74d39b4c1e1640b
                          • Instruction ID: 5ee5ffb49c708fed34d07f4b8d118567e2f7af596cd05a0d6b12be2e2af3cd23
                          • Opcode Fuzzy Hash: e0f1266b83fa251ae973f8d758c75bb4e56855a91b49c58df74d39b4c1e1640b
                          • Instruction Fuzzy Hash: 54F0A032641650DBC7329F00D954F22B7B4FB80FA0F160858E5556BA90C372FC42CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31d55f8b8264ca50b80b4b2a2b9bc4afa03fdda552acfa5b14be85f0dc5c9c75
                          • Instruction ID: 9e1059565d8cbd8cc054a4d689c05aefc9d596137f6779eab2efd2af913f8917
                          • Opcode Fuzzy Hash: 31d55f8b8264ca50b80b4b2a2b9bc4afa03fdda552acfa5b14be85f0dc5c9c75
                          • Instruction Fuzzy Hash: 56F02B32041601EFE3339F09D819B92B7BDEF94B11F14042CE4215B960CBB0A951CF48
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a85babe915e70a0c2f41e37aa755ebf4a83c6f44567fffbd54535ce48456aa6
                          • Instruction ID: cdf59046a41a592bd7207681c2550e5d4fd848394d0c50520d656ba1af2fcca9
                          • Opcode Fuzzy Hash: 3a85babe915e70a0c2f41e37aa755ebf4a83c6f44567fffbd54535ce48456aa6
                          • Instruction Fuzzy Hash: 3FE09B39601550BB4E95AA5E801061A7F479B84650B2B801FD80557B20C79CDC45C595
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 161497f25321e1aacfe66e88fc74d645e7d57f8770688533718a648bd47814ec
                          • Instruction ID: 7611291936d00dfc4cdc2720216d9f32710f8b0e247797a3eb89a7fbdb503921
                          • Opcode Fuzzy Hash: 161497f25321e1aacfe66e88fc74d645e7d57f8770688533718a648bd47814ec
                          • Instruction Fuzzy Hash: 28F06572551B20EBD7365B04D905B2373E4EB40F25F058819A85A46990D3B49C90CA50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c6358c78eee5a257a9833e84f11393522b369cd0ecf8d3933df0641ec37e657
                          • Instruction ID: e4527eb627f59cf52db6c6d1ade33be20eac682b11242587d5745da211280c4d
                          • Opcode Fuzzy Hash: 1c6358c78eee5a257a9833e84f11393522b369cd0ecf8d3933df0641ec37e657
                          • Instruction Fuzzy Hash: 2EE0ED79841A10DFC7328F06D904D53FBF9FBD4B22715C96EE4AA52A20C731A952DF60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 040ed3658dcb1af3d545bc525139435b42f154503831f9f98753a0b035ff0a2f
                          • Instruction ID: 0afc2724d6e74a1693a4deec317e2cac86c6d7b015b6988afcf4dfad8ad4f439
                          • Opcode Fuzzy Hash: 040ed3658dcb1af3d545bc525139435b42f154503831f9f98753a0b035ff0a2f
                          • Instruction Fuzzy Hash: ECE01A37641154ABC7219B45DC08F4ABBBDEBC8F71F168065F90897620C630EC11CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aef4cc96bc72c3e41a8e6dd5b21b125eaea99618acd6ad2b8df13a47af68bf5d
                          • Instruction ID: c0db48e862515bf44e1a6edaded0bc9cbdd655aecb034bc0df292739a0b91762
                          • Opcode Fuzzy Hash: aef4cc96bc72c3e41a8e6dd5b21b125eaea99618acd6ad2b8df13a47af68bf5d
                          • Instruction Fuzzy Hash: CEF0F2B5A02112CFD711DF08C644B91BBE5FF99714F2A81A9F0589F212D372AC82CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf393dc18c8146b55fd448a9685b8ed303b6ee35732ed12ed9574824e201e52c
                          • Instruction ID: f7edbb0aeca7e6ac7096fe4d72304cc6af732192e106d1bf896e4a757b3ed566
                          • Opcode Fuzzy Hash: cf393dc18c8146b55fd448a9685b8ed303b6ee35732ed12ed9574824e201e52c
                          • Instruction Fuzzy Hash: 44E02676100114FBCF08EB81CD15FEBB7BDEB80748F100098E50712580EAB2EE02DBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a8642e3b1becec72ddabd79755291fe2f86216eb28ed19da2470aa1ac7946a8e
                          • Instruction ID: 69c488133ad8f0f72f0af7222993283fd4949662c930a70440bdbf3398c5c50b
                          • Opcode Fuzzy Hash: a8642e3b1becec72ddabd79755291fe2f86216eb28ed19da2470aa1ac7946a8e
                          • Instruction Fuzzy Hash: 22E0DF76100114EBCB08EB81C915FAAB7BDEB80648F100098E50A12580EAB2AE42DAA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                          • Instruction ID: 3f8b86acc01dedcdae8f431aeb8ea55a00f07c86e91a9356e3b38a0f7e2ae7c2
                          • Opcode Fuzzy Hash: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                          • Instruction Fuzzy Hash: 25D01733212128BBC725AE8EDC04DD3BFAEFF89BA0B018059B61C871208530E810CBE0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1abafba6580b1529a3f51d7f6ee3ad89a6ec124e62f7230ce872bb1bbed25a7d
                          • Instruction ID: 0d7de5f07f24ca7284f3e0cdf7de4204ebe690df44061ead74f0c88d503e087e
                          • Opcode Fuzzy Hash: 1abafba6580b1529a3f51d7f6ee3ad89a6ec124e62f7230ce872bb1bbed25a7d
                          • Instruction Fuzzy Hash: 8BE08C32481610EFC7329F06D818F93BBE8EF40B61F04882AF519568A4CB79B860CFD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ba390899d2dd3261167f18f3e90d4006d3a6e3cd4aad0d12ff764e8a91147776
                          • Instruction ID: 3563d5f6f6a888a95204fbb8d000a0fd858fa5174736013d1d91d26ed3c9ba6b
                          • Opcode Fuzzy Hash: ba390899d2dd3261167f18f3e90d4006d3a6e3cd4aad0d12ff764e8a91147776
                          • Instruction Fuzzy Hash: B7E08C31021621CFDB399F45D428B6272F9EF48B19F16482DA09603CA4CBB4A8C0CA40
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed07f5f1f9eaa862ff44e0e1887b1d6a2dd31e8a587b8b2a41bac0f6ecdce935
                          • Instruction ID: 9adff307179c30d9c803fba827fecdb11f2df2a2033d9f363152d70fa8928703
                          • Opcode Fuzzy Hash: ed07f5f1f9eaa862ff44e0e1887b1d6a2dd31e8a587b8b2a41bac0f6ecdce935
                          • Instruction Fuzzy Hash: 67E0B675655540AFCB1A9F58EA45F2A77B9FB98B00F050558B006D2960CB35E850CA50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee012789f962e8c9202d38419ee700e107523d27072e73c399ca0897c7fa19c4
                          • Instruction ID: 82f442d621cff8345d22b648274341f567d8acccc65f198c23947c0e4b4729b2
                          • Opcode Fuzzy Hash: ee012789f962e8c9202d38419ee700e107523d27072e73c399ca0897c7fa19c4
                          • Instruction Fuzzy Hash: 4BD05E36281258A7C3355A49AD08F82BF9CDB94B64F280065FE08976A1C6B1A890C7D4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 64adae068c7ce90a9a42eeb87ceaae34762043070be0519c6079a3662632da68
                          • Instruction ID: c143025f6451e4328f1d2c0f1b66b93bc0b13d691d44254ffd0ebc4a8c4cb35f
                          • Opcode Fuzzy Hash: 64adae068c7ce90a9a42eeb87ceaae34762043070be0519c6079a3662632da68
                          • Instruction Fuzzy Hash: 5FD0C7B2A10B50CBDB219B88951038CB3B0E740B30F10022BC012A73C0C3781A008F80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                          • Instruction ID: b169bef009d519d37ba6e11e8cdb336dc4834248067be68e5e61afa61ce67f29
                          • Opcode Fuzzy Hash: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                          • Instruction Fuzzy Hash: EBD0A7396182899BCB25CA19D654F6177D8974CE54F088014E8098F511C734F940C730
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9c8620dcf557ceb84eba038a733c53d7bdb7d16af9f06cfc3982425546509a75
                          • Instruction ID: 1ae13df68ad841a2fd8b5a97655d0119f14661c1a0c35a2d2505852d9264093f
                          • Opcode Fuzzy Hash: 9c8620dcf557ceb84eba038a733c53d7bdb7d16af9f06cfc3982425546509a75
                          • Instruction Fuzzy Hash: 04D0C9724910509FC7219B58EC08F8137ECEF49710F1908A2F101D7120CA74EC11CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f00d2cb61a6c833f6160ea02dbf231047ee2c33659bda834c43cd2b9f680fa4b
                          • Instruction ID: 6c2e2ce05c5734102487808876dfa6762b4c4abca6c535dd1c0442e3daf37fdc
                          • Opcode Fuzzy Hash: f00d2cb61a6c833f6160ea02dbf231047ee2c33659bda834c43cd2b9f680fa4b
                          • Instruction Fuzzy Hash: 6ED01C39880018DBCF1A8B84CA48BDCBBBABB18B05F0804A0E000704B0C77668E9CB20
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15c7382892aff15104916d67f80e182033c40b085e1c01ce1b5deb30857d804c
                          • Instruction ID: c81722c7d66b8a3df1edc48cea71ac7f7093695120f8fe5b08a87fa309344a30
                          • Opcode Fuzzy Hash: 15c7382892aff15104916d67f80e182033c40b085e1c01ce1b5deb30857d804c
                          • Instruction Fuzzy Hash: 4AD01271C82915DFDF36DF45C644B6EB678FB44B05F014068E50562590C3399481CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ccda87c64faed6c0f413981131d53860ac8724194056ffea492cd7effe3f8dbc
                          • Instruction ID: 139d9ec0fd4a9bd426c0a703d3de7637df6d410881cc916f324e5c8b9bc4be60
                          • Opcode Fuzzy Hash: ccda87c64faed6c0f413981131d53860ac8724194056ffea492cd7effe3f8dbc
                          • Instruction Fuzzy Hash: 7FD01232081648EBCB229F44D908F567BA9F7A4B51F544020FA0D0A9B0C775E9B0DA84
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f27f3773505e653e5494781b0ac8a64f8a3bc5a1d4a6d5adf6535a1616b21891
                          • Instruction ID: d94d307c4b1ed83b71058c158bdef82f0bbc47bb73433a2a2266a9b93258d390
                          • Opcode Fuzzy Hash: f27f3773505e653e5494781b0ac8a64f8a3bc5a1d4a6d5adf6535a1616b21891
                          • Instruction Fuzzy Hash: BFC012716B1D408EDF515B74C904B1573E9E740646F0408B4A002C1064DB65C492F600
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                          • Instruction ID: c6c65e690959229e90afeeaf942529d512a1c014b1facf98a780b7a27af07b4a
                          • Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                          • Instruction Fuzzy Hash: 6EC08C31381A409AEB221F20CD11B113AE1BB00B0CF8800A0A702D90F0CBB8CC00DE10
                          Memory Dump Source
                          • Source File: 00000000.00000002.2174306563.000000000248E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0248E000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_248e000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction ID: 0c0e8f15db3adc5b5004c56fe22e1b88d5dd7dd423a0705bc8801ea2029c287e
                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction Fuzzy Hash: BFB092383159408FDF12CB19C090B0633F4BB45A80F8400D0E808C7B10D368E8008900
                          APIs
                          • RegOpenKeyA.ADVAPI32 ref: 00412FC9
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00412FEA
                          • RegCloseKey.ADVAPI32(?), ref: 00412FF5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: 0$C$C$H$N$O$P$P$T$W$a$c$l$m$n$o$o$y
                          • API String ID: 3677997916-1107408310
                          • Opcode ID: 6eb189276da701b0ba90fe686f33c3aa95aba2da2649f31bd4b1283a92efad3f
                          • Instruction ID: a5777189d56fedae015b9355907268087e766051899948bfe1eef91ba4eb6ddf
                          • Opcode Fuzzy Hash: 6eb189276da701b0ba90fe686f33c3aa95aba2da2649f31bd4b1283a92efad3f
                          • Instruction Fuzzy Hash: 4451062110D3C19ED312CB68849469FBFE16BF6244F485D9DF2D847392C6A6C60CCBA7
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040DD21
                          • GetTickCount.KERNEL32 ref: 0040DD59
                          • wsprintfA.USER32 ref: 0040DD6A
                          • lstrcat.KERNEL32(?,?), ref: 0040DD7D
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040DD9A
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DDC3
                          • CloseHandle.KERNEL32(00000000), ref: 0040DDCA
                          • strrchr.MSVCRT ref: 0040DDE1
                          • GetFileAttributesA.KERNEL32 ref: 0040DE0C
                          • ShellExecuteA.SHELL32(00000000,?,?,00000000,00000000,00000005), ref: 0040DE29
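                           The two API lists above (the registry read at 00412FC9 and the file-drop routine at 0040DD21) are the raw material behind a behavioural signature such as the report's "Self deletion via cmd or bat file": a path under the Windows directory is built from GetTickCount, a file is created with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2), written, and then launched through ShellExecuteA with nShowCmd 5 (SW_SHOW). The following Python is an added example, not part of the Joe Sandbox report or of the sample's code. It parses the report's "Function.MODULE(args), ref: addr" line format, decodes the CreateFileA and ShellExecuteA constants, and flags the create, write, execute sequence in call-site order. Both lists are embedded as constructed sample input copied from this page; the function and constant names are the example's own. Note the caveat the listing imposes: every "?" is an argument that was not a constant at the call site, so the dropped file's path and contents cannot be recovered from this table alone and have to come from the dynamic trace or the dropped-file section.

```python
"""Parse Joe Sandbox per-function 'APIs' lists and flag a drop-and-execute
sequence. Added example; sample input below is copied from this report."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two API lists printed on this page.
REGISTRY_FUNC = """
• RegOpenKeyA.ADVAPI32 ref: 00412FC9
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00412FEA
• RegCloseKey.ADVAPI32(?), ref: 00412FF5
"""

DROPPER_FUNC = """
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040DD21
• GetTickCount.KERNEL32 ref: 0040DD59
• wsprintfA.USER32 ref: 0040DD6A
• lstrcat.KERNEL32(?,?), ref: 0040DD7D
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040DD9A
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DDC3
• CloseHandle.KERNEL32(00000000), ref: 0040DDCA
• strrchr.MSVCRT ref: 0040DDE1
• GetFileAttributesA.KERNEL32 ref: 0040DE0C
• ShellExecuteA.SHELL32(00000000,?,?,00000000,00000000,00000005), ref: 0040DE29
"""

# One report line: Function.MODULE, optional (arg,arg,...), then the call site.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 SDK values for the parameters decoded below.
GENERIC_WRITE = 0x40000000
CREATE_NEW, CREATE_ALWAYS = 1, 2
EXEC_APIS = ("ShellExecute", "ShellExecuteEx", "WinExec", "CreateProcess")
PATH_SOURCE_APIS = ("GetWindowsDirectory", "GetSystemDirectory", "GetTempPath", "GetTickCount")


@dataclass
class ApiCall:
    func: str
    module: str
    args: list          # int for a constant argument, None for '?'
    ref: int            # call-site address


def base_name(func: str) -> str:
    """Strip the ANSI/Unicode suffix so ShellExecuteA and ShellExecuteW compare equal."""
    return func[:-1] if len(func) > 1 and func[-1] in "AW" else func


def parse_call(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
    return ApiCall(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16))


def parse_api_list(text: str) -> list:
    """Return the calls sorted by call-site address (report order is not guaranteed)."""
    return sorted((c for c in map(parse_call, text.splitlines()) if c), key=lambda c: c.ref)


def describe_createfile(c: ApiCall) -> dict:
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition, dwFlagsAndAttributes."""
    access, share, disp, attrs = c.args[1], c.args[2], c.args[4], c.args[5]
    return {
        "write": access is not None and bool(access & GENERIC_WRITE),
        "creates": disp in (CREATE_NEW, CREATE_ALWAYS),
        "share_mode": share,
        "attributes": attrs,
    }


def drop_and_execute(calls: list) -> Optional[dict]:
    """Flag CreateFile(write, create) -> WriteFile -> ShellExecute/WinExec/CreateProcess.
    Returns the evidence dict, or None when the sequence is absent."""
    created_at, written = None, False
    for c in calls:
        if base_name(c.func) == "CreateFile" and len(c.args) >= 6:
            if all(describe_createfile(c)[k] for k in ("write", "creates")):
                created_at = c.ref
        elif c.func == "WriteFile" and created_at is not None:
            written = True
        elif written and base_name(c.func) in EXEC_APIS:
            return {
                "create_ref": created_at,
                "exec_func": c.func,
                "exec_ref": c.ref,
                # nShowCmd is the last ShellExecute argument; 5 == SW_SHOW.
                "show_cmd": c.args[-1] if base_name(c.func) == "ShellExecute" else None,
                # APIs before the CreateFile that typically feed the path string.
                "path_sources": [base_name(p.func) for p in calls
                                 if p.ref < created_at and base_name(p.func) in PATH_SOURCE_APIS],
            }
    return None


if __name__ == "__main__":
    for name, text in (("registry", REGISTRY_FUNC), ("dropper", DROPPER_FUNC)):
        print(name, drop_and_execute(parse_api_list(text)))
```

                           Run on the two lists, the registry routine yields no finding and the second routine is reported with create_ref 0x40DD9A, exec_ref 0x40DE29, show_cmd 5 and GetWindowsDirectory plus GetTickCount as the path sources, which is exactly the evidence a triage note for this function should cite.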
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$AttributesCloseCountCreateDirectoryExecuteHandleShellTickWindowsWritelstrcatstrrchrwsprintf
                          • String ID: %$.$R$X$\$d$e$n$o$p$u
                          • API String ID: 3537760123-2425385760
                          • Opcode ID: 80abced88884a7643756e84ed838d5ca5ba06c8ab6c0ffe030403fb4095c33ef
                          • Instruction ID: 7c2f6da5e87feae07e94fd4893d29b9b083686c953222e2c151086b22e6d6017
                          • Opcode Fuzzy Hash: 80abced88884a7643756e84ed838d5ca5ba06c8ab6c0ffe030403fb4095c33ef
                          • Instruction Fuzzy Hash: 83314D30008780AEE311CBA4CC49BABBBE8AF99705F04891CF5959A2D1D7B5D50CCB67
                          APIs
                          • wsprintfA.USER32 ref: 00413412
                            • Part of subcall function 004167D0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041683C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Openwsprintf
                          • String ID: %$C$C$E$M$T$Y$\$\$\$c$i$l$n$n$o$o$t$t$t$u$v
                          • API String ID: 2091901810-2259266472
                          • Opcode ID: e89dfe868929942b115469450514a8eceef43b0ac92d9587f8c1b7a6e96b2e31
                          • Instruction ID: 404ad6dcdc71f127c21ce46b71b477a40729a57155f5c35406a7686f57ad7c8d
                          • Opcode Fuzzy Hash: e89dfe868929942b115469450514a8eceef43b0ac92d9587f8c1b7a6e96b2e31
                          • Instruction Fuzzy Hash: 3D411A2110D3C0DDE352C668844479BFFD15BEA648F48599DF2D817382C6BA961CC77B
                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 00409B30
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00409B3E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEventStartup
                          • String ID: $ $.$=$?$E$G$H$P$c$d$e$f$o$r$t$v
                          • API String ID: 1546077022-2843977485
                          • Opcode ID: 112d71714a78db2a92b1885b83c1eb64f633aff59267a22b8db1396b039c5999
                          • Instruction ID: ff51a993914484f43e55ea4c2a5163c86b5279fed40e7423313777a9cfc51c46
                          • Opcode Fuzzy Hash: 112d71714a78db2a92b1885b83c1eb64f633aff59267a22b8db1396b039c5999
                          • Instruction Fuzzy Hash: 9731E53100D3C19EE312DF68885979BBFD15BA6708F08499DF5D81A282C7BA960CC7A7
                          APIs
                          • GetModuleHandleA.KERNEL32 ref: 00413182
                          • GetProcAddress.KERNEL32(00000000), ref: 00413189
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: G$I$N$S$a$f$i$m$n$o$s$v$y
                          • API String ID: 1646373207-1145449097
                          • Opcode ID: 9d2d806d9a12a02dc0df1381acb42fa9bb7885ecc2daa18e2f04d8cac32ae2a9
                          • Instruction ID: 62d4c462513c5264fc099211cdd11fd740871937b8766a0845fba1bbf5f5d289
                          • Opcode Fuzzy Hash: 9d2d806d9a12a02dc0df1381acb42fa9bb7885ecc2daa18e2f04d8cac32ae2a9
                          • Instruction Fuzzy Hash: 19110D1050C3C2DDE312DB68884479BBFD55BA2604F48888DE4C846292D2AAC69CC7B7
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                           • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: strrchr
                          • String ID: "%1$%s\shell\open\command$D
                          • API String ID: 3418686817-1634606264
                          • Opcode ID: 3d95508baf0b9914f8a715bc5ab35efb6fb5ad174408959a0d5f481e26e8d5c9
                          • Instruction ID: abf737447dde02aa48551020cb3b181a4de64a5b390a5b4168966a1f008039e7
                          • Opcode Fuzzy Hash: 3d95508baf0b9914f8a715bc5ab35efb6fb5ad174408959a0d5f481e26e8d5c9
                          • Instruction Fuzzy Hash: 695114321487846BF724C624CC55FEBB3D5EBC8351F40492DFA55972C0EAB6E948CB92
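The String ID field of this block (the report separates strings with `$`) lists `"%1` and `%s\shell\open\command`, so the DLL loaded at 10000000 formats a file-type handler key path. The default value of a `shell\open\command` key is the command Windows runs when a file of that class is opened; under `exefile` it is the pass-through `"%1" %*`, so a program prepended there runs before every executable the user launches, which makes the key both a persistence and a hijack location. The report shows neither which class the DLL targets nor what it writes. Added here as an example, not content from the report or the analysed sample, the following Python audits a registry export for such handlers. The `.reg` text, the `svch0st.exe` and `update.exe` paths, and the trusted-directory list are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for illustration; none of these values come from the analysed sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\svch0st.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="C:\\Users\\Public\\update.exe \"%1\""
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_VALUE = re.compile(r'^@="(?P<val>.*)"\s*$')
HANDLER_SUFFIX = "\\shell\\open\\command"
# Assumed trusted locations; weak on its own, since this sample writes into the Windows directory.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}

def parse_reg_handlers(text: str) -> Dict[str, str]:
    """Return {key path: unescaped default value} for every ...\\shell\\open\\command key in a .reg export."""
    handlers, current = {}, None
    for line in text.splitlines():
        k = KEY_LINE.match(line)
        if k:
            current = k.group("key")
            continue
        v = DEFAULT_VALUE.match(line)
        if v and current and current.lower().endswith(HANDLER_SUFFIX):
            # .reg files escape backslashes and double quotes inside string values
            handlers[current] = re.sub(r'\\(["\\])', r"\1", v.group("val"))
    return handlers

def handler_executable(command: str) -> str:
    """First token of a handler command line (quoted or not), with common %VAR% prefixes expanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    for var, val in ENV.items():
        if exe.lower().startswith(var):
            exe = val + exe[len(var):]
    return exe

def audit_handlers(handlers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag handlers that (a) no longer pass exefile straight through, or (b) run from an untrusted path."""
    findings = []
    for key, cmd in handlers.items():
        cls = key[: -len(HANDLER_SUFFIX)].rsplit("\\", 1)[-1].lower()
        exe = handler_executable(cmd)
        if cls == "exefile" and exe != "%1":
            findings.append((key, cmd, "exefile handler no longer passes straight through to \"%1\"; "
                                       "the prepended program runs on every .exe launch"))
        elif exe != "%1" and not exe.lower().startswith(TRUSTED_PREFIXES):
            findings.append((key, cmd, "handler executable outside trusted directories"))
    return findings

if __name__ == "__main__":
    for key, cmd, why in audit_handlers(parse_reg_handlers(SAMPLE_REG)):
        print(f"{key}\n    {cmd}\n    -> {why}")
```

Export the hives with `reg export HKCR` and `reg export HKCU\Software\Classes` (the per-user tree overrides HKCR for that user) and feed both files through `parse_reg_handlers`. The trusted-directory check is only a first pass; pair it with a signature or hash check on the handler binary.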
                          APIs
                          • printf.MSVCRT ref: 0040FA52
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040FA65
                          • lstrcat.KERNEL32(?,\Sougou.key), ref: 0040FA75
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040FA92
                          • GetFileSize.KERNEL32 ref: 0040FAA5
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040FAB9
                          • lstrlen.KERNEL32(?), ref: 0040FAC0
                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040FAC9
                          • lstrlen.KERNEL32(?,?,00000000,00000000), ref: 0040FAEF
                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040FAF8
                          • CloseHandle.KERNEL32(00000000), ref: 0040FAFF
                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040FB06
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$lstrlen$??2@??3@CloseCreateDirectoryHandlePointerSizeSystemWritelstrcatprintf
                          • String ID: \Sougou.key
                          • API String ID: 1205179895-2681673768
                          • Opcode ID: 0426067e4fc9f9e8bb2c13d7c9abc7661a00f27c6fbbd89c8e7acfb26a624020
                          • Instruction ID: d01b7ffbd0e4aa21fd858b23476d347331728b475cf0bbae3088cc0b3755bcae
                          • Opcode Fuzzy Hash: 0426067e4fc9f9e8bb2c13d7c9abc7661a00f27c6fbbd89c8e7acfb26a624020
                          • Instruction Fuzzy Hash: 4441EF7624D3D06FE32387304C89B963F299B4B304F0944AAE6866A1D3D679990DCB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: mallocstrrchr
                          • String ID: 0$S$W$\$e$f$i$l$n$u
                          • API String ID: 4015919094-2110482952
                          • Opcode ID: 021a82a7e36cc6b4a8cfdd105335c01447507dfad826c9b66bc0ab53eea4b1cd
                          • Instruction ID: 59982c7b64dd3e03eb000cc3e8e04c972671aaffe5f64e1a66e2920706f36926
                          • Opcode Fuzzy Hash: 021a82a7e36cc6b4a8cfdd105335c01447507dfad826c9b66bc0ab53eea4b1cd
                          • Instruction Fuzzy Hash: EB31C63160C3809AE311C6289C4479BBFC59BE5718F44492EF6859B3C1D6BAC50AC7B7
                          APIs
                          • printf.MSVCRT ref: 0040FA52
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040FA65
                          • lstrcat.KERNEL32(?,\Sougou.key), ref: 0040FA75
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040FA92
                          • GetFileSize.KERNEL32 ref: 0040FAA5
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040FAB9
                          • lstrlen.KERNEL32(?), ref: 0040FAC0
                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040FAC9
                          • lstrlen.KERNEL32(?,?,00000000,00000000), ref: 0040FAEF
                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040FAF8
                          • CloseHandle.KERNEL32(00000000), ref: 0040FAFF
                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040FB06
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$lstrlen$??2@??3@CloseCreateDirectoryHandlePointerSizeSystemWritelstrcatprintf
                          • String ID: \Sougou.key
                          • API String ID: 1205179895-2681673768
                          • Opcode ID: c0f9fd7a0b99d89fc43e287de6960931e2640a415f71e670be8ece2a73d9037c
                          • Instruction ID: e0b5b0d09919709e536723d97690caa08eb1683e952990e8dc126d902346c514
                          • Opcode Fuzzy Hash: c0f9fd7a0b99d89fc43e287de6960931e2640a415f71e670be8ece2a73d9037c
                          • Instruction Fuzzy Hash: AD2106B52403107FF3219B608C8AFAB3B1CEB4DB15F048424F746951D2DA79E548C766
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415396
                          • LocalAlloc.KERNEL32(00000040,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF), ref: 004153CC
                          • LocalAlloc.KERNEL32(00000040,00000400,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF), ref: 004153F9
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocalService$Open$CloseConfig2HandleManagerQuerylstrcpy
                          • String ID:
                          • API String ID: 842639456-0
                          • Opcode ID: 391456d064f7fe0e45d11283bcfa402338f6d4eaaf79984abd85a8b57a12883c
                          • Instruction ID: e38f1ba9e12d5fc9c32ca498c04b85621e75031826115e43c661d7ad8e0ba384
                          • Opcode Fuzzy Hash: 391456d064f7fe0e45d11283bcfa402338f6d4eaaf79984abd85a8b57a12883c
                          • Instruction Fuzzy Hash: A1C15C712043469FD728DF24CC95AABB7E6FBC8704F40891DF98A97240DB75E909CB92
                          APIs
                          • ReleaseDC.USER32(?,?), ref: 1000A448
                          • DeleteDC.GDI32(?), ref: 1000A458
                          • DeleteDC.GDI32(?), ref: 1000A45E
                          • DeleteDC.GDI32(?), ref: 1000A464
                          • DeleteDC.GDI32(?), ref: 1000A46D
                          • DeleteObject.GDI32(?), ref: 1000A479
                          • DeleteObject.GDI32(?), ref: 1000A47F
                          • DeleteObject.GDI32(?), ref: 1000A488
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,1000A3F8), ref: 1000A492
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,1000A3F8), ref: 1000A49E
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10015BFE,000000FF,1000A3F8), ref: 1000A4A7
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,10015BFE,000000FF,1000A3F8), ref: 1000A4B0
                          • DestroyCursor.USER32(00000000), ref: 1000A4D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Delete$??3@$Object$CursorDestroyRelease
                          • String ID:
                          • API String ID: 2735177900-0
                          • Opcode ID: f474a92b8d48d5b6725fe7483a2314ee6cbf909e89f77f74c79bf5491a89367c
                          • Instruction ID: 61c0e9c0f8e7e3ce1935cee4efaa01a947d572eaa86b5d6a36df27cad98912fc
                          • Opcode Fuzzy Hash: f474a92b8d48d5b6725fe7483a2314ee6cbf909e89f77f74c79bf5491a89367c
                          • Instruction Fuzzy Hash: FB21E6B66007509BE720DB69CC80A57F3E8FF88650F158E1DF69687750DBB9F8408BA0
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00413E2E
                          • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00413E43
                          • GetEnvironmentVariableA.KERNEL32(1001C368,?,00000104), ref: 00413E5B
                          • ShellExecuteEx.SHELL32 ref: 00413ED3
                          • GetCurrentProcess.KERNEL32(00000100), ref: 00413EF1
                          • GetCurrentThread.KERNEL32 ref: 00413EFC
                          • SetThreadPriority.KERNEL32(00000000), ref: 00413F03
                          • SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 00413F13
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentNameThread$ChangeEnvironmentExecuteFileModuleNotifyPathPriorityProcessShellShortVariable
                          • String ID: <$@
                          • API String ID: 199731047-1426351568
                          • Opcode ID: 790a9a99085931344bddd0cd1b9094bef67aeb8ba876bffc1c0d7be9ac9bc884
                          • Instruction ID: 2b75dba822d1e8fc8b1160359650c1eab24eee46a86d95224beeec679e70f17f
                          • Opcode Fuzzy Hash: 790a9a99085931344bddd0cd1b9094bef67aeb8ba876bffc1c0d7be9ac9bc884
                          • Instruction Fuzzy Hash: 88316DB1108345AFE320CB64CC84BDBBBA8FBC9341F00492DF78996190DA75D6488B92
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0040DFDC
                          • OpenServiceA.ADVAPI32(00000000,Java(TM) Platform Sa 8,000F01FF), ref: 0040DFED
                          • DeleteService.ADVAPI32(00000000), ref: 0040DFF4
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E004
                          • DeleteFileA.KERNEL32(?), ref: 0040E03D
                            • Part of subcall function 004165A0: wsprintfA.USER32 ref: 004165C7
                            • Part of subcall function 004165A0: lstrlen.KERNEL32(?,00000003), ref: 004165DA
                            • Part of subcall function 0040DE40: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,\Sougou.key), ref: 0040DE57
                            • Part of subcall function 0040DE40: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0040DE74
                            • Part of subcall function 0040DE40: GetEnvironmentVariableA.KERNEL32(1001C368,?,00000104), ref: 0040DE94
                            • Part of subcall function 0040DE40: lstrcpy.KERNEL32(?,1001C35C), ref: 0040DEAF
                            • Part of subcall function 0040DE40: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,?), ref: 0040DF68
                            • Part of subcall function 0040DE40: ResumeThread.KERNEL32(?), ref: 0040DF89
                          • exit.MSVCRT ref: 0040E061
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteFileNameOpenService$CreateDirectoryEnvironmentManagerModulePathProcessResumeShortSystemThreadVariableexitlstrcpylstrlenwsprintf
                          • String ID: Java(TM) Platform Sa 8$\Sougou.key$urq5pg==
                          • API String ID: 2242889592-1662626513
                          • Opcode ID: b71fd93ea570de32525c792c842a2e28e44f9c3db36aeff1bb1ad5427ae356ff
                          • Instruction ID: 7a9f5a9e06a80204f3fbccd372b0c8be0460dfa86001a56d078445b6b0de8a55
                          • Opcode Fuzzy Hash: b71fd93ea570de32525c792c842a2e28e44f9c3db36aeff1bb1ad5427ae356ff
                          • Instruction Fuzzy Hash: AD01F9756402007BD714A7B59C89F9F3A54FF88332F408629F7279A1D1DEB5D944C215
                          APIs
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 00410E74
                          • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 00410EA6
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00410EE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocInfoLocalOpenQuery
                          • String ID:
                          • API String ID: 2864171124-0
                          • Opcode ID: 62b1bebeb1334b61c0aaf0f541bd57fac12a36217b78a482289cd37edeb07b62
                          • Instruction ID: a9020e77cc8cfaed33eaf899413ece504e14c67cb430865be9e5e422daf0b5f1
                          • Opcode Fuzzy Hash: 62b1bebeb1334b61c0aaf0f541bd57fac12a36217b78a482289cd37edeb07b62
                          • Instruction Fuzzy Hash: 5661ACB1604315AFD310CF18CC84AABBBE9EB8C354F048A2DF68987310E675D985CB96
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,\Sougou.key), ref: 0040DE57
                          • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0040DE74
                          • GetEnvironmentVariableA.KERNEL32(1001C368,?,00000104), ref: 0040DE94
                          • lstrcpy.KERNEL32(?,1001C35C), ref: 0040DEAF
                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,?), ref: 0040DF68
                          • ResumeThread.KERNEL32(?), ref: 0040DF89
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Name$CreateEnvironmentFileModulePathProcessResumeShortThreadVariablelstrcpy
                          • String ID: D$\Sougou.key
                          • API String ID: 1297247071-2636641532
                          • Opcode ID: dcecbe676664645b004d2155a65d112b30c019abebdce1085a57994f43e1f12d
                          • Instruction ID: 5c9b1e45f1e3e1154b47ebc05a552f60b17b131f9e897c9c983497b2c3122df6
                          • Opcode Fuzzy Hash: dcecbe676664645b004d2155a65d112b30c019abebdce1085a57994f43e1f12d
                          • Instruction Fuzzy Hash: A54153B1644355ABE710DBA4CC85FABB7ACFBC8700F04891DF64597180DBB9E908CB66
                          APIs
                            • Part of subcall function 10007E20: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,1000552E,?,74DF23A0,00000000,1000BC2C,?,?,?), ref: 10007E3E
                            • Part of subcall function 10007F10: WaitForSingleObject.KERNEL32(?,000000FF,10009BC0,?,?,?,?,?,10015BC0,000000FF), ref: 10007F16
                            • Part of subcall function 10007F10: Sleep.KERNEL32(0000012C,?,?,?,?,?,10015BC0,000000FF), ref: 10007F21
                          • CreateDialogParamA.USER32(00000000,00000067,00000000,10001770,00000000), ref: 10001492
                          • UpdateWindow.USER32(00000000), ref: 100014A7
                          • ShowWindow.USER32(?,00000001), ref: 100014B6
                          • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 100014CF
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 100014FF
                          • SendMessageA.USER32(?,00000111,00000068,00000000), ref: 10001518
                          • TranslateMessage.USER32(?), ref: 10001521
                          • DispatchMessageA.USER32(?), ref: 10001528
                          • EndDialog.USER32(?,00000000), ref: 10001546
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Message$Window$CreateDialog$DispatchEventObjectParamSendShowSingleSleepTranslateUpdateWait
                          • String ID:
                          • API String ID: 720321572-0
                          • Opcode ID: cd962a2dc541ac116af59e807577d7df683b5d13c8eeb055f2151b7ec44cf51c
                          • Instruction ID: 96f83ec6ae1319603fb923dae4b51caf586e10b6161c43611a384f7e5464f2ab
                          • Opcode Fuzzy Hash: cd962a2dc541ac116af59e807577d7df683b5d13c8eeb055f2151b7ec44cf51c
                          • Instruction Fuzzy Hash: B231D035244350AFE620CB64CC86F9AB7E8EB88B40F00490DF7A5AB2C5CBB4E500CB56
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,00000030), ref: 1000D812
                          • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,00000030), ref: 1000D84D
                          • GetLastError.KERNEL32(?,00000030), ref: 1000D855
                          • QueryServiceStatus.ADVAPI32(00000000,?,?,00000030), ref: 1000D861
                          • ControlService.ADVAPI32(00000000,00000001,?), ref: 1000D876
                          • DeleteService.ADVAPI32(00000000), ref: 1000D87D
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1000D88A
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1000D88D
                          • Sleep.KERNEL32(00000064), ref: 1000D891
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Service$CloseHandleOpen$ControlDeleteErrorLastManagerQuerySleepStatus
                          • String ID:
                          • API String ID: 2697554486-0
                          • Opcode ID: a5cec3d77de77fa0bf0afbb8fb5e5e49bf7da689854d530b457bd50ff4054adf
                          • Instruction ID: 1b27e2a7bfdfe62933688d0325b18f499ed29002b13c72f242a42f9133ccfdb8
                          • Opcode Fuzzy Hash: a5cec3d77de77fa0bf0afbb8fb5e5e49bf7da689854d530b457bd50ff4054adf
                          • Instruction Fuzzy Hash: 0411A7316412246FE314EB70DC8DEAF7BA9FB8D351F008519FA1687290DAB59D08C7A1
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 0040968C
                          • wsprintfA.USER32 ref: 004096D2
                          • SetDlgItemTextA.USER32(?,00000067), ref: 00409785
                          • GetDlgItem.USER32(?,00000067), ref: 00409794
                          • SendMessageA.USER32(00000000,00000115,00000007,00000000), ref: 004097A4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Item$LocalMessageSendTextTimewsprintf
                          • String ID: $:
                          • API String ID: 1507969849-4289614325
                          • Opcode ID: 50da4107415e05ea6c2103623f62174c1a52d15a8753cc985daa85ab976e125e
                          • Instruction ID: 0c8812048e720c8f74548fbe2c9d36635f11cbb98dc548ad0e1e01764a2b5e60
                          • Opcode Fuzzy Hash: 50da4107415e05ea6c2103623f62174c1a52d15a8753cc985daa85ab976e125e
                          • Instruction Fuzzy Hash: 3D31BD326049095BDB2C8A789C5697B76D7FFD4331B68432EBA27876D4CEB5CD098240
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: D
                          • API String ID: 0-2746444292
                          APIs
                          • LoadLibraryA.KERNEL32(1001C5E4), ref: 004101CE
                          • GetProcAddress.KERNEL32(00000000,1001C5D8), ref: 004101DE
                          • LoadLibraryA.KERNEL32(1001C5E4), ref: 00410240
                          • GetProcAddress.KERNEL32(00000000,1001C5F0), ref: 0041024C
                          • GetLastError.KERNEL32(?,?,00000000), ref: 00410286
                          • CloseHandle.KERNEL32(00000000), ref: 004102CA
                          • FreeLibrary.KERNEL32(?), ref: 004102F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressLoadProc$CloseErrorFreeHandleLast
                          • String ID:
                          • API String ID: 1145761178-0
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 0040B3FF
                          • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000), ref: 0040B41E
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0040B427
                          • lstrlen.KERNEL32(?,?,?,?,00000000), ref: 0040B42E
                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,00000000), ref: 0040B43C
                          • lstrlen.KERNEL32(?,?,?,?,00000000), ref: 0040B46A
                          • LocalFree.KERNEL32(00000000,?,?,?,00000000), ref: 0040B492
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                          • String ID:
                          • API String ID: 2793549963-0
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,0040A562), ref: 0040B4E7
                            • Part of subcall function 0040B590: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,0040A562), ref: 0040B5B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??3@CreateFile
                          • String ID:
                          • API String ID: 1804927778-0
                          APIs
                          • Sleep.KERNEL32(0000000A), ref: 10009C5C
                          • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10009C7A
                          • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10009C8D
                          • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10009CA9
                          • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10009CBC
                            • Part of subcall function 100096D0: WaitForSingleObject.KERNEL32(?), ref: 100096FC
                            • Part of subcall function 100096D0: CloseHandle.KERNEL32(?), ref: 10009709
                            • Part of subcall function 100096D0: ??2@YAPAXI@Z.MSVCRT(00000110), ref: 10009737
                          • BlockInput.USER32(?), ref: 10009CCC
                          • BlockInput.USER32(00000000), ref: 10009CFF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: BlockInfoInputMessageParametersSendSystem$??2@CloseHandleObjectSingleSleepWait
                          • String ID:
                          • API String ID: 485892433-0
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0040E20D,00000000,?), ref: 0040E403
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E413
                          • SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68), ref: 0040E42F
                          • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E438
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,1001C1F8), ref: 0040E44C
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 0040E472
                          • CloseHandle.KERNEL32(00000000,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E47C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$??2@??3@CloseCreateHandlePointerReadSize
                          • String ID:
                          • API String ID: 3967827567-0
                          APIs
                          • wsprintfA.USER32 ref: 1000B44A
                            • Part of subcall function 1000E780: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?,74DF23A0,?,?), ref: 1000E7EC
                          • lstrlenA.KERNEL32(?), ref: 1000B476
                          • gethostname.WS2_32(?,?), ref: 1000B47E
                          • lstrlenA.KERNEL32(?), ref: 1000B485
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: lstrlen$Opengethostnamewsprintf
                          • String ID: Host$SYSTEM\CurrentControlSet\Services\%s
                          • API String ID: 2381335061-3973614608
                          APIs
                          • LoadCursorA.USER32(00000000,00000000), ref: 00412233
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CursorLoad
                          • String ID:
                          • API String ID: 3238433803-0
                          APIs
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • lstrcpy.KERNEL32(?,1001CD5C), ref: 004155D1
                          • LocalSize.KERNEL32(00000000), ref: 00415600
                          • LocalReAlloc.KERNEL32(00000000,00002001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 0041560E
                          • CloseServiceHandle.ADVAPI32(?,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 004157CB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$Local$AllocCloseHandlelstrcpy$Config2OpenQuerySize
                          • String ID:
                          • API String ID: 3688964639-0
                          • Opcode ID: 57d7d373bdbde9a0607095b243a231fdc07fb449f71db1d85ae2d244c8d6be0b
                          • Instruction ID: 3912a2ef1d92fb019d887051c316ec5f677097f9d25d25edb90051ee024050a1
                          • Opcode Fuzzy Hash: 57d7d373bdbde9a0607095b243a231fdc07fb449f71db1d85ae2d244c8d6be0b
                          • Instruction Fuzzy Hash: A56152762047058BC728DF24D8909BFF3E6FBC8704F44491DE98A97341CA39E94ACB95
                          APIs
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • lstrcpy.KERNEL32(?,1001CD5C), ref: 004155D1
                          • LocalSize.KERNEL32(00000000), ref: 00415600
                          • LocalReAlloc.KERNEL32(00000000,00002001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 0041560E
                          • CloseServiceHandle.ADVAPI32(?,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 004157CB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Similarity
                          • API ID: Service$Local$AllocCloseHandlelstrcpy$Config2OpenQuerySize
                          • String ID:
                          • API String ID: 3688964639-0
                          • Opcode ID: d385b7517b6c22bf92cab67fd05ddea946de00b99ce413c90450ae71a11a6330
                          • Instruction ID: 698d362917072422929bd88da0ce3131c1ca5a2b8d3d2a3dc1e15ac500c69ccf
                          • Opcode Fuzzy Hash: d385b7517b6c22bf92cab67fd05ddea946de00b99ce413c90450ae71a11a6330
                          • Instruction Fuzzy Hash: 5C6152762047058BC728DF24D8909BFF3E6FBC8704F44491DE98A97341DA39E94ACB91
                          APIs
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • lstrcpy.KERNEL32(?,1001CD5C), ref: 004155D1
                          • LocalSize.KERNEL32(00000000), ref: 00415600
                          • LocalReAlloc.KERNEL32(00000000,00002001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 0041560E
                          • CloseServiceHandle.ADVAPI32(?,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 004157CB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Similarity
                          • API ID: Service$Local$AllocCloseHandlelstrcpy$Config2OpenQuerySize
                          • String ID:
                          • API String ID: 3688964639-0
                          • Opcode ID: 68a3564f8c02d45fe105cb6dd3d926aef1bbc0f5bb26d8bea1d4be9c8d4abfbd
                          • Instruction ID: c5ec3402ec8ff368c8c17e59a3c66b36a595f18c39fdc07a7d1837005dcd75c5
                          • Opcode Fuzzy Hash: 68a3564f8c02d45fe105cb6dd3d926aef1bbc0f5bb26d8bea1d4be9c8d4abfbd
                          • Instruction Fuzzy Hash: AC6152766047058BC728DF24D8909BFF3E6FBC8704F44491DE98A97341CA39E90ACB51
                          APIs
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • lstrcpy.KERNEL32(?,1001CD5C), ref: 004155D1
                          • LocalSize.KERNEL32(00000000), ref: 00415600
                          • LocalReAlloc.KERNEL32(00000000,00002001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 0041560E
                          • CloseServiceHandle.ADVAPI32(?,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 004157CB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Similarity
                          • API ID: Service$Local$AllocCloseHandlelstrcpy$Config2OpenQuerySize
                          • String ID:
                          • API String ID: 3688964639-0
                          • Opcode ID: 358b08963f6ac802f09667f7cbb6ee680ef46dd9d50c1106cdbf090270ba256e
                          • Instruction ID: b8c8a6a99a53269dcf8019b909d10939f1140fde8b2c68817d0a65ffde667f24
                          • Opcode Fuzzy Hash: 358b08963f6ac802f09667f7cbb6ee680ef46dd9d50c1106cdbf090270ba256e
                          • Instruction Fuzzy Hash: 766152762047058BC728DF24D8909BFF3E6FBC8704F44491DE98A97341CA39E94ACB91
                          APIs
                          • OpenServiceA.ADVAPI32(?,00000800,000F01FF,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415450
                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,?,00002000,00002000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?), ref: 00415477
                          • lstrcpy.KERNEL32(?,?), ref: 004154A1
                          • lstrcpy.KERNEL32(?,1001CD5C), ref: 004155D1
                          • LocalSize.KERNEL32(00000000), ref: 00415600
                          • LocalReAlloc.KERNEL32(00000000,00002001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 0041560E
                          • CloseServiceHandle.ADVAPI32(?,?,?,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 004157CB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38,000000FF,0040CCB3), ref: 004157F6
                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042,?,?,0041533E,1001C1F8,?,?,004151AE,00000030,?,?,?,00000000,10015C38), ref: 00415804
                          Similarity
                          • API ID: Service$Local$AllocCloseHandlelstrcpy$Config2OpenQuerySize
                          • String ID:
                          • API String ID: 3688964639-0
                          • Opcode ID: d71fc03120e562a347c3927acb6570014d4d4c1f4adb4650213615b6b8ef486f
                          • Instruction ID: 621bbdce2fdb86cbbfbd743704dc0bd97ef1ea78020c46e4a6ca3346f2338f7c
                          • Opcode Fuzzy Hash: d71fc03120e562a347c3927acb6570014d4d4c1f4adb4650213615b6b8ef486f
                          • Instruction Fuzzy Hash: 2A6152762047058BC728DF24D8909BFF3E6FBC8704F44491DE98A97341DA39E94ACB91
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(?,0000005C,00000000,00000000,00000060,00000000,0041232D,?,?,00000001), ref: 0041281B
                          • GetDC.USER32(00000000), ref: 00412876
                          • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 00412883
                          • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412896
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041289F
                          • DeleteObject.GDI32(00000000), ref: 004128A6
                          Similarity
                          • API ID: ??2@BitmapBitsCompatibleCreateDeleteObjectRelease
                          • String ID:
                          • API String ID: 1095915628-0
                          • Opcode ID: da8626790f9b00ac3c055f98ad32e36f4a7136cd433681f8bbdaf56eab40e7b2
                          • Instruction ID: 8049cba281d31ae5997f224025e92c46ecd9dbfe15c4627fb1461bb914252f4d
                          • Opcode Fuzzy Hash: da8626790f9b00ac3c055f98ad32e36f4a7136cd433681f8bbdaf56eab40e7b2
                          • Instruction Fuzzy Hash: 9A31F3712017054FD324CF29CC84B6BFBE6FF99308F048A6DE0468B291E7B0A519CB50
                          APIs
                            • Part of subcall function 0040FE70: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040949A,?), ref: 0040FE8E
                            • Part of subcall function 0040FF60: WaitForSingleObject.KERNEL32(?,000000FF,00411C10,?,?,?,?,?,10015BC0,000000FF), ref: 0040FF66
                            • Part of subcall function 0040FF60: Sleep.KERNEL32(0000012C,?,?,?,?,?,10015BC0,000000FF), ref: 0040FF71
                          • CreateDialogParamA.USER32(00000000,00000067,00000000,10001770,00000000), ref: 004094E2
                          • UpdateWindow.USER32(00000000), ref: 004094F7
                          • ShowWindow.USER32(?,00000001), ref: 00409506
                          • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 0040951F
                          • DispatchMessageA.USER32(?), ref: 00409578
                          • EndDialog.USER32(?,00000000), ref: 00409596
                          Similarity
                          • API ID: Window$CreateDialog$DispatchEventMessageObjectParamShowSingleSleepUpdateWait
                          • String ID:
                          • API String ID: 3480751822-0
                          • Opcode ID: 1d7b6e67898aacad6d35d0b7780379e1d35af11013f859fe2b69a04cffe9e766
                          • Instruction ID: 121de915ddbc45b863730c422c4551d965c994b5fb5068725c758dd2d206f488
                          • Opcode Fuzzy Hash: 1d7b6e67898aacad6d35d0b7780379e1d35af11013f859fe2b69a04cffe9e766
                          • Instruction Fuzzy Hash: 99319631244310BFE624DF65CC46F9BB7A8AB48B14F10492EF795A72D1CBB8E904CB59
                          APIs
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 00413A19
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 00413A32
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00413A3B
                          • rand.MSVCRT ref: 00413A78
                          • WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000,00000000), ref: 00413AAA
                          • CloseHandle.KERNEL32(00000000), ref: 00413AB7
                          Similarity
                          • API ID: File$CloseCreateHandlePointerSizeWriterand
                          • String ID:
                          • API String ID: 2843381408-0
                          • Opcode ID: b4ac9d9f731f5794f9992d927280b367817fbf91527505d7809acbbc0f37557c
                          • Instruction ID: 94323543e679b579830e2eafba7e663c2aa98c14806e5b033c5b6ad210b6dab1
                          • Opcode Fuzzy Hash: b4ac9d9f731f5794f9992d927280b367817fbf91527505d7809acbbc0f37557c
                          • Instruction Fuzzy Hash: 94213A752403607FF3209B64CC89FBF7658AB88B81F008526FF96A62C1CA799949875C
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strrchr
                          • String ID: D
                          • API String ID: 3418686817-2746444292
                          • Opcode ID: f38c56b1f3b124d6632bea9b4c0046acae4e7071f6f2881ca646e14b74fd91b1
                          • Instruction ID: 35c459f17de2a5f5fed2adb5f3e1463d15cefeb786be0a666e6c26abdbb327c0
                          • Opcode Fuzzy Hash: f38c56b1f3b124d6632bea9b4c0046acae4e7071f6f2881ca646e14b74fd91b1
                          • Instruction Fuzzy Hash: 24416172244345ABE614CB64DC80FEBB3ECEBC8314F048D1EFA5497250DA75E54987A2
                          APIs
                          • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 1000E03E
                          • GetProcAddress.KERNEL32(00000000), ref: 1000E045
                            • Part of subcall function 10007F30: SetEvent.KERNEL32(?,10009885), ref: 10007F34
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
                          • Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: AddressEventLibraryLoadProc
                          • String ID: /$KERNEL32.dll$WriteFile
                          • API String ID: 3618500942-2955203401
                          • Opcode ID: 062eb61644b10e4f370a9105e02ace05ae66045ae877b6a3ce671070a10d2ec2
                          • Instruction ID: c4cb73489d300caf7f2179ffc9de7229d5e6fe079b52cd3bf2237533034edc3d
                          • Opcode Fuzzy Hash: 062eb61644b10e4f370a9105e02ace05ae66045ae877b6a3ce671070a10d2ec2
                          • Instruction Fuzzy Hash: 36F0A7733142512BE228E754DC49EEB676AEBD9761F10851EF24696140CB70EC80C370
                          APIs
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?,00000000), ref: 004111BF
                          • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 004111F1
                          • LocalAlloc.KERNEL32(00000040,?,10016210,10016218), ref: 00411244
                          • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,00000000,?,?), ref: 00411317
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocEnumInfoLocalOpenQueryValue
                          • String ID:
                          • API String ID: 3558969620-0
                          • Opcode ID: 229884f0463b02ca1bd475e7f72f2cfebc0cd233d85e993d75d6fdb445fff803
                          • Instruction ID: 3b58771d32d87447fbebb87af8a30f3b15750cf36ba1b8e861471b08018df77d
                          • Opcode Fuzzy Hash: 229884f0463b02ca1bd475e7f72f2cfebc0cd233d85e993d75d6fdb445fff803
                          • Instruction Fuzzy Hash: B761AA716083059FD718CF28C880A6BBBE9FBC9714F444A2DF69AD7310D635EA05CB96
                          APIs
                            • Part of subcall function 00412AD0: ReleaseDC.USER32(?,?), ref: 00412AED
                            • Part of subcall function 00412AD0: GetDesktopWindow.USER32 ref: 00412AF3
                            • Part of subcall function 00412AD0: GetDC.USER32(00000000), ref: 00412B00
                          • GetDesktopWindow.USER32 ref: 00412282
                          • GetDC.USER32(00000000), ref: 0041228F
                          • GetTickCount.KERNEL32 ref: 004122A6
                          • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 004123D1
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 004123E0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: DesktopWindow$??2@CountRectReleaseTick
                          • String ID:
                          • API String ID: 3492594220-0
                          • Opcode ID: 13f6ed0cfeb2f3835602a54da88036d826a5fa5bd3afcfeab851904b952143ba
                          • Instruction ID: 978d26ede1d75a2946a5862198732c04915febb9136706d22b7ebf8450a6eaaa
                          • Opcode Fuzzy Hash: 13f6ed0cfeb2f3835602a54da88036d826a5fa5bd3afcfeab851904b952143ba
                          • Instruction Fuzzy Hash: E251F5B5500B049FD324DF6AC980A67FBE9EF88700B018A1EE59683B10DB75F841CB60
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 00410B56
                            • Part of subcall function 00410CC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,00410719,?,00410719,00000000), ref: 00410CDB
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00410BB0
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 00410BC0
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 00410C17
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 00410C2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??3@$??2@$Open
                          • String ID:
                          • API String ID: 1933534633-0
                          • Opcode ID: a7685a553e72f2f117ecba3cda8147c53a5377e4210a729d4d48ced2123b3663
                          • Instruction ID: b98442f4cae1ea10f3b58257a6c38852b3aeface16a9f9a8f9af0c890b600fb4
                          • Opcode Fuzzy Hash: a7685a553e72f2f117ecba3cda8147c53a5377e4210a729d4d48ced2123b3663
                          • Instruction Fuzzy Hash: A6312E767006180B8718EA299C525BFB7C6DAC4614B88453EFE06C3302D97EED59C7E9
                          APIs
                          • WaitForSingleObject.KERNEL32(?), ref: 0041174C
                          • CloseHandle.KERNEL32(?), ref: 00411759
                          • ??2@YAPAXI@Z.MSVCRT(00000110), ref: 00411787
                          • ??2@YAPAXI@Z.MSVCRT(00000110), ref: 004117BB
                            • Part of subcall function 00412170: LoadCursorA.USER32(00000000,00000000), ref: 00412233
                          • ??2@YAPAXI@Z.MSVCRT(00000110), ref: 004117E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CloseCursorHandleLoadObjectSingleWait
                          • String ID:
                          • API String ID: 1916621575-0
                          • Opcode ID: 6e1805beeea690fb569cb1a188394c71cbb45660e3a21cd3ea65264b620ac97f
                          • Instruction ID: 86f03b5bd28f3dcd59d2ef3f8ff8f734ec45d0d0c3876b73b3e448b34d83e6f4
                          • Opcode Fuzzy Hash: 6e1805beeea690fb569cb1a188394c71cbb45660e3a21cd3ea65264b620ac97f
                          • Instruction Fuzzy Hash: 9731A374644740ABE760EF34CC46BDB76D5AB48B14F100A2EF26A973D1DBB8E480C75A
                          APIs
                          • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 004129DE
                          • SelectObject.GDI32(?,00000000), ref: 004129ED
                          • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 00412A0A
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00412A2A
                          • DeleteObject.GDI32(?), ref: 00412A52
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Object$CreateDeleteSectionSelect
                          • String ID:
                          • API String ID: 3188413882-0
                          • Opcode ID: b30e08ddbecc57bacfa5899f0fa4fdcb231fce39736bad2aeb16239f81ac161b
                          • Instruction ID: a74eeed7582fdcdc95201249c9554eb91d9fc11ed4c54c0b344870a7d2a8ee46
                          • Opcode Fuzzy Hash: b30e08ddbecc57bacfa5899f0fa4fdcb231fce39736bad2aeb16239f81ac161b
                          • Instruction Fuzzy Hash: 0E31D2B6200705AFD214CF59CC84E27F7AAFB88754F118A1DFA9987791C771F9008BA4
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000), ref: 0040D609
                          • GetLastError.KERNEL32(00000000,00000000), ref: 0040D624
                          • strstr.MSVCRT ref: 0040D64A
                          • strstr.MSVCRT ref: 0040D67F
                          • Process32Next.KERNEL32(?,00000000), ref: 0040D692
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: strstr$??2@ErrorLastNextProcess32
                          • String ID:
                          • API String ID: 853530965-0
                          • Opcode ID: 08924dfc155af567e2db85ef8a093f4d0cf2f94de13a126ec55ba45d54aec5d1
                          • Instruction ID: db446df70559ebe4b21bcbb1de179c74d15b0add3f6c854e00ee158fbc57bb9e
                          • Opcode Fuzzy Hash: 08924dfc155af567e2db85ef8a093f4d0cf2f94de13a126ec55ba45d54aec5d1
                          • Instruction Fuzzy Hash: 1011ABF1D0031527F710A775AC85E6B775CDF85759F04083AF809D2281EA39E814C6B5
                          APIs
                          • ReleaseDC.USER32(?,?), ref: 00412498
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124E2
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124EE
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 004124F7
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,10015BFE,000000FF,00412448), ref: 00412500
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: ??3@$Release
                          • String ID:
                          • API String ID: 1241932719-0
                          • Opcode ID: a66aa2d8e5073035be01082684f7b8e57a849ce099fb4165d633fc65983f8003
                          • Instruction ID: 59184cf696ce72afb8eea08478ec2fcf05009380d2f1bcb95567687726a194e0
                          • Opcode Fuzzy Hash: a66aa2d8e5073035be01082684f7b8e57a849ce099fb4165d633fc65983f8003
                          • Instruction Fuzzy Hash: 3921FAB66007509BD720EB69CC80E57F3E9FF88614F558A1EF59687750CB79E840CBA0
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 0040CD44
                          • lstrcat.KERNEL32(?,1001C254), ref: 0040CD58
                          • GetStartupInfoA.KERNEL32(?), ref: 0040CD63
                          • CreateProcessA.KERNEL32 ref: 0040CDB9
                          • ShellExecuteA.SHELL32(00000000,1001C194,?,00000000,00000000,00000001), ref: 0040CDDC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: CreateDirectoryExecuteInfoProcessShellStartupWindowslstrcat
                          • String ID:
                          • API String ID: 1806785504-0
                          • Opcode ID: fc8f08f321523226f919dad51342401b4cef31ac004c93dcbf61f3f67eddbfd9
                          • Instruction ID: 0f85814cbf80eec896de69cf1c9aac290585154c3c99fc3aba623e4ce04f90c2
                          • Opcode Fuzzy Hash: fc8f08f321523226f919dad51342401b4cef31ac004c93dcbf61f3f67eddbfd9
                          • Instruction Fuzzy Hash: 4521EAB1108345AFE7008FA5CCC49ABBBE8FBC9348F40992DF69587251D679D948CB62
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00416362
                          • GetThreadDesktop.USER32(00000000), ref: 00416369
                          • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 004163A1
                          • lstrcmpiA.KERNEL32(?,?), ref: 004163DD
                          • SetThreadDesktop.USER32(00000000), ref: 004163E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: DesktopThread$CurrentInputOpenlstrcmpi
                          • String ID:
                          • API String ID: 3295788048-0
                          • Opcode ID: e2f1359ec74e7637643335682f16b410956bcd25b26e94e843136324aea5ea35
                          • Instruction ID: a01118d8dfd34b2ae1cb212d4e670a5ad0c348b8adf86359707c0d59620d5997
                          • Opcode Fuzzy Hash: e2f1359ec74e7637643335682f16b410956bcd25b26e94e843136324aea5ea35
                          • Instruction Fuzzy Hash: 0211EB711043196BF350DB60CC4AFDB77E8EB88700F00482DFB5592191EBB4E54987A2
                          APIs
                          • wsprintfA.USER32 ref: 0040B785
                          • system.MSVCRT ref: 0040B793
                          • LoadLibraryA.KERNEL32(1001C16C), ref: 0040B7A1
                          • GetProcAddress.KERNEL32(00000000,1001C15C), ref: 0040B7AF
                          • FreeLibrary.KERNEL32(00000000), ref: 0040B7DF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProcsystemwsprintf
                          • String ID:
                          • API String ID: 2117950086-0
                          • Opcode ID: 5f70603bd98658306151e16cebc94d8f5b4e5b98d745c3fd8b8c8714753cde05
                          • Instruction ID: e025eb9ad210e2142b1b2da9ae75191057c43be71ae487a87415753e166120f0
                          • Opcode Fuzzy Hash: 5f70603bd98658306151e16cebc94d8f5b4e5b98d745c3fd8b8c8714753cde05
                          • Instruction Fuzzy Hash: 1A118E725012186BD735DB64CC989EB73A9FBCD310F04892EFE4693240EB75D908C6A6
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 1000E428
                          • GetThreadDesktop.USER32(00000000), ref: 1000E42F
                          • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1000E450
                          • SetThreadDesktop.USER32(?), ref: 1000E464
                          Memory Dump Source
                          • Source File: 00000000.00000002.2200011247.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2199935873.0000000010000000.00000004.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200091709.0000000010016000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000000.00000002.2200123205.000000001001C000.00000004.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10000000_file.jbxd
                          Similarity
                          • API ID: Thread$Desktop$CurrentInformationObjectUser
                          • String ID:
                          • API String ID: 3041254040-0
                          • Opcode ID: 969e2573c436461b708a1d02a2d74c38d79411909c750f494df82f2c873eed48
                          • Instruction ID: cbaf4f5c52d686bf2cc29cd8355986629b608c21f44036bfedffe0149da5b451
                          • Opcode Fuzzy Hash: 969e2573c436461b708a1d02a2d74c38d79411909c750f494df82f2c873eed48
                          • Instruction Fuzzy Hash: 38F0E97520012067F3109718DCC9FEB37A8EF88765F808029F5A0C1160E77986858592
                          APIs
                          • setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 0040A0D7
                          • CancelIo.KERNEL32(000000FF,?,?,00409C69), ref: 0040A0E1
                          • InterlockedExchange.KERNEL32(00000000,00000000), ref: 0040A0ED
                          • closesocket.WS2_32(000000FF), ref: 0040A0F7
                          • SetEvent.KERNEL32(?,?,?,00409C69), ref: 0040A101
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                          • String ID:
                          • API String ID: 1486965892-0
                          • Opcode ID: f360210eaeec9bbc05e573393527b3c1f531c3bab387e233837b7960b1c6b6a1
                          • Instruction ID: d85b9d66e74e18fd8bdf16d6546fd835836f977d974af2f2bb32916b93e673d8
                          • Opcode Fuzzy Hash: f360210eaeec9bbc05e573393527b3c1f531c3bab387e233837b7960b1c6b6a1
                          • Instruction Fuzzy Hash: B5F01D75114721AFE2249F94CC88A5B77B8EF48711F108A1DF682876A0CA71E4448B55
                          APIs
                          • GetProcAddress.KERNEL32(00000000,1001CD0C), ref: 00415029
                          • FreeLibrary.KERNEL32(00000000), ref: 00415036
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: AddressFreeLibraryProc
                          • String ID: Java(TM) Platform Sa 8$urq5pg==
                          • API String ID: 3013587201-3837317813
                          • Opcode ID: a8db12a0989a1d1e42d3a2ef5612ad82b2015ad1d9813c93dbde2fc710f08581
                          • Instruction ID: 1605d1345c921bdc336125294836a415a2d30f0a3281ea586762c460ecf95910
                          • Opcode Fuzzy Hash: a8db12a0989a1d1e42d3a2ef5612ad82b2015ad1d9813c93dbde2fc710f08581
                          • Instruction Fuzzy Hash: 283120B5400A54AFD324EBA4DC84AEB77A5FF8C340F018A19E95A87254E731BD44CF61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2165801588.00000000022D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 022D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22d8000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: st$ st$@$@Bt$@Bt
                          • API String ID: 0-2384255540
                          • Opcode ID: a5d0618dd64cf7953c2bbd000a506fded3c9fac6fb43c18115470e4974131a62
                          • Instruction ID: bcc616e5214a6e5c7d20badb108e41a5eb2e57da4e821f322e385853b38bdb49
                          • Opcode Fuzzy Hash: a5d0618dd64cf7953c2bbd000a506fded3c9fac6fb43c18115470e4974131a62
                          • Instruction Fuzzy Hash: E421E4B160020CABEB249A54CC85FBBB26CDB41325F548576FE0A960C1DB74DB84CAA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: Cursor$CountDestroyInfoTick
                          • String ID:
                          • API String ID: 2178836890-0
                          • Opcode ID: 7b23604f37f993a2e967b0dc2bbf95e2d6b3607d4a2e14a46e47cc5ff12e0ec1
                          • Instruction ID: 4076867c38056dd0177cbcfec0075b01dd5505470204580621c9c6d787390d4d
                          • Opcode Fuzzy Hash: 7b23604f37f993a2e967b0dc2bbf95e2d6b3607d4a2e14a46e47cc5ff12e0ec1
                          • Instruction Fuzzy Hash: E2418D713047049BD728CF29C990AABB3E6FF88714B04491EE486C3791E774E995CB69
                          APIs
                            • Part of subcall function 00413AD0: CreateEventA.KERNEL32(00000000,00000000,00000000,1001E300), ref: 00413ADC
                            • Part of subcall function 00413AD0: GetLastError.KERNEL32 ref: 00413AE8
                            • Part of subcall function 00413AD0: Sleep.KERNEL32(000003E8), ref: 00413AFA
                            • Part of subcall function 00413AD0: CloseHandle.KERNEL32(00000000), ref: 00413B0E
                          • exit.MSVCRT ref: 00413B60
                          • GetTickCount.KERNEL32 ref: 00413C0B
                          • Sleep.KERNEL32(000001F4), ref: 00413CBA
                          • CloseHandle.KERNEL32(00000000), ref: 00413CEB
                            • Part of subcall function 0040D710: CloseHandle.KERNEL32(?,?,?,?,?,0040D5D8), ref: 0040D73E
                            • Part of subcall function 00409C20: WaitForSingleObject.KERNEL32 ref: 00409C56
                            • Part of subcall function 00409C20: WSACleanup.WS2_32 ref: 00409C7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: CloseHandle$Sleep$CleanupCountCreateErrorEventLastObjectSingleTickWaitexit
                          • String ID:
                          • API String ID: 889320971-0
                          • Opcode ID: c5edddcb37ae3880f968f09902ac3fdbba142f01094a305327bf1b1c2d6d43f4
                          • Instruction ID: 531a6ffd66035e0c5f6bb71559179f7d6fc6a9d10bccd349c3d7432745183bfd
                          • Opcode Fuzzy Hash: c5edddcb37ae3880f968f09902ac3fdbba142f01094a305327bf1b1c2d6d43f4
                          • Instruction Fuzzy Hash: E45180715043909BE320DF64CC80FAF77A8FB98344F04892EF945932A1DB39E946CB56
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(?,00000000,00000004,?,?,?,00000000,10016440,?), ref: 00409FF1
                          • ??2@YAPAXI@Z.MSVCRT(?,?,00000000,00000004,?,?,?,00000000,10016440,?), ref: 00409FFD
                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,10016440,?,?,?,?,?,?,?,?,00409ED5,?), ref: 0040A07A
                            • Part of subcall function 0040A0B0: setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 0040A0D7
                            • Part of subcall function 0040A0B0: CancelIo.KERNEL32(000000FF,?,?,00409C69), ref: 0040A0E1
                            • Part of subcall function 0040A0B0: InterlockedExchange.KERNEL32(00000000,00000000), ref: 0040A0ED
                            • Part of subcall function 0040A0B0: closesocket.WS2_32(000000FF), ref: 0040A0F7
                            • Part of subcall function 0040A0B0: SetEvent.KERNEL32(?,?,?,00409C69), ref: 0040A101
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: ??2@$??3@CancelEventExchangeInterlockedclosesocketsetsockopt
                          • String ID:
                          • API String ID: 3098261992-0
                          • Opcode ID: 2cb47f865ab7ffa3a074f4b72ccc6c9a4ce6b81dc74826f651f0d8fe5ba6fbf6
                          • Instruction ID: 25c7a7a79da1b9a37dd7698a188d8e4883c8ab5016d6b53c448e21cc6eec331c
                          • Opcode Fuzzy Hash: 2cb47f865ab7ffa3a074f4b72ccc6c9a4ce6b81dc74826f651f0d8fe5ba6fbf6
                          • Instruction Fuzzy Hash: D94164717043055BC614FE66D881A6FB7A9EBC9704F00483EF645A7383DA39DC49C7A6
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 004109B6
                            • Part of subcall function 00410CC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,00410719,?,00410719,00000000), ref: 00410CDB
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00410A10
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 00410A20
                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?), ref: 00410A7A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: ??2@??3@$Open
                          • String ID:
                          • API String ID: 2374869923-0
                          • Opcode ID: 153a31f053ade2873cdbca9e124092a4948526aae959589e6c132be92f6bce5a
                          • Instruction ID: 6f3a57c00a3003fac2448bf3e2533d80a5259a84d0751246b0b00942a1e3a2b3
                          • Opcode Fuzzy Hash: 153a31f053ade2873cdbca9e124092a4948526aae959589e6c132be92f6bce5a
                          • Instruction Fuzzy Hash: CA310B767007180B8708EE2998515BFB2C6AFD8654B44443EFE16C3301DA7ADE49C7D6
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 004107E6
                            • Part of subcall function 00410CC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,00410719,?,00410719,00000000), ref: 00410CDB
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00410840
                          • ??2@YAPAXI@Z.MSVCRT(?), ref: 00410850
                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?), ref: 004108AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: ??2@??3@$Open
                          • String ID:
                          • API String ID: 2374869923-0
                          • Opcode ID: 153a31f053ade2873cdbca9e124092a4948526aae959589e6c132be92f6bce5a
                          • Instruction ID: 74bef0dcbb26397b44e7551e06904d7eb4f38254a99bb661f25dec99c74aae77
                          • Opcode Fuzzy Hash: 153a31f053ade2873cdbca9e124092a4948526aae959589e6c132be92f6bce5a
                          • Instruction Fuzzy Hash: 6031F976704614075708EE2998511BFB2C6ABC8614B84443EFE16C3301DA6AED49C6EA
                          APIs
                          • GetForegroundWindow.USER32 ref: 0040FB29
                          • GetLocalTime.KERNEL32(?), ref: 0040FB79
                          • wsprintfA.USER32 ref: 0040FBCE
                            • Part of subcall function 0040FA40: printf.MSVCRT ref: 0040FA52
                            • Part of subcall function 0040FA40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040FA65
                            • Part of subcall function 0040FA40: lstrcat.KERNEL32(?,\Sougou.key), ref: 0040FA75
                            • Part of subcall function 0040FA40: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040FA92
                            • Part of subcall function 0040FA40: GetFileSize.KERNEL32 ref: 0040FAA5
                            • Part of subcall function 0040FA40: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040FAB9
                            • Part of subcall function 0040FA40: lstrlen.KERNEL32(?), ref: 0040FAC0
                            • Part of subcall function 0040FA40: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040FAC9
                            • Part of subcall function 0040FA40: lstrlen.KERNEL32(?,?,00000000,00000000), ref: 0040FAEF
                            • Part of subcall function 0040FA40: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040FAF8
                            • Part of subcall function 0040FA40: CloseHandle.KERNEL32(00000000), ref: 0040FAFF
                            • Part of subcall function 0040FA40: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040FB06
                          • SendMessageA.USER32(00000000,0000000D,00000400,1001DEF8), ref: 0040FC12
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: File$lstrlen$??2@??3@CloseCreateDirectoryForegroundHandleLocalMessagePointerSendSizeSystemTimeWindowWritelstrcatprintfwsprintf
                          • String ID:
                          • API String ID: 2020810914-0
                          • Opcode ID: d78d648c74bcf48eb7405490c158214a305973f56c5a983c7fb1b8daad83f429
                          • Instruction ID: 57824f4258ead22737274b09b95227b5f4c8a104df3c6aff2eda71bfec3a53f6
                          • Opcode Fuzzy Hash: d78d648c74bcf48eb7405490c158214a305973f56c5a983c7fb1b8daad83f429
                          • Instruction Fuzzy Hash: F421B6B22042136BE310EB54CC81EB777E5EFD8301F04853AF6119B690CA39E9494B62
                          APIs
                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 0040BDDF
                          • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 0040BDF0
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040BE0A
                          • CloseHandle.KERNEL32(00000000), ref: 0040BE11
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: File$CloseCreateHandlePointerWrite
                          • String ID:
                          • API String ID: 3604237281-0
                          • Opcode ID: 7a119737f0e32009b5acc9f2438bee820bbd85f0650ecb8f646268bffea4f53e
                          • Instruction ID: dff88502e92d996412cfcc0031c657c215c988c0855d6e1079fd78de5f73f001
                          • Opcode Fuzzy Hash: 7a119737f0e32009b5acc9f2438bee820bbd85f0650ecb8f646268bffea4f53e
                          • Instruction Fuzzy Hash: 6B110E71284311ABE300DF58CC85F5BB7E8EB8D714F048A1DF6419B2D1D771EA098BA2
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0041591E
                          • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00415931
                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 0041593F
                          • Sleep.KERNEL32(00000064), ref: 004159AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: OpenService$ManagerQuerySleepStatus
                          • String ID:
                          • API String ID: 3649141778-0
                          • Opcode ID: 4cfddbda69b0c16129717d592071846bca296a741277767ac1de997fc6a04884
                          • Instruction ID: bf3e15c6dcc1f4ba8fd13d1d0e78304a0478ff1d45378faf1489fc4e68766380
                          • Opcode Fuzzy Hash: 4cfddbda69b0c16129717d592071846bca296a741277767ac1de997fc6a04884
                          • Instruction Fuzzy Hash: 28F06235640224AFE200BB64CCC9FAF7B68EB8D761F40802AFD0587291C6759C05CAB2
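The API lines above print every argument as raw hex, so the behaviour of each routine has to be read off the constants: the keylogger routine at 0040FA40 opens \Sougou.key in the system directory with GENERIC_WRITE, FILE_SHARE_WRITE and OPEN_ALWAYS and pulls window titles with WM_GETTEXT (0x0D); the routine at 0040BDDF opens an existing file (OPEN_EXISTING) and writes at a caller-supplied offset; the registry helper asks for KEY_ALL_ACCESS (0xF003F); the service routine opens the SCM with SC_MANAGER_CREATE_SERVICE (0x2) and the service with SERVICE_ALL_ACCESS (0xF01FF), then polls QueryServiceStatus every 100 ms; and the socket teardown sets SO_LINGER (0x80) at SOL_SOCKET (0xFFFF) before closesocket. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses trace lines in the report's `api.MODULE(args), ref: va` format and decodes those Win32 constants. The sample lines are copied from this listing; the constant values are the standard Windows SDK definitions; the function names (`parse_call`, `decode_args`, `decode_trace`) and the choice of which arguments to decode are the example's own. The setsockopt option table assumes the SOL_SOCKET level seen here.

```python
"""Decode Win32 constants in Joe Sandbox API trace lines (added example)."""
import re

# Sample input: API lines copied from this report's disassembly listing.
# "?" is Joe Sandbox's marker for an argument it could not resolve.
SAMPLE_TRACE = """\
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040FA92
SendMessageA.USER32(00000000,0000000D,00000400,1001DEF8), ref: 0040FC12
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 0040BDDF
RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,00410719,?,00410719,00000000), ref: 00410CDB
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0041591E
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00415931
setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 0040A0D7
Sleep.KERNEL32(000003E8), ref: 00413AFA
exit.MSVCRT ref: 00413B60
"""

# One trace line: "<api>.<module>(<args>), ref: <va>"; the argument list is
# absent when the sandbox could not resolve it (e.g. "exit.MSVCRT ref: ...").
LINE_RE = re.compile(
    r"^\s*(?P<api>[\w@?$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Windows SDK constants. Composite masks are listed first so that a full
# access mask decodes to its well-known name instead of its component bits.
GENERIC_ACCESS = [("GENERIC_ALL", 0x10000000), ("GENERIC_READ", 0x80000000),
                  ("GENERIC_WRITE", 0x40000000), ("GENERIC_EXECUTE", 0x20000000)]
SHARE_MODE = [("FILE_SHARE_READ", 0x1), ("FILE_SHARE_WRITE", 0x2), ("FILE_SHARE_DELETE", 0x4)]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = [("FILE_ATTRIBUTE_HIDDEN", 0x2), ("FILE_ATTRIBUTE_SYSTEM", 0x4),
              ("FILE_ATTRIBUTE_NORMAL", 0x80), ("FILE_FLAG_DELETE_ON_CLOSE", 0x04000000)]
WINDOW_MSG = {0x0C: "WM_SETTEXT", 0x0D: "WM_GETTEXT", 0x0E: "WM_GETTEXTLENGTH", 0x10: "WM_CLOSE"}
REG_ACCESS = [("KEY_ALL_ACCESS", 0xF003F), ("KEY_READ", 0x20019), ("KEY_WRITE", 0x20006),
              ("KEY_QUERY_VALUE", 0x1), ("KEY_SET_VALUE", 0x2)]
SCM_ACCESS = [("SC_MANAGER_ALL_ACCESS", 0xF003F), ("SC_MANAGER_CONNECT", 0x1),
              ("SC_MANAGER_CREATE_SERVICE", 0x2), ("SC_MANAGER_ENUMERATE_SERVICE", 0x4)]
SERVICE_ACCESS = [("SERVICE_ALL_ACCESS", 0xF01FF), ("SERVICE_QUERY_CONFIG", 0x1),
                  ("SERVICE_CHANGE_CONFIG", 0x2), ("SERVICE_QUERY_STATUS", 0x4),
                  ("SERVICE_START", 0x10), ("SERVICE_STOP", 0x20)]
SOCK_LEVEL = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SOCK_OPT = {0x4: "SO_REUSEADDR", 0x8: "SO_KEEPALIVE", 0x80: "SO_LINGER",   # SOL_SOCKET only
            0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}


def _flags(table):
    """Decompose a bitmask into names; any leftover bits stay as hex."""
    def decode(value):
        names, rest = [], value
        for name, mask in table:
            if rest & mask == mask:
                names.append(name)
                rest &= ~mask
        if rest or not names:
            names.append(f"0x{rest:X}")
        return "|".join(names)
    return decode


def _enum(table):
    return lambda value: table.get(value, f"0x{value:X}")


def _ms(value):
    return f"{value} ms"


# api name -> {zero-based argument index -> decoder}
DECODERS = {
    "CreateFileA": {1: _flags(GENERIC_ACCESS), 2: _flags(SHARE_MODE),
                    4: _enum(DISPOSITION), 5: _flags(FILE_ATTRS)},
    "SendMessageA": {1: _enum(WINDOW_MSG)},
    "RegOpenKeyExA": {3: _flags(REG_ACCESS)},
    "OpenSCManagerA": {2: _flags(SCM_ACCESS)},
    "OpenServiceA": {2: _flags(SERVICE_ACCESS)},
    "setsockopt": {1: _enum(SOCK_LEVEL), 2: _enum(SOCK_OPT)},
    "Sleep": {0: _ms},
}


def parse_call(line):
    """Return (api, module, args, ref) for a trace line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    args = [a.strip() for a in args.split(",")] if args else []
    return m.group("api"), m.group("module"), args, m.group("ref")


def decode_args(api, args):
    """Replace hex arguments that have a decoder with symbolic names; keep the rest raw."""
    out = []
    for i, raw in enumerate(args):
        decoder = DECODERS.get(api, {}).get(i)
        out.append(raw if decoder is None or raw == "?" else decoder(int(raw, 16)))
    return out


def decode_trace(text):
    """Decode every call line in a trace; skips lines that are not calls."""
    lines = []
    for line in text.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, module, args, ref = parsed
        lines.append(f"{ref}  {api}.{module}({', '.join(decode_args(api, args))})")
    return lines


if __name__ == "__main__":
    print("\n".join(decode_trace(SAMPLE_TRACE)))
```

The `ref` column is the virtual address of the call in the dumped image, whose base is the `Offset: 00400000` given in each Memory Dump Source line, so the decoded lines can be cross-referenced directly against the `hcaresult_0_2_400000_file.jbxd` snapshot in IDA. Arguments the sandbox left as `?` are passed through unchanged rather than guessed.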
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416254
                          • _beginthreadex.MSVCRT ref: 0041627C
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041628E
                          • CloseHandle.KERNEL32(?), ref: 00416299
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2089809538.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000427000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.000000000042B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2091491242.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2098465499.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102214644.000000000044C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2108557917.000000000044D000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2110180468.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2111742546.0000000000458000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2113460038.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2115333257.000000000045B000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2119109777.00000000004F3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2120500317.00000000004FA000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2121746630.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2122906094.00000000004FC000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2124607689.00000000004FD000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2125866896.00000000004FE000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2126740237.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                          • String ID:
                          • API String ID: 92035984-0
                          • Opcode ID: 2dc7f395cca6a93a7298d3fef628ebf9ad2ca4e4609caff0f94c10926d1a4db3
                          • Instruction ID: 526df46c5e5e0ffbfde43bdd44a538e4d9314d104869588bcdab187e1bdf80fc
                          • Opcode Fuzzy Hash: 2dc7f395cca6a93a7298d3fef628ebf9ad2ca4e4609caff0f94c10926d1a4db3
                          • Instruction Fuzzy Hash: C601C474608351AFE300DF288C84B6BBBE4BB8C754F448A0DF998A7391D675DA048B92
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,1001E300), ref: 00413ADC
                          • GetLastError.KERNEL32 ref: 00413AE8
                          • Sleep.KERNEL32(000003E8), ref: 00413AFA
                          • CloseHandle.KERNEL32(00000000), ref: 00413B0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateErrorEventHandleLastSleep
                          • String ID:
                          • API String ID: 2373103748-0
                          • Opcode ID: c2d4540c113d3795318df31d236e63345014fe02b53cd5dd085cc198a870059e
                          • Instruction ID: 012cec61f72e9733b92b7ccb9f064ba25b2608cae299a8d64c256c9f5b4e6757
                          • Opcode Fuzzy Hash: c2d4540c113d3795318df31d236e63345014fe02b53cd5dd085cc198a870059e
                          • Instruction Fuzzy Hash: 69E09231705160A7E3211B1AAC8CFCF6A68DBC5722F094427FC08D2382D739DD8285A1
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00415008
                          Strings
                          • Java(TM) Platform Sa 8, xrefs: 00414FCA
                          • SYSTEM\CurrentControlSet\Services\, xrefs: 00414FA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Open
                          • String ID: Java(TM) Platform Sa 8$SYSTEM\CurrentControlSet\Services\
                          • API String ID: 71445658-2416497211
                          • Opcode ID: ef868d58029e290182990cca147c7f94bb053a7cd75b841a1b5adb16d4a290ad
                          • Instruction ID: 183490b8d36bb0b74e24f1780fa65f619e01ecab0f16349bc410bb8053a11042
                          • Opcode Fuzzy Hash: ef868d58029e290182990cca147c7f94bb053a7cd75b841a1b5adb16d4a290ad
                          • Instruction Fuzzy Hash: F101C4326186041BD718C97CDC556AB7AC6FBC4330F940B3DB667C71C0DEE49D088151
                          APIs
                            • Part of subcall function 0040FE70: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040949A,?), ref: 0040FE8E
                            • Part of subcall function 0040FF60: WaitForSingleObject.KERNEL32(?,000000FF,00411C10,?,?,?,?,?,10015BC0,000000FF), ref: 0040FF66
                            • Part of subcall function 0040FF60: Sleep.KERNEL32(0000012C,?,?,?,?,?,10015BC0,000000FF), ref: 0040FF71
                            • Part of subcall function 0040E3E0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0040E20D,00000000,?), ref: 0040E403
                            • Part of subcall function 0040E3E0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E413
                            • Part of subcall function 0040E3E0: SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68), ref: 0040E42F
                            • Part of subcall function 0040E3E0: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E438
                            • Part of subcall function 0040E3E0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,1001C1F8), ref: 0040E44C
                            • Part of subcall function 0040E3E0: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 0040E472
                            • Part of subcall function 0040E3E0: CloseHandle.KERNEL32(00000000,?,?,?,0040E20D,00000000,?,?,?,?,00000000,10015A68,000000FF,0040CAF3), ref: 0040E47C
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E219
                          • lstrcat.KERNEL32(?,1001C370), ref: 0040E225
                            • Part of subcall function 00416230: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416254
                            • Part of subcall function 00416230: _beginthreadex.MSVCRT ref: 0041627C
                            • Part of subcall function 00416230: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041628E
                            • Part of subcall function 00416230: CloseHandle.KERNEL32(?), ref: 00416299
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Create$CloseEventHandleObjectSingleWait$??2@??3@DirectoryPointerReadSizeSleepSystem_beginthreadexlstrcat
                          • String ID: \Sougou.key
                          • API String ID: 2905802444-2681673768
                          • Opcode ID: ec89a2d26f4a6e78cc40c9c42374f5defe563a796d01fc83261a8cffa6020947
                          • Instruction ID: 30c99c0b8572a0295226ab4dfbc1fc3df082422be50045ba736542f27c461143
                          • Opcode Fuzzy Hash: ec89a2d26f4a6e78cc40c9c42374f5defe563a796d01fc83261a8cffa6020947
                          • Instruction Fuzzy Hash: 5E11A071240710BBE324EB258C06F9B7A94EB49F14F10482EF3596A2C1C7BDA4008BAA
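                          The three entries above (the CreateEventA/GetLastError/Sleep function at 00413ADC, the RegOpenKeyExA lookup at 00415008 with the "SYSTEM\CurrentControlSet\Services\" and "Java(TM) Platform Sa 8" strings, and the GetSystemDirectoryA + lstrcat + CreateFileA function at 0040E219 with the "\Sougou.key" string) are the ones a responder would want to turn into host checks. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's own "APIs"/"Strings" bullet lines (the sample text is copied from the entries above), decodes the constants that matter (80000002 = HKEY_LOCAL_MACHINE, 000F003F = KEY_ALL_ACCESS, 80000000 = GENERIC_READ, 00000003 = OPEN_EXISTING) and maps each call pattern to a checkable artifact. Three things are assumptions rather than facts the report states: that the two registry strings are concatenated into one key path (the report lists no lstrcat in that function), that the file read is <system directory>\Sougou.key (GetSystemDirectoryA returns System32; for a 32-bit process on 64-bit Windows the CreateFileA open is redirected to SysWOW64, so check both), and that the named event plus GetLastError plus Sleep(1000) is a single-instance or wait-for-previous-instance guard (GetLastError returns ERROR_ALREADY_EXISTS when a named event already exists). The event name itself is only a pointer (1001E300) in the listing and is not recovered here.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example, not Joe Sandbox code).
Parses the bullet lines of each entry, decodes the constants that matter and maps the call pattern
to a host artifact. SAMPLE is copied from the report; the classification rules are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HKEY_ROOTS = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
KEY_ALL_ACCESS, GENERIC_READ, OPEN_EXISTING = 0x000F003F, 0x80000000, 3

# Constructed sample: the "APIs"/"Strings" lines of three entries from the report above.
SAMPLE = r"""
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,1001E300), ref: 00413ADC
• GetLastError.KERNEL32 ref: 00413AE8
• Sleep.KERNEL32(000003E8), ref: 00413AFA
APIs
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00415008
Strings
• Java(TM) Platform Sa 8, xrefs: 00414FCA
• SYSTEM\CurrentControlSet\Services\, xrefs: 00414FA2
APIs
  • Part of subcall function 0040E3E0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0040E20D,00000000,?), ref: 0040E403
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E219
• lstrcat.KERNEL32(?,1001C370), ref: 0040E225
• String ID: \Sougou.key
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STRID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")   # '$' joins several strings in one ID
XREF_RE = re.compile(r"^\s*•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]{8}\s*$")

@dataclass
class Call:
    name: str
    args: list            # int for hex constants, None for '?'
    ref: str
    subcall: str | None   # address of the subcall the line was hoisted from, if any

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def _arg(tok: str):
    return None if tok.strip() in ("", "?") else int(tok, 16)

def parse_entries(text: str) -> list[Entry]:
    """Start a new entry at each 'APIs' header; attach the call and string lines that follow."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := CALL_RE.match(line)):
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(Call(m["name"], args, m["ref"], m["sub"]))
        elif (m := STRID_RE.match(line)):
            cur.strings.extend(s for s in m["s"].split("$") if s)
        elif (m := XREF_RE.match(line)):
            cur.strings.append(m["s"])
    return entries

def _calls(e: Entry, name: str) -> list[Call]:
    return [c for c in e.calls if c.name == name]

def triage(text: str) -> list[dict]:
    """Map each entry's call pattern to a checkable artifact (rules are the author's assumptions)."""
    out = []
    for e in parse_entries(text):
        names = {c.name for c in e.calls}
        # Service key lookup: RegOpenKeyExA(HKLM, "SYSTEM\CurrentControlSet\Services\" + <service name>)
        for c in _calls(e, "RegOpenKeyExA"):
            prefix = next((s for s in e.strings if s.upper().startswith("SYSTEM\\CURRENTCONTROLSET\\SERVICES\\")), None)
            if c.args and HKEY_ROOTS.get(c.args[0]) == "HKLM" and prefix:
                service = next((s for s in e.strings if s != prefix), "<unknown>")
                out.append({"behaviour": "service_key_lookup", "artifact": "HKLM\\" + prefix + service,
                            "ref": c.ref, "all_access": len(c.args) > 3 and c.args[3] == KEY_ALL_ACCESS})
        # Key file read: GetSystemDirectoryA + lstrcat(<suffix>) + CreateFileA(GENERIC_READ, OPEN_EXISTING)
        if {"GetSystemDirectoryA", "lstrcat"} <= names:
            reads = [c for c in _calls(e, "CreateFileA") if len(c.args) > 4 and c.args[1] == GENERIC_READ]
            suffix = next((s for s in e.strings if s.startswith("\\")), None)
            if reads and suffix:
                out.append({"behaviour": "reads_system_dir_file", "artifact": "%SystemRoot%\\System32" + suffix,
                            "ref": reads[0].ref, "open_existing": reads[0].args[4] == OPEN_EXISTING,
                            "via_subcall": reads[0].subcall})
        # Named event + GetLastError + Sleep: instance/readiness probe; the name is only a pointer in the listing
        named = [c for c in _calls(e, "CreateEventA") if len(c.args) > 3 and c.args[3]]
        if named and {"GetLastError", "Sleep"} <= names:
            out.append({"behaviour": "named_event_probe", "ref": named[0].ref,
                        "artifact": f"event name at 0x{named[0].args[3]:08X} (not recovered in report)",
                        "sleep_ms": _calls(e, "Sleep")[0].args[0]})
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

                          Run it against a copy of the report text and the findings give the registry key and file path to query on a suspected host; the parser only recognises the three bullet shapes shown in the sample (plain call, "Part of subcall function" call, and "xrefs:"/"String ID:" strings), so other report sections are ignored rather than misread.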
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: 2217825174ddb155f50b2dec02bd66b9b0c195fef1d335e868a73a0a43f8f974
                          • Instruction ID: b0e15b9b6075a0c97aaeb549807cdaa5531b713578cac2978a38f1030234bbab
                          • Opcode Fuzzy Hash: 2217825174ddb155f50b2dec02bd66b9b0c195fef1d335e868a73a0a43f8f974
                          • Instruction Fuzzy Hash: 60114FB29001689FDF14CF94CC94FEE7379EB49300F008599E20AA6190D775EA99CF95
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: a1cb08dc8ce9cf3e21b73c5e2e02266ff02f38549a284f65fba5d54c513186c4
                          • Instruction ID: c08b18463071f390c777f6495db2c9bce83eafdf24fb251581b845cc1a716d16
                          • Opcode Fuzzy Hash: a1cb08dc8ce9cf3e21b73c5e2e02266ff02f38549a284f65fba5d54c513186c4
                          • Instruction Fuzzy Hash: 9A1163B29001689FDF14CF94CC94BDEB3B5FB48300F008599E61AB7290D779AA85CF55
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: d340bc5ebf95402a78bd56ca69fe66ce7c967b35ccc345f2fd642f80d6a3a11e
                          • Instruction ID: df4c66babcd3fa548822051a2b32b60b5cfc42337d6cf9c02166e114788bfd59
                          • Opcode Fuzzy Hash: d340bc5ebf95402a78bd56ca69fe66ce7c967b35ccc345f2fd642f80d6a3a11e
                          • Instruction Fuzzy Hash: EE112EB29001689BDF54CF94CC94BEE7379EB89300F008599E20AB7150D779EA99CF95
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: the same dump regions listed above (identical for every function in this module; omitted here)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: b4be92960484f27f0a1610b7ce6646c6244c852e39d53fb2e6fa9feab9cdc6a4
                          • Instruction ID: 3881386114235e6f06a63d2bf5ef29713c25dcf829bfec39dcd0155caffb3b11
                          • Opcode Fuzzy Hash: b4be92960484f27f0a1610b7ce6646c6244c852e39d53fb2e6fa9feab9cdc6a4
                          • Instruction Fuzzy Hash: D7112EB29001689BDF54CF94CC94BEE7379EB89300F008599E20AB6150D7B9EA99CF95
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: a2d6a4ac6805362eb66b566ded5af22085d6d2a2c1bb9cb544d2c53ebe365cca
                          • Instruction ID: 37740e37c044e430ca37356fee566cb143ae034b7b04982f33c9c29a2968b316
                          • Opcode Fuzzy Hash: a2d6a4ac6805362eb66b566ded5af22085d6d2a2c1bb9cb544d2c53ebe365cca
                          • Instruction Fuzzy Hash: 1E114FB29001689FDF54CF84CC94BEE7379EB88300F008599E20AB7150D779EA89CFA5
                          APIs
                          • RegEnumValueA.ADVAPI32(?,?,?,00000020,00000000,?,?,00000104), ref: 00416B18
                          • lstrcat.KERNEL32(?,?), ref: 00416BDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumValuelstrcat
                          • String ID:
                          • API String ID: 4141993428-3916222277
                          • Opcode ID: 036c1fde0faa6f272cc2cdd9ed9c03b90b99756f420df0312c4f60d6e5b54188
                          • Instruction ID: 66cd92faa7cadc72fb8f08886545e9c268efb167c494b21d26abbed3b925b630
                          • Opcode Fuzzy Hash: 036c1fde0faa6f272cc2cdd9ed9c03b90b99756f420df0312c4f60d6e5b54188
                          • Instruction Fuzzy Hash: 33114FB29001689FDF54CF94CC94BEE7379EB88300F008599E20AB7150D7B9AA89CF95
                          APIs
                          • LoadLibraryA.KERNEL32(1001CBC8,1001CE68), ref: 0041608E
                          • GetProcAddress.KERNEL32(00000000), ref: 00416095
                            • Part of subcall function 0040FF80: SetEvent.KERNEL32(?,0040E312), ref: 0040FF84
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressEventLibraryLoadProc
                          • String ID: /
                          • API String ID: 3618500942-2043925204
                          • Opcode ID: f534b1a7b34bae6fa3e6c78342b9ea550248040f422f7e613bb61caa02a5c062
                          • Instruction ID: 684a0c9c0bc81efd63632622cd9083aa7e2e463cd4453efd06e92e9a6c8a533b
                          • Opcode Fuzzy Hash: f534b1a7b34bae6fa3e6c78342b9ea550248040f422f7e613bb61caa02a5c062
                          • Instruction Fuzzy Hash: DDF0A7772042112BD238E7549C49DEBAB6DEBDD721F50852EF64696280CB34D884C365
                          APIs
                          • free.MSVCRT ref: 0040C6FF
                          • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,0040C2A7,00000000), ref: 0040C718
                          • GetProcessHeap.KERNEL32(00000000,0040C2A7,?,0040C2A7,00000000), ref: 0040C721
                          • HeapFree.KERNEL32(00000000), ref: 0040C728
                          Memory Dump Source
                          • Source File: 00000000.00000002.2091491242.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap$ProcessVirtualfree
                          • String ID:
                          • API String ID: 4282497734-0
                          • Opcode ID: fe57a58c9b63e32c50595947e2a62e58c29ec4fe3591c1b6c54def7cfc19d9f7
                          • Instruction ID: 184ee86e23f98c94a0c598a0ab1da95637b7adb76efa546d04cd11815c3901cc
                          • Opcode Fuzzy Hash: fe57a58c9b63e32c50595947e2a62e58c29ec4fe3591c1b6c54def7cfc19d9f7
                          • Instruction Fuzzy Hash: 94112A71300712EBD6308B69CCC4F17B3E8AF48750F148A2AF59AE7291CB75E8418B64