Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Analysis ID: 1430960
MD5: 2a5f4c6d957f37ecea115fffe6d28467
SHA1: 9fe8436f8e1f6198b883404f0b59256b4f08bbed
SHA256: 5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
Tags: exe

Detection

GhostRat, Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
C2 URLs / IPs found in malware configuration
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe (PID: 408 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe" MD5: 2A5F4C6D957F37ECEA115FFFE6D28467)
    • cmd.exe (PID: 3292 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3116 cmdline: ping -n 2 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • Dtldt.exe (PID: 5708 cmdline: C:\Windows\SysWOW64\Dtldt.exe -auto MD5: 2A5F4C6D957F37ECEA115FFFE6D28467)
  • cleanup
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
{"C2 url": "206.238.196.240"}
Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Author: Joe Security
Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Author: unknown
  • 0xe0e:$a1: :]%d-%d-%d %d:%d:%d
  • 0xbd4:$a2: [Pause Break]
  • 0x24bc4:$a3: f-secure.exe
  • 0x1214:$a4: Accept-Language: zh-cn
  • 0x12ad:$a4: Accept-Language: zh-cn
  • 0x13e8:$a4: Accept-Language: zh-cn
  • 0x152b:$a4: Accept-Language: zh-cn
  • 0x1780:$a4: Accept-Language: zh-cn
Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Author: Joe Security
Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, Rule: GhostDragon_Gh0stRAT, Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, Author: Florian Roth
  • 0x11248:$x4: Http/1.1 403 Forbidden
  • 0x11248:$s5: Http/1.1 403 Forbidden
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Author: Florian Roth
  • 0x111ff:$x1: sekurlsa::logonpasswords
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ

            System Summary

Source: Process started, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul, CommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, ParentProcessId: 408, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul, ProcessId: 3292, ProcessName: cmd.exe
            No Snort rule has matched


            AV Detection

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, Malware Configuration Extractor: GhostRat {"C2 url": "206.238.196.240"}
Source: C:\Windows\SysWOW64\Dtldt.exe, ReversingLabs: Detection: 57%
Source: C:\Windows\SysWOW64\Dtldt.exe, Virustotal: Detection: 57%
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Virustotal: Detection: 57%
Source: C:\Windows\SysWOW64\Dtldt.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_00401130: 4x nop then mov al, byte ptr [esp+04h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_00408690: 4x nop then sub esp, 34h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_00401750: 4x nop then mov eax, 00431900h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_10029700: 4x nop then mov eax, dword ptr [esp+04h]
Source: C:\Windows\SysWOW64\Dtldt.exe, Code function: 3_2_00401130: 4x nop then mov al, byte ptr [esp+04h]
Source: C:\Windows\SysWOW64\Dtldt.exe, Code function: 3_2_00408690: 4x nop then sub esp, 34h
Source: C:\Windows\SysWOW64\Dtldt.exe, Code function: 3_2_00401750: 4x nop then mov eax, 00431900h

            Networking

Source: Malware configuration extractor, URLs: 206.238.196.240
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, Code function: 0_2_1001F010 recv
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: http://qun.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, String found in binary or memory: http://www.appspeed.com/
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, String found in binary or memory: http://www.appspeed.com/support
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: DirectInput8Creatememstr_5fb39f51-4
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: GetRawInputDatamemstr_98995968-a
Source: Yara match, File source: 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Dtldt.exe PID: 5708, type: MEMORYSTR

            System Summary

            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPEMatched rule: Identifies a variant of Gh0st Rat Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPEMatched rule: Detects the Hidden public rootkit Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPEMatched rule: Detects PCRat / Gh0st Author: ditekSHen
            Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
            Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies a variant of Gh0st Rat Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTRMatched rule: Identifies a variant of Gh0st Rat Author: unknown
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Dtldt.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014961E5 NtQueryVirtualMemory,3_2_014961E5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1000C570: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000C570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1000E010 ExitWindowsEx,0_2_1000E010
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1000C570 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000C570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeFile created: C:\Windows\SysWOW64\Dtldt.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeFile created: C:\Windows\SysWOW64\Dtldt.exe:Zone.Identifier:$DATAJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10093080
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100240A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100170E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1007A180
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10057190
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1008F1A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10037260
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1007A430
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10092470
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10055490
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1008F4D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100904D0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100334E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10056580
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10013720
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10053740
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1007C7B0
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01219013
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0121E457
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0120677E
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0121A786
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_012037DF
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0122CD2A
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0121DDB8
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0147D16F
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_014561FB
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0148518C
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0148D183
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_014681BB
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0144D043
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0148E054
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01392078
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01392075
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013DB083
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01413080
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_014600A3
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0147F3D0
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0146F390
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0148E24D
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01482245
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01490251
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0148626F
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_013BD215
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0149920E
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0140320F
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_0147C599
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01208119
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: 3_2_01209A3F
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: String function: 005E4080 appears 243 times
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: String function: 011F111A appears 50 times
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: String function: 0042E744 appears 37 times
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: String function: 005E62BC appears 202 times
            Source: C:\Windows\SysWOW64\Dtldt.exe | Code function: String function: 005E50A1 appears 38 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: String function: 005E4080 appears 243 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: String function: 0042E744 appears 38 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: String function: 005E62BC appears 202 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: String function: 005E50A1 appears 38 times
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: Dtldt.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000266B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002D0A000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002DF7000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiphlpapi.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: [FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.00000000026B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.0000000002876000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
            Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
            Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Dtldt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100174F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_100240A0 GetVersionExA,sprintf,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,FindWindowA,GetWindowTextA,GetWindow,GetClassNameA,GetTickCount,sprintf,atol,atol,#825,atol,#825,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,atoi,strstr,GetSystemDirectoryA,lstrcatA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,wsprintfA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10025030 CreateToolhelp32Snapshot,LocalAlloc,Process32First,lstrlenA,OpenProcess,GetPriorityClass,sprintf,sprintf,OpenProcessToken,GetTokenInformation,GetTokenInformation,malloc,GetTokenInformation,LookupAccountSidA,free,CloseHandle,GetProcessMemoryInfo,sprintf,GetModuleFileNameExA,GetWindowsDirectoryA,_strnicmp,_strnicmp,_strnicmp,_strnicmp,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,Process32Next,LocalReAlloc,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10016340 CoInitialize,CoCreateInstance,SysFreeString,SysFreeString,CoUninitialize
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | ReversingLabs: Detection: 57%
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Virustotal: Detection: 57%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe"
            Source: unknown | Process created: C:\Windows\SysWOW64\Dtldt.exe C:\Windows\SysWOW64\Dtldt.exe -auto
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: mfc42.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: msvcp60.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: samcli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\Dtldt.exe | Section loaded: mfc42.dll
            Source: C:\Windows\SysWOW64\Dtldt.exe | Section loaded: msvcp60.dll
            Source: C:\Windows\SysWOW64\Dtldt.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\Dtldt.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\Dtldt.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static file information: File size 2138112 > 1048576
            Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
            Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
            Source: C:\Windows\SysWOW64\Dtldt.exe | Unpacked PE file: 3.2.Dtldt.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10012640 sprintf,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegDeleteKeyA,RegDeleteValueA, | 0_2_10012640
            Source: initial sample | Static PE information: section where entry point is pointing to: .sedata
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: section name: .sedata
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: section name: .sedata
            Source: Dtldt.exe.0.dr | Static PE information: section name: .sedata
            Source: Dtldt.exe.0.dr | Static PE information: section name: .sedata
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_00691046 pushfd ; mov dword ptr [esp], edi | 0_2_00691063
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_00694059 pushfd ; mov dword ptr [esp], esp | 0_2_0069405A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_00401000 pushad ; retn 0008h | 0_2_0040101D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A2012 push eax; retf | 0_2_006A2001
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0069F10A push edx; mov dword ptr [esp], ebp | 0_2_0069F5A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0069320C pushfd ; mov dword ptr [esp], ebx | 0_2_006936F3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006992BF push esp; mov dword ptr [esp], ecx | 0_2_00699299
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F73F0 pushad ; mov dword ptr [esp], edx | 0_2_005F74F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F7451 pushad ; mov dword ptr [esp], edx | 0_2_005F74F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A7441 push ss; retf | 0_2_006A748A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0069F405 push ss; retf | 0_2_0069F41D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F7424 pushad ; mov dword ptr [esp], edx | 0_2_005F74F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A44EF pushfd ; mov dword ptr [esp], edx | 0_2_006A45A3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F74C5 pushad ; mov dword ptr [esp], edx | 0_2_005F74F4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006094D7 push dword ptr [esp+18h]; retn 001Ch | 0_2_0060950E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A856B push 294E1ACBh; ret | 0_2_006A853E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A455C pushfd ; mov dword ptr [esp], edx | 0_2_006A45A3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_00609528 push dword ptr [esp+18h]; retn 001Ch | 0_2_0060950E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0069953E push word ptr [esp]; mov dword ptr [esp], ebp | 0_2_00699564
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A9586 push word ptr [esp+02h]; mov dword ptr [esp], edi | 0_2_006A958B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0042E5B0 push eax; ret | 0_2_0042E5DE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F062D push dword ptr [esp+24h]; retn 0028h | 0_2_005F063A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A2613 push ss; retf | 0_2_006A25E6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006AB693 push word ptr [esp]; mov dword ptr [esp], ecx | 0_2_006AB799
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0042E744 push eax; ret | 0_2_0042E762
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006A9763 push ss; retf | 0_2_006A97C9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F0731 push dword ptr [esp+04h]; retn 0008h | 0_2_005F0750
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006B37D1 push word ptr [esp+01h]; mov dword ptr [esp], eax | 0_2_006B38C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_0064D829 push dword ptr [esp+24h]; retn 0028h | 0_2_0064D82E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_006C781D push esp; mov dword ptr [esp], edx | 0_2_006C781E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_005F4955 push dword ptr [esp+28h]; retn 002Ch | 0_2_005F48F6
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: section name: .text entropy: 7.998061242856676
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Static PE information: section name: .sedata entropy: 7.487891420444405
            Source: Dtldt.exe.0.dr | Static PE information: section name: .text entropy: 7.998061242856676
            Source: Dtldt.exe.0.dr | Static PE information: section name: .sedata entropy: 7.487891420444405

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 | 0_2_1000C570
            Source: unknown | Executable created and started: C:\Windows\SysWOW64\Dtldt.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10021440 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree, | 0_2_10021440
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | File created: C:\Windows\SysWOW64\Dtldt.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | File created: C:\Windows\SysWOW64\Dtldt.exe

            Boot Survival

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 | 0_2_1000C570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, | 0_2_1001B930
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1000C4C0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, | 0_2_1000C4C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825, | 0_2_10001140
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\Dtldt.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\Dtldt.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Code function: 0_2_1001A4A0 | 0_2_1001A4A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_0-31824
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0454 second address: 6D0456 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D05C8 second address: 6D0B63 instructions: 0x00000000 rdtsc 0x00000002 neg dx 0x00000005 mov cx, 4EA1h 0x00000009 pop ax 0x0000000b jmp 00007F44817E1657h 0x0000000d bsf ax, dx 0x00000011 mov di, 6F97h 0x00000015 call 00007F44817E1C2Dh 0x0000001a pop dword ptr [esp+1Bh] 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0B63 second address: 6D0735 instructions: 0x00000000 rdtsc 0x00000002 bsr cx, cx 0x00000006 sub esp, 1Ah 0x00000009 jmp 00007F4481241A6Ch 0x0000000e lea esp, dword ptr [esp+48h] 0x00000012 inc dh 0x00000014 cpuid 0x00000016 mov cx, 6D02h 0x0000001a rol ax, cl 0x0000001d xchg bh, dl 0x0000001f jmp 00007F4481241C87h 0x00000024 stc 0x00000025 not bh 0x00000027 not ecx 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0735 second address: 6D0695 instructions: 0x00000000 rdtsc 0x00000002 mov ax, word ptr [esp] 0x00000006 mov edx, ecx 0x00000008 jmp 00007F44817E154Eh 0x0000000d stc 0x0000000e call 00007F44817E1664h 0x00000013 bsf ax, si 0x00000017 xchg word ptr [esp], bx 0x0000001b xchg word ptr [esp], cx 0x0000001f mov byte ptr [esp+02h], ch 0x00000023 bswap ebx 0x00000025 jmp 00007F44817E170Dh 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e xchg ch, bl 0x00000030 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D09D3 second address: 6D0A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pop ecx 0x00000004 xchg esi, ebp 0x00000006 mov di, 7728h 0x0000000a jmp 00007F4481241D7Ch 0x0000000c bts edx, esp 0x0000000f xchg word ptr [esp+1Ch], si 0x00000014 xchg bx, dx 0x00000017 push dword ptr [esp+02h] 0x0000001b jmp 00007F4481241DDCh 0x0000001d sub esp, 05h 0x00000020 call 00007F4481241E44h 0x00000025 neg cx 0x00000028 pop dword ptr [esp+20h] 0x0000002c bsf bp, bp 0x00000030 pop ebp 0x00000031 lea eax, dword ptr [esp+0000EEACh] 0x00000038 jmp 00007F4481241CEEh 0x0000003d mov dword ptr [esp+18h], edi 0x00000041 call 00007F4481241DFBh 0x00000046 clc 0x00000047 bsf ecx, ebx 0x0000004a call 00007F4481241D84h 0x0000004f std 0x00000050 xchg ah, ch 0x00000052 popad 0x00000053 jmp 00007F4481241D86h 0x00000055 pop dword ptr [esp+03h] 0x00000059 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0A41 second address: 6D0AE9 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [esp+eax] 0x00000005 push word ptr [esp+01h] 0x0000000a jmp 00007F44817E16BFh 0x0000000c xchg bp, bx 0x0000000f pop dword ptr [esp] 0x00000012 add esp, 03h 0x00000015 cld 0x00000016 mov word ptr [esp], sp 0x0000001a lea eax, dword ptr [00000000h+edi*4] 0x00000021 jmp 00007F44817E1655h 0x00000023 mov byte ptr [esp], cl 0x00000026 mov ebx, dword ptr [esp] 0x00000029 btc si, cx 0x0000002d xchg ch, bh 0x0000002f sub esp, 01h 0x00000032 jmp 00007F44817E1715h 0x00000037 sub esp, 1Eh 0x0000003a call 00007F44817E163Eh 0x0000003f sub esp, 1Ah 0x00000042 popad 0x00000043 neg esi 0x00000045 std 0x00000046 bts dx, sp 0x0000004a jmp 00007F44817E165Fh 0x0000004c lea edi, dword ptr [00000000h+esi*4] 0x00000053 xchg word ptr [esp+07h], cx 0x00000058 setl ah 0x0000005b jmp 00007F44817E16AAh 0x0000005d push dx 0x0000005f mov dx, 63C0h 0x00000063 mov ebp, dword ptr [esp+17h] 0x00000067 not dl 0x00000069 sub esp, 05h 0x0000006c xchg word ptr [esp+16h], si 0x00000071 jmp 00007F44817E1656h 0x00000073 btc eax, esi 0x00000076 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0BB7 second address: 6D0BB9 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0BB9 second address: 6D0BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E165Fh 0x00000004 mov dword ptr [esp], eax 0x00000007 cmc 0x00000008 pushad 0x00000009 push word ptr [esp+03h] 0x0000000e mov bp, word ptr [esp+1Fh] 0x00000013 jmp 00007F44817E16D4h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0CE6 second address: 6D0D0E instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241E23h 0x00000007 lea edx, dword ptr [00000000h+edx*4] 0x0000000e mov ecx, esp 0x00000010 jmp 00007F4481241D50h 0x00000012 pop edx 0x00000013 xchg word ptr [esp+04h], cx 0x00000018 cpuid 0x0000001a xchg word ptr [esp], bx 0x0000001e push word ptr [esp+13h] 0x00000023 add esp, 0Fh 0x00000026 jmp 00007F4481241D76h 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D0D0E second address: 6D0D93 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 sub esp, 06h 0x00000007 push word ptr [esp+06h] 0x0000000c jmp 00007F44817E16B6h 0x0000000e sbb edx, 4C9FCF64h 0x00000014 mov bh, dh 0x00000016 mov eax, dword ptr [esp+03h] 0x0000001a lea eax, dword ptr [esp+edx] 0x0000001d xchg byte ptr [esp+07h], dh 0x00000021 jmp 00007F44817E1657h 0x00000023 lea esp, dword ptr [esp] 0x00000026 pop ax 0x00000028 pop si 0x0000002a mov bx, CC7Ch 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 jmp 00007F44817E16E9h 0x00000034 lea esp, dword ptr [esp] 0x00000037 mov di, bp 0x0000003a rcl ebx, 17h 0x0000003d neg al 0x0000003f lea edi, dword ptr [00000000h+esi*4] 0x00000046 ror ebx, cl 0x00000048 jmp 00007F44817E1646h 0x0000004a add esi, esp 0x0000004c cld 0x0000004d mov dh, byte ptr [esp+07h] 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D102C second address: 6D1047 instructions: 0x00000000 rdtsc 0x00000002 mov dl, 2Eh 0x00000004 pop edx 0x00000005 pushad 0x00000006 pop cx 0x00000008 push dword ptr [esp+10h] 0x0000000c jmp 00007F4481241D6Fh 0x0000000e lea edx, dword ptr [edx+ebp] 0x00000011 and ch, FFFFFFCCh 0x00000014 mov eax, esi 0x00000016 xchg ecx, esi 0x00000018 dec di 0x0000001a sbb ax, 0000B5A1h 0x0000001e jmp 00007F4481241D7Ah 0x00000020 mov byte ptr [esp+14h], dh 0x00000024 add esp, 26h 0x00000027 not ebp 0x00000029 pop word ptr [esp] 0x0000002d mov bl, 13h 0x0000002f jmp 00007F4481241DDAh 0x00000031 mov ebp, 9AAF724Ch 0x00000036 btr bp, si 0x0000003a pop bp 0x0000003c bswap ebp 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6D12E9 second address: 6D11B5 instructions: 0x00000000 rdtsc 0x00000002 xchg word ptr [esp+0Bh], cx 0x00000007 setbe dl 0x0000000a xchg byte ptr [esp+04h], dl 0x0000000e jmp 00007F44817E1627h 0x00000010 pop dword ptr [esp] 0x00000013 dec edx 0x00000014 add esp, 05h 0x00000017 mov bp, ax 0x0000001a mov cl, 88h 0x0000001c mov edx, dword ptr [esp+03h] 0x00000020 jmp 00007F44817E1603h 0x00000022 push word ptr [esp+01h] 0x00000027 dec cl 0x00000029 lea esp, dword ptr [esp+04h] 0x0000002d bsf edi, ebx 0x00000030 push word ptr [esp+02h] 0x00000035 pop ebx 0x00000036 jmp 00007F44817E1606h 0x00000038 lea edi, dword ptr [00000000h+ebx*4] 0x0000003f not ebp 0x00000041 xchg bh, cl 0x00000043 pop bp 0x00000045 mov bx, BEE2h 0x00000049 mov ax, 565Ah 0x0000004d jmp 00007F44817E1655h 0x0000004f rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5EFC12 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 jmp 00007F4481241E09h 0x00000008 mov esi, dword ptr [esp+34h] 0x0000000c mov ch, dl 0x0000000e call 00007F4481241D7Dh 0x00000013 mov ah, bh 0x00000015 mov ch, dl 0x00000017 jmp 00007F4481241DDAh 0x00000019 lea ebp, dword ptr [esp+0Ch] 0x0000001d lea edi, dword ptr [ecx+esi] 0x00000020 mov bl, DCh 0x00000022 not ax 0x00000025 sub esp, 000000B4h 0x0000002b jmp 00007F4481241D56h 0x0000002d mov edi, esp 0x0000002f call 00007F4481241DC0h 0x00000034 mov word ptr [esp], bx 0x00000038 lea edx, dword ptr [00000000h+ebx*4] 0x0000003f mov ecx, esi 0x00000041 jmp 00007F4481241DBDh 0x00000043 mov dx, F2EDh 0x00000047 neg ebx 0x00000049 jc 00007F4481241E1Dh 0x0000004b lea ebx, dword ptr [00000000h+ebp*4] 0x00000052 mov ax, 8AE6h 0x00000056 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5EFD44 second address: 5EFD82 instructions: 0x00000000 rdtsc 0x00000002 mov bl, byte ptr [esp] 0x00000005 push sp 0x00000007 mov word ptr [esp], bp 0x0000000b mov ah, dh 0x0000000d push word ptr [esp] 0x00000011 jc 00007F44817E1646h 0x00000013 jmp 00007F44817E166Ah 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 add esi, 565B2E4Fh 0x0000001f mov bx, ax 0x00000022 inc eax 0x00000023 jmp 00007F44817E16DCh 0x00000025 jp 00007F44817E162Eh 0x00000027 bsf edx, ebx 0x0000002a lea eax, dword ptr [ebp-0000FDAEh] 0x00000030 jmp 00007F44817E165Fh 0x00000032 pushad 0x00000033 jmp 00007F44817E16A2h 0x00000035 lea esp, dword ptr [esp+20h] 0x00000039 not esi 0x0000003b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5EFD82 second address: 5EFE06 instructions: 0x00000000 rdtsc 0x00000002 mov bl, CBh 0x00000004 xchg ebx, edx 0x00000006 jmp 00007F4481241E10h 0x00000008 mov eax, ecx 0x0000000a mov ax, word ptr [esp] 0x0000000e bt bx, ax 0x00000012 jc 00007F4481241D28h 0x00000014 mov eax, ecx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5F0912 second address: 5F0EEB instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+50h] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c jmp 00007F44817E16A8h 0x0000000e mov dx, cx 0x00000011 setnl dh 0x00000014 setnp bl 0x00000017 jmp 00007F44817E1661h 0x00000019 cmp ebp, eax 0x0000001b call 00007F44817E1C37h 0x00000020 not dl 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 603B99 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push dword ptr [esp+38h] 0x00000007 retn 003Ch 0x0000000a lea eax, dword ptr [eax+edx] 0x0000000d add ebx, 2AEE4402h 0x00000013 jmp 00007F448122DF54h 0x00000018 mov ecx, esi 0x0000001a jmp 00007F4481241DBDh 0x0000001c mov dx, F2EDh 0x00000020 neg ebx 0x00000022 jc 00007F4481241E1Dh 0x00000024 lea ebx, dword ptr [00000000h+ebp*4] 0x0000002b mov ax, 8AE6h 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 603E4D second address: 5F76B3 instructions: 0x00000000 rdtsc 0x00000002 bsf ax, bx 0x00000006 jmp 00007F44817E16CBh 0x00000008 adc ax, ax 0x0000000b push dword ptr [esp+14h] 0x0000000f retn 0018h 0x00000012 pop esi 0x00000013 jmp 00007F44817D4E76h 0x00000018 mov ecx, edi 0x0000001a jmp 00007F44817E16BAh 0x0000001c mov edx, dword ptr [esp] 0x0000001f lea ebx, dword ptr [esp+000076EAh] 0x00000026 lea eax, dword ptr [esp+edx] 0x00000029 call 00007F44817E165Dh 0x0000002e mov dx, word ptr [esp+02h] 0x00000033 add esp, 00000000h 0x00000036 jl 00007F44817E2AFAh 0x0000003c jnl 00007F44817E1778h 0x00000042 push word ptr [esp+02h] 0x00000047 mov bh, cl 0x00000049 lea edx, dword ptr [00000000h+esi*4] 0x00000050 jmp 00007F44817E15F2h 0x00000055 bsr ebx, ebp 0x00000058 bts ax, dx 0x0000005c jmp 00007F44817E17F1h 0x00000061 neg ah 0x00000063 lea esp, dword ptr [esp+02h] 0x00000067 jmp 00007F44817E14DAh 0x0000006c rol edi, 00000000h 0x0000006f stc 0x00000070 jnl 00007F44817E1666h 0x00000072 pushad 0x00000073 jmp 00007F44817E1686h 0x00000075 sub esp, 06h 0x00000078 lea ebx, dword ptr [00000000h+edi*4] 0x0000007f lea esp, dword ptr [esp+02h] 0x00000083 jmp 00007F44817E16C4h 0x00000085 lea esp, dword ptr [esp+28h] 0x00000089 dec edi 0x0000008a lea eax, dword ptr [00000000h+ebx*4] 0x00000091 push eax 0x00000092 mov dx, cx 0x00000095 jmp 00007F44817E1645h 0x00000097 mov word ptr [esp+01h], dx 0x0000009c not al 0x0000009e lea esp, dword ptr [esp+04h] 0x000000a2 add edi, 507E8820h 0x000000a8 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5F76B3 second address: 5F7759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE0h 0x00000004 mov edx, dword ptr [esp] 0x00000007 setnb al 0x0000000a bswap edx 0x0000000c rcl dl, cl 0x0000000e jp 00007F4481241D58h 0x00000010 not dl 0x00000012 sub esp, 10h 0x00000015 jmp 00007F4481241E25h 0x0000001a lea esp, dword ptr [esp+10h] 0x0000001e xor edi, 77D48258h 0x00000024 bsf ax, si 0x00000028 jnl 00007F4481241D7Ah 0x0000002a sub esp, 03h 0x0000002d mov ebx, edx 0x0000002f setne bh 0x00000032 xchg bh, dl 0x00000034 lea esp, dword ptr [esp+03h] 0x00000038 jmp 00007F4481241DBCh 0x0000003a xor edi, 60BA760Eh 0x00000040 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5F7759 second address: 5F7785 instructions: 0x00000000 rdtsc 0x00000002 btc ax, bx 0x00000006 jmp 00007F44817E16BCh 0x00000008 jno 00007F44817E164Ah 0x0000000a rcl al, cl 0x0000000c add edi, dword ptr [ebp+00h] 0x0000000f mov ax, word ptr [esp] 0x00000013 jmp 00007F44817E1697h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 601B40 second address: 601B44 instructions: 0x00000000 rdtsc 0x00000002 mov dh, B2h 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 604FB2 second address: 5F4C8A instructions: 0x00000000 rdtsc 0x00000002 mov bx, word ptr [esp] 0x00000006 mov ecx, 84CCED5Ah 0x0000000b jmp 00007F44817E163Fh 0x0000000d mov edx, ebp 0x0000000f pop ebx 0x00000010 jmp 00007F44817D1318h 0x00000015 mov ebx, edi 0x00000017 mov ax, word ptr [esp] 0x0000001b xchg eax, edx 0x0000001c mov dl, 3Ah 0x0000001e jmp 00007F44817E165Dh 0x00000020 lea eax, dword ptr [edx+edx] 0x00000023 lea edx, dword ptr [ebx-6DA261F9h] 0x00000029 mov dx, bx 0x0000002c sub esp, 14h 0x0000002f jmp 00007F44817E1696h 0x00000031 jo 00007F44817E1696h 0x00000033 mov edx, dword ptr [esp+05h] 0x00000037 pop dx 0x00000039 jmp 00007F44817E1792h 0x0000003e mov dh, 8Ch 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 jmp 00007F44817E1582h 0x00000049 lea esp, dword ptr [esp+10h] 0x0000004d sub edi, 128A0F11h 0x00000053 jmp 00007F44817E1709h 0x00000058 rcr cx, 0005h 0x0000005c jp 00007F44817E162Dh 0x0000005e shl al, 1 0x00000060 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5F4C8A second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D86h 0x00000004 mov cx, EB63h 0x00000008 jmp 00007F4481241DCEh 0x0000000a ror edi, 00000000h 0x0000000d stc 0x0000000e jle 00007F4481241D86h 0x00000010 lea edx, dword ptr [eax+ecx] 0x00000013 jmp 00007F4481241DF0h 0x00000015 xchg edx, ecx 0x00000017 mov al, byte ptr [esp] 0x0000001a mov dx, word ptr [esp] 0x0000001e jmp 00007F4481241D81h 0x00000020 mov edx, 96F70AFFh 0x00000025 jmp 00007F4481241D75h 0x00000027 add edi, 4B2345C8h 0x0000002d mov ecx, dword ptr [esp] 0x00000030 mov ecx, edx 0x00000032 lea edx, dword ptr [ecx+ebp] 0x00000035 jmp 00007F4481241DEFh 0x00000037 xchg dl, dh 0x00000039 xchg ecx, edx 0x0000003b ror edi, 00000000h 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 5F6D40 second address: 5F6D45 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+ebp] 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 60139C second address: 6014E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D5Eh 0x00000004 sub ebp, 04h 0x00000007 mov dx, sp 0x0000000a add al, C5h 0x0000000c jnle 00007F4481241DF2h 0x0000000e mov eax, esp 0x00000010 mov ax, di 0x00000013 jmp 00007F4481241DEFh 0x00000015 mov edx, edi 0x00000017 mov ecx, dword ptr [edx] 0x00000019 mov dh, cl 0x0000001b rcr edx, cl 0x0000001d jmp 00007F44812420C7h 0x00000022 jp 00007F4481241F86h 0x00000028 mov edx, F267AC06h 0x0000002d setnp dl 0x00000030 jmp 00007F4481241B8Ah 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 601682 second address: 6017C4 instructions: 0x00000000 rdtsc 0x00000002 bt dx, di 0x00000006 jmp 00007F44817E1698h 0x00000008 jne 00007F44817E1696h 0x0000000a bswap eax 0x0000000c inc al 0x0000000e mov ax, word ptr [esp] 0x00000012 jmp 00007F44817E173Eh 0x00000017 cmc 0x00000018 mov eax, esi 0x0000001a mov dx, 4C11h 0x0000001e jmp 00007F44817E15CDh 0x00000023 rol ecx, 00000000h 0x00000026 jnc 00007F44817E16DBh 0x00000028 mov ah, al 0x0000002a mov dh, byte ptr [esp] 0x0000002d mov edx, dword ptr [esp] 0x00000030 rcl eax, 09h 0x00000033 lea edx, dword ptr [ebx+esi] 0x00000036 call 00007F44817E1725h 0x0000003b jmp 00007F44817E16BAh 0x0000003d not eax 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6023D2 second address: 601A3F instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 jmp 00007F44812414D0h 0x00000009 add ebp, 04h 0x0000000c lea edx, dword ptr [00000000h+ebp*4] 0x00000013 not ax 0x00000016 push esi 0x00000017 jmp 00007F4481241CE1h 0x0000001c not ah 0x0000001e bsr cx, bx 0x00000022 jnl 00007F4481241D79h 0x00000024 mov si, bx 0x00000027 jmp 00007F4481241D87h 0x00000029 push ebx 0x0000002a mov cx, A66Fh 0x0000002e mov edx, 7C18FE6Fh 0x00000033 mov ah, 72h 0x00000035 xchg eax, ecx 0x00000036 jmp 00007F4481241DAEh 0x00000038 push edi 0x00000039 not bh 0x0000003b sets dh 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 603DFC second address: 603EE8 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [eax+ebx] 0x00000005 jmp 00007F44817E1705h 0x0000000a bsr edx, edx 0x0000000d jo 00007F44817E16CBh 0x0000000f jno 00007F44817E16C9h 0x00000011 mov edi, dword ptr [ebp+00h] 0x00000014 clc 0x00000015 jnc 00007F44817E1650h 0x00000017 jmp 00007F44817E1696h 0x00000019 xchg ax, dx 0x0000001b jmp 00007F44817E16A2h 0x0000001d add ebp, 04h 0x00000020 mov ah, byte ptr [esp] 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 604FCA second address: 6050CF instructions: 0x00000000 rdtsc 0x00000002 not edx 0x00000004 jmp 00007F4481241DCFh 0x00000006 push esi 0x00000007 bsr eax, esp 0x0000000a jo 00007F4481241DF5h 0x0000000c mov cl, D6h 0x0000000e mov ecx, dword ptr [esp] 0x00000011 dec esi 0x00000012 jmp 00007F4481241DC7h 0x00000014 push ebx 0x00000015 call 00007F4481241E34h 0x0000001a mov ax, 7417h 0x0000001e bswap edx 0x00000020 bt ecx, edx 0x00000023 pushfd 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6050CF second address: 60503E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A7h 0x00000004 xchg dword ptr [esp+04h], ecx 0x00000008 mov dx, si 0x0000000b mov ebx, esp 0x0000000d not bh 0x0000000f call 00007F44817E165Fh 0x00000014 lea ecx, dword ptr [ecx+01h] 0x00000017 mov ah, byte ptr [esp] 0x0000001a jmp 00007F44817E16B9h 0x0000001c lea esi, dword ptr [00000000h+esi*4] 0x00000023 lea esi, dword ptr [eax+ebp] 0x00000026 btr ax, sp 0x0000002a mov bx, 430Fh 0x0000002e xchg dword ptr [esp+08h], ecx 0x00000032 neg dl 0x00000034 jmp 00007F44817E164Fh 0x00000036 sub esp, 1Ah 0x00000039 lea esp, dword ptr [esp+11h] 0x0000003d pop dword ptr [esp] 0x00000040 xor ebx, 69AE8573h 0x00000046 jmp 00007F44817E1710h 0x0000004b lea esp, dword ptr [esp+01h] 0x0000004f push dword ptr [esp+0Ch] 0x00000053 retn 0010h 0x00000056 stc 0x00000057 ja 00007F44817E17C0h 0x0000005d rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60503E second address: 60518E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241EC2h 0x00000007 mov cx, 032Ah 0x0000000b sub cx, bx 0x0000000e jmp 00007F4481241DB8h 0x00000010 push ebp 0x00000011 lea eax, dword ptr [ecx+edx] 0x00000014 jmp 00007F4481241DA6h 0x00000016 mov eax, dword ptr [esp] 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60518E second address: 6051B3 instructions: 0x00000000 rdtsc 0x00000002 mov dx, E701h 0x00000006 mov cx, dx 0x00000009 xchg ebx, ebp 0x0000000b xchg dl, ah 0x0000000d jmp 00007F44817E1698h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 5F4CDF second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 mov cx, EB63h 0x00000006 jmp 00007F4481241D5Fh 0x00000008 ror edi, 00000000h 0x0000000b stc 0x0000000c jle 00007F4481241D86h 0x0000000e lea edx, dword ptr [eax+ecx] 0x00000011 jmp 00007F4481241DF0h 0x00000013 xchg edx, ecx 0x00000015 mov al, byte ptr [esp] 0x00000018 mov dx, word ptr [esp] 0x0000001c jmp 00007F4481241D81h 0x0000001e mov edx, 96F70AFFh 0x00000023 jmp 00007F4481241D75h 0x00000025 add edi, 4B2345C8h 0x0000002b mov ecx, dword ptr [esp] 0x0000002e mov ecx, edx 0x00000030 lea edx, dword ptr [ecx+ebp] 0x00000033 jmp 00007F4481241DEFh 0x00000035 xchg dl, dh 0x00000037 xchg ecx, edx 0x00000039 ror edi, 00000000h 0x0000003c rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 604854 second address: 604865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16DDh 0x00000004 mov ecx, dword ptr [ebp+00h] 0x00000007 mov edx, esp 0x00000009 seto al 0x0000000c setb dh 0x0000000f jmp 00007F44817E161Ah 0x00000011 add dword ptr [ebp+04h], ecx 0x00000014 xchg ah, dh 0x00000016 mov dl, byte ptr [esp] 0x00000019 mov eax, DB213984h 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 6047C6 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [esi-000000EAh] 0x00000008 jmp 00007F4481241D6Bh 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F4481241E45h 0x00000015 jns 00007F4481241D2Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F4481241DBCh 0x00000027 jp 00007F4481241DBAh 0x00000029 pop ebx 0x0000002a jmp 00007F4481241DBDh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F4481241DECh 0x00000039 jbe 00007F4481241D5Ah 0x0000003b pop esi 0x0000003c jmp 00007F448123218Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F4481241D7Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F4481241DB6h 0x0000005d jo 00007F4481241DB6h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F4481241EB2h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F4481241CA2h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F4481241E29h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F4481241D4Dh 0x0000008a shl al, 1 0x0000008c rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60C3F9 second address: 60B418 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 04h 0x00000005 pushfd 0x00000006 pop dx 0x00000008 jmp 00007F44817E1650h 0x0000000a mov eax, dword ptr [esp] 0x0000000d lea esp, dword ptr [esp+02h] 0x00000011 mov dword ptr [ebp+00h], ebx 0x00000014 lea eax, dword ptr [00000000h+eax*4] 0x0000001b inc dh 0x0000001d jmp 00007F44817E16B5h 0x0000001f jo 00007F44817E1622h 0x00000021 mov ah, byte ptr [esp] 0x00000024 call 00007F44817E1665h 0x00000029 xor ax, sp 0x0000002c lea eax, dword ptr [esi-000000F8h] 0x00000032 push ax 0x00000034 jmp 00007F44817E1696h 0x00000036 mov edx, B2EBA21Ah 0x0000003b dec edx 0x0000003c lea esp, dword ptr [esp+02h] 0x00000040 xchg dword ptr [esp], ecx 0x00000043 mov dl, BBh 0x00000045 rcl dl, 1 0x00000047 jmp 00007F44817E16B3h 0x00000049 lea edx, dword ptr [00000000h+ebp*4] 0x00000050 push esp 0x00000051 xchg dh, dl 0x00000053 lea ecx, dword ptr [ecx-0000104Ah] 0x00000059 mov ax, word ptr [esp] 0x0000005d bt dx, ax 0x00000061 jmp 00007F44817E1652h 0x00000063 rcr ax, cl 0x00000066 rcr ah, cl 0x00000068 xchg dword ptr [esp+04h], ecx 0x0000006c inc dx 0x0000006e jmp 00007F44817E1B33h 0x00000073 lea edx, dword ptr [edi+0000008Eh] 0x00000079 push ax 0x0000007b lea esp, dword ptr [esp] 0x0000007e mov word ptr [esp], ax 0x00000082 lea esp, dword ptr [esp+02h] 0x00000086 push dword ptr [esp+04h] 0x0000008a retn 0008h 0x0000008d mov ax, word ptr [esp] 0x00000091 bsr ebx, edx 0x00000094 jp 00007F44817E1663h 0x00000096 btc ax, cx 0x0000009a jmp 00007F44817E16B2h 0x0000009c rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60B12B second address: 60B154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE4h 0x00000004 lea esp, dword ptr [esp+02h] 0x00000008 xchg dword ptr [esp+04h], ebp 0x0000000c mov ah, byte ptr [esp] 0x0000000f mov dh, 8Eh 0x00000011 xchg edx, eax 0x00000013 lea ebp, dword ptr [ebp+5Dh] 0x00000016 jmp 00007F4481241D71h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60B154 second address: 60B187 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 call 00007F44817E16C2h 0x0000000a sub esp, 11h 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 xchg dword ptr [esp+18h], ebp 0x00000015 add al, 3Ah 0x00000017 jmp 00007F44817E165Dh 0x00000019 neg edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60B187 second address: 60B244 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 call 00007F4481241DC0h 0x00000008 push dword ptr [esp+1Ch] 0x0000000c retn 0020h 0x0000000f bts edx, ebp 0x00000012 sub esp, 1Bh 0x00000015 jmp 00007F4481241EE5h 0x0000001a xchg byte ptr [esp+0Bh], dh 0x0000001e xchg dl, al 0x00000020 ror bl, 00000000h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60B244 second address: 60B1DE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ebx+edi] 0x00000005 jmp 00007F44817E163Dh 0x00000007 clc 0x00000008 jnbe 00007F44817E1662h 0x0000000a lea eax, dword ptr [00000000h+edi*4] 0x00000011 rol bl, 00000000h 0x00000014 jmp 00007F44817E1660h 0x00000016 sub dh, ah 0x00000018 js 00007F44817E16BDh 0x0000001a btr ax, si 0x0000001e mov dl, byte ptr [esp] 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 603F07 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 bts dx, dx 0x00000006 xchg dword ptr [esp], edi 0x00000009 mov eax, esp 0x0000000b mov eax, edx 0x0000000d btc dx, di 0x00000011 jmp 00007F4481241B5Fh 0x00000016 mov ax, E5E4h 0x0000001a push dword ptr [esp] 0x0000001d retn 0004h 0x00000020 mov ebx, edi 0x00000022 mov ax, word ptr [esp] 0x00000026 xchg eax, edx 0x00000027 mov dl, 3Ah 0x00000029 jmp 00007F4481241D7Dh 0x0000002b lea eax, dword ptr [edx+edx] 0x0000002e lea edx, dword ptr [ebx-6DA261F9h] 0x00000034 mov dx, bx 0x00000037 sub esp, 14h 0x0000003a jmp 00007F4481241DB6h 0x0000003c jo 00007F4481241DB6h 0x0000003e mov edx, dword ptr [esp+05h] 0x00000042 pop dx 0x00000044 jmp 00007F4481241EB2h 0x00000049 mov dh, 8Ch 0x0000004b lea esp, dword ptr [esp+02h] 0x0000004f jmp 00007F4481241CA2h 0x00000054 lea esp, dword ptr [esp+10h] 0x00000058 sub edi, 128A0F11h 0x0000005e jmp 00007F4481241E29h 0x00000063 rcr cx, 0005h 0x00000067 jp 00007F4481241D4Dh 0x00000069 shl al, 1 0x0000006b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 607D80 second address: 607B82 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 call 00007F44817E148Dh 0x0000000a setne dh 0x0000000d mov ecx, ebp 0x0000000f mov dh, 9Bh 0x00000011 mov dl, 24h 0x00000013 bswap edx 0x00000015 jmp 00007F44817E165Fh 0x00000017 xchg dword ptr [esp], ebx 0x0000001a lea ecx, dword ptr [edi+41h] 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 607B82 second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 mov edx, F46DAA9Dh 0x00000007 inc ch 0x00000009 jmp 00007F4481241DB4h 0x0000000b lea ebx, dword ptr [ebx-000001C5h] 0x00000011 mov dx, 50EEh 0x00000015 bsr cx, di 0x00000019 call 00007F4481241E16h 0x0000001e stc 0x0000001f pop word ptr [esp] 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F4481241D65h 0x00000029 xchg dword ptr [esp], ebx 0x0000002c xchg cl, dh 0x0000002e xchg cx, dx 0x00000031 mov cx, word ptr [esp] 0x00000035 push dword ptr [esp] 0x00000038 retn 0004h 0x0000003b sub ebp, 02h 0x0000003e jmp 00007F4481241DA6h 0x00000040 neg dl 0x00000042 jo 00007F4481241DD3h 0x00000044 mov eax, ecx 0x00000046 xchg edx, eax 0x00000048 mov dh, 4Fh 0x0000004a jmp 00007F4481241F01h 0x0000004f mov cl, byte ptr [edi] 0x00000051 not dl 0x00000053 bswap edx 0x00000055 setb dl 0x00000058 neg ah 0x0000005a jmp 00007F4481241CA0h 0x0000005f jng 00007F4481241E3Bh 0x00000065 pushfd 0x00000066 mov al, byte ptr [esp+03h] 0x0000006a xchg word ptr [esp], ax 0x0000006e btc ax, dx 0x00000072 pop eax 0x00000073 sub esp, 0Bh 0x00000076 jmp 00007F4481241D24h 0x00000078 push dword ptr [esp+06h] 0x0000007c jnp 00007F4481241D79h 0x0000007e dec dx 0x00000080 lea esp, dword ptr [esp+03h] 0x00000084 jmp 00007F4481241D7Dh 0x00000086 sub cl, bl 0x00000088 xchg eax, edx 0x00000089 mov al, 17h 0x0000008b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60476F second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A2h 0x00000004 lea esi, dword ptr [esi-000000EAh] 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F44817E1725h 0x00000015 jns 00007F44817E160Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F44817E169Ch 0x00000027 jp 00007F44817E169Ah 0x00000029 pop ebx 0x0000002a jmp 00007F44817E169Dh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F44817E16CCh 0x00000039 jbe 00007F44817E163Ah 0x0000003b pop esi 0x0000003c jmp 00007F44817D1A6Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F44817E165Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F44817E1696h 0x0000005d jo 00007F44817E1696h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F44817E1792h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F44817E1582h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F44817E1709h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F44817E162Dh 0x0000008a shl al, 1 0x0000008c rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 610C59 second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DFAh 0x00000004 mov dh, dl 0x00000006 jmp 00007F448123A8A9h 0x0000000b mov eax, 0B0F4634h 0x00000010 jmp 00007F4481241D36h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 607B5F second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 jmp 00007F44817E16E1h 0x00000007 sub ebp, 02h 0x0000000a jmp 00007F44817E1686h 0x0000000c neg dl 0x0000000e jo 00007F44817E16B3h 0x00000010 mov eax, ecx 0x00000012 xchg edx, eax 0x00000014 mov dh, 4Fh 0x00000016 jmp 00007F44817E17E1h 0x0000001b mov cl, byte ptr [edi] 0x0000001d not dl 0x0000001f bswap edx 0x00000021 setb dl 0x00000024 neg ah 0x00000026 jmp 00007F44817E1580h 0x0000002b jng 00007F44817E171Bh 0x00000031 pushfd 0x00000032 mov al, byte ptr [esp+03h] 0x00000036 xchg word ptr [esp], ax 0x0000003a btc ax, dx 0x0000003e pop eax 0x0000003f sub esp, 0Bh 0x00000042 jmp 00007F44817E1604h 0x00000044 push dword ptr [esp+06h] 0x00000048 jnp 00007F44817E1659h 0x0000004a dec dx 0x0000004c lea esp, dword ptr [esp+03h] 0x00000050 jmp 00007F44817E165Dh 0x00000052 sub cl, bl 0x00000054 xchg eax, edx 0x00000055 mov al, 17h 0x00000057 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 5F4B9A second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea ebp, dword ptr [esp] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c mov bx, B92Bh 0x00000010 setnl dh 0x00000013 jmp 00007F4481241D77h 0x00000015 mov si, ax 0x00000018 jmp 00007F4481241DC8h 0x0000001a sub esp, 000000C0h 0x00000020 jmp 00007F4481241DD7h 0x00000022 mov esi, esp 0x00000024 sub eax, 56CA30D9h 0x00000029 jne 00007F4481241D83h 0x0000002b mov bx, di 0x0000002e jmp 00007F4481241DDBh 0x00000030 lea ebx, dword ptr [ebx-3Bh] 0x00000033 mov ebx, edi 0x00000035 mov ax, word ptr [esp] 0x00000039 xchg eax, edx 0x0000003a mov dl, 3Ah 0x0000003c jmp 00007F4481241D7Dh 0x0000003e lea eax, dword ptr [edx+edx] 0x00000041 lea edx, dword ptr [ebx-6DA261F9h] 0x00000047 mov dx, bx 0x0000004a sub esp, 14h 0x0000004d jmp 00007F4481241DB6h 0x0000004f jo 00007F4481241DB6h 0x00000051 mov edx, dword ptr [esp+05h] 0x00000055 pop dx 0x00000057 jmp 00007F4481241EB2h 0x0000005c mov dh, 8Ch 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 jmp 00007F4481241CA2h 0x00000067 lea esp, dword ptr [esp+10h] 0x0000006b sub edi, 128A0F11h 0x00000071 jmp 00007F4481241E29h 0x00000076 rcr cx, 0005h 0x0000007a jp 00007F4481241D4Dh 0x0000007c shl al, 1 0x0000007e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 6068A9 second address: 60687C instructions: 0x00000000 rdtsc 0x00000002 sub cx, bx 0x00000005 jmp 00007F44817E164Ah 0x00000007 mov dx, word ptr [esp] 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 606B01 second address: 606B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB2h 0x00000004 lea esp, dword ptr [esp+03h] 0x00000008 jmp 00007F4481241DB8h 0x0000000a rol cx, 0000h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 606B35 second address: 606C59 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [00000000h+ebp*4] 0x00000009 mov eax, edx 0x0000000b jmp 00007F44817E16BDh 0x0000000d mov eax, edx 0x0000000f lea esp, dword ptr [esp+04h] 0x00000013 not cx 0x00000016 rcl ah, cl 0x00000018 jnp 00007F44817E163Ah 0x0000001a jmp 00007F44817E16A5h 0x0000001c mov dl, cl 0x0000001e cmc 0x0000001f sub edx, ebx 0x00000021 jmp 00007F44817E1658h 0x00000023 add cx, 46A5h 0x00000028 mov dl, byte ptr [esp] 0x0000002b xor edx, AB5782EBh 0x00000031 jmp 00007F44817E16FCh 0x00000033 jne 00007F44817E1643h 0x00000035 mov dh, 44h 0x00000037 mov dx, BF5Ch 0x0000003b call 00007F44817E16A1h 0x00000040 lea eax, dword ptr [ebx+ebp] 0x00000043 jmp 00007F44817E1661h 0x00000045 lea esp, dword ptr [esp+04h] 0x00000049 xor cx, EF15h 0x0000004e lea eax, dword ptr [esi-0000C2B9h] 0x00000054 mov al, ah 0x00000056 jmp 00007F44817E16ABh 0x00000058 pushfd 0x00000059 mov dl, bh 0x0000005b xchg byte ptr [esp], al 0x0000005e bsf edx, esp 0x00000061 jne 00007F44817E16B6h 0x00000063 mov dword ptr [esp], ecx 0x00000066 jmp 00007F44817E16B9h 0x00000068 lea esp, dword ptr [esp+04h] 0x0000006c inc cx 0x0000006e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 606C59 second address: 606C5B instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 64C1E3 second address: 64C2CE instructions: 0x00000000 rdtsc 0x00000002 btr ebx, ebx 0x00000005 jno 00007F44817E16AFh 0x00000007 cmc 0x00000008 jmp 00007F44817E1669h 0x0000000a mov ebx, 1F08C55Dh 0x0000000f jmp 00007F44817E1694h 0x00000011 sub ebp, 08h 0x00000014 setns bl 0x00000017 sub esp, 1Ch 0x0000001a jmp 00007F44817E16CCh 0x0000001c jns 00007F44817E163Ah 0x0000001e pop dword ptr [esp+11h] 0x00000022 mov bh, byte ptr [esp+14h] 0x00000026 jmp 00007F44817E16A8h 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, E17Ah 0x0000002f mov edx, 6E64272Bh 0x00000034 sub esp, 18h 0x00000037 jmp 00007F44817E1734h 0x0000003c ja 00007F44817E1712h 0x00000042 mov edx, dword ptr [esp+0Eh] 0x00000046 mov dword ptr [ebp+04h], eax 0x00000049 mov eax, ebp 0x0000004b jmp 00007F44817E1597h 0x00000050 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 5E4613 second address: 5E47B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov byte ptr [esp+0Fh], ah 0x00000007 jmp 00007F4481241DEBh 0x00000009 sub ebp, 08h 0x0000000c call 00007F4481241D87h 0x00000011 push word ptr [esp+02h] 0x00000016 jnl 00007F4481241DD7h 0x00000018 lea esp, dword ptr [esp+02h] 0x0000001c jmp 00007F4481241D7Eh 0x0000001e mov dword ptr [ebp+00h], edx 0x00000021 lea edx, dword ptr [00000000h+ebx*4] 0x00000028 clc 0x00000029 js 00007F4481241DCDh 0x0000002b xchg dl, dh 0x0000002d jmp 00007F4481241E1Eh 0x0000002f xchg eax, ecx 0x00000030 mov dx, 7D53h 0x00000034 bswap edx 0x00000036 mov dh, dl 0x00000038 jmp 00007F4481241D7Ch 0x0000003a mov dword ptr [ebp+04h], ecx 0x0000003d lea edx, dword ptr [eax+ecx] 0x00000040 dec ecx 0x00000041 jno 00007F4481241D83h 0x00000043 mov cl, 71h 0x00000045 jmp 00007F4481241DEEh 0x00000047 jmp 00007F4481241E2Ah 0x0000004c mov ecx, dword ptr [esp] 0x0000004f bswap eax 0x00000051 lea ecx, dword ptr [esi+50h] 0x00000054 bt ax, di 0x00000058 jnp 00007F4481241D65h 0x0000005a mov ax, 5EB0h 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 606615 second address: 6065B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E161Fh 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60DA0E second address: 60DADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D73h 0x00000004 lea eax, dword ptr [00000000h+eax*4] 0x0000000b lea eax, dword ptr [00000000h+eax*4] 0x00000012 jmp 00007F4481241DC1h 0x00000014 ror bx, 0000h 0x00000018 mov dh, byte ptr [esp] 0x0000001b mov ax, word ptr [esp] 0x0000001f neg ax 0x00000022 jl 00007F4481242C6Fh 0x00000028 mov ax, 9EF1h 0x0000002c xchg dx, ax 0x0000002f mov dh, 93h 0x00000031 jmp 00007F4481241DEBh 0x00000033 mov dx, DA80h 0x00000037 jmp 00007F4481241E2Dh 0x0000003c inc bx 0x0000003e btc edx, edx 0x00000041 jnc 00007F4481241D63h 0x00000043 setb al 0x00000046 not dh 0x00000048 bt edx, eax 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 655636 second address: 655647 instructions: 0x00000000 rdtsc 0x00000002 shr cx, cl 0x00000005 jl 00007F44817E1665h 0x00000007 jnl 00007F44817E168Ah 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 60F361 second address: 60F346 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebp 0x00000005 mov dx, 0278h 0x00000009 jmp 00007F4481241D79h 0x0000000b neg ax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 659584 second address: 62E2AD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+18h], ebx 0x00000006 jmp 00007F44817E1686h 0x00000008 lea esp, dword ptr [esp+04h] 0x0000000c popad 0x0000000d lea ecx, dword ptr [ecx-56ECA26Eh] 0x00000013 mov ecx, 9F0203F6h 0x00000018 lea ecx, dword ptr [esp+edi] 0x0000001b call 00007F44817E16A8h 0x00000020 jmp 00007F44817E166Ah 0x00000022 lea esp, dword ptr [esp+04h] 0x00000026 lea ecx, dword ptr [esp+74h] 0x0000002a jmp 00007F44817E1690h 0x0000002c call 00007F448178778Ch 0x00000031 jmp 00007F44817C5DEEh 0x00000036 jmp 00007F44817E1654h 0x0000003b jmp 00007F44817FE1C9h 0x00000040 push esi 0x00000041 jmp 00007F448180EFBFh 0x00000046 pushad 0x00000047 lea ebp, dword ptr [ebp+25A1C75Dh] 0x0000004d not ebx 0x0000004f rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 656379 second address: 65661E instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebx+000000B6h] 0x00000008 call 00007F4481241E3Bh 0x0000000d mov edx, dword ptr [ebp+00h] 0x00000010 neg ebx 0x00000012 jnc 00007F4481241E25h 0x00000018 lea eax, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F4481241EB7h 0x00000024 lea ebx, dword ptr [00000000h+edi*4] 0x0000002b xchg ah, al 0x0000002d jmp 00007F4481241D81h 0x0000002f add ebp, 02h 0x00000032 shl bx, cl 0x00000035 jo 00007F4481241E7Ah 0x0000003b bsf ax, si 0x0000003f jmp 00007F4481241DCEh 0x00000041 sub esp, 05h 0x00000044 cmc 0x00000045 lea esp, dword ptr [esp+01h] 0x00000049 jmp 00007F4481241DCAh 0x0000004b jmp 00007F4481241D78h 0x0000004d mov al, byte ptr [edx] 0x00000050 mov dx, cx 0x00000053 xchg dh, dl 0x00000055 bsr edx, edi 0x00000058 jns 00007F4481241DD5h 0x0000005a mov bh, byte ptr [esp] 0x0000005d mov word ptr [ebp+00h], ax 0x00000061 dec dx 0x00000063 jnbe 00007F4481241DBCh 0x00000065 rol dx, 0007h 0x00000069 call 00007F4481241DD5h 0x0000006e mov edx, dword ptr [esp] 0x00000071 shl edx, 1 0x00000073 mov bx, 859Dh 0x00000077 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 65661E second address: 656620 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 637B15 second address: 637B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB4h 0x00000004 pushfd 0x00000005 pop dword ptr [ebp+00h] 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 607F6E second address: 608024 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1665h 0x00000007 mov dh, ah 0x00000009 mov edx, dword ptr [esp+01h] 0x0000000d push dword ptr [esp+24h] 0x00000011 retn 0028h 0x00000014 bt edx, ecx 0x00000017 btr ax, si 0x0000001b setl dh 0x0000001e jmp 00007F44817E16F6h 0x00000020 not cl 0x00000022 not dx 0x00000025 lea edx, dword ptr [00000000h+edx*4] 0x0000002c push bx 0x0000002e bsr dx, si 0x00000032 jbe 00007F44817E15FAh 0x00000038 pop dx 0x0000003a jmp 00007F44817E169Ah 0x0000003c add cl, FFFFFFA5h 0x0000003f bts dx, sp 0x00000043 jmp 00007F44817E16A8h 0x00000045 jc 00007F44817E165Eh 0x00000047 inc dl 0x00000049 xchg dx, ax 0x0000004c mov al, byte ptr [esp] 0x0000004f clc 0x00000050 not dx 0x00000053 mov ax, si 0x00000056 jmp 00007F44817E16A9h 0x00000058 xor cl, 00000015h 0x0000005b bswap edx 0x0000005d adc ax, dx 0x00000060 jns 00007F44817E16B4h 0x00000062 js 00007F44817E169Ch 0x00000064 pushfd 0x00000065 mov dword ptr [esp], ebx 0x00000068 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 657A01 second address: 658F1B instructions: 0x00000000 rdtsc 0x00000002 rcr bh, cl 0x00000004 mov bh, byte ptr [esp] 0x00000007 xchg dword ptr [esp], edi 0x0000000a jmp 00007F44812432ADh 0x0000000f mov dl, byte ptr [esp] 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 5E245C second address: 60B418 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 4BB0h 0x00000006 mov bx, si 0x00000009 btr bx, dx 0x0000000d jmp 00007F4481817380h 0x00000012 jnl 00007F44817AB99Fh 0x00000018 lea ebx, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F448181738Dh 0x00000024 sub ebp, 08h 0x00000027 push esp 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, word ptr [esp] 0x0000002f jmp 00007F44817E165Fh 0x00000031 or edx, esi 0x00000033 jbe 00007F44817E16CBh 0x00000035 mov edx, eax 0x00000037 sub esp, 1Ch 0x0000003a jmp 00007F44817E16ADh 0x0000003c mov dword ptr [ebp+04h], eax 0x0000003f and dl, ah 0x00000041 jnl 00007F44817E16AFh 0x00000043 bswap ebx 0x00000045 jmp 00007F44817E1668h 0x00000047 mov al, 8Eh 0x00000049 jmp 00007F44817D487Dh 0x0000004e mov ax, word ptr [esp] 0x00000052 bsr ebx, edx 0x00000055 jp 00007F44817E1663h 0x00000057 btc ax, cx 0x0000005b jmp 00007F44817E16B2h 0x0000005d rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeRDTSC instruction interceptor: First address: 618AF6 second address: 618B68 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp] 0x00000005 retn 0004h 0x00000008 mov ecx, dword ptr [ebp+00h] 0x0000000b lea eax, dword ptr [ebx+ebp] 0x0000000e bts dx, di 0x00000012 jmp 00007F4481241E42h 0x00000017 jle 00007F4481241DFDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 640208 second address: 64036F instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1771h 0x00000007 mov dx, word ptr [esp] 0x0000000b call 00007F44817E1666h 0x00000010 mov dl, ah 0x00000012 mov dword ptr [esp], ebx 0x00000015 xchg dword ptr [esp+04h], ebx 0x00000019 sub esp, 14h 0x0000001c jmp 00007F44817E176Fh 0x00000021 push ebx 0x00000022 mov ah, 64h 0x00000024 lea ebx, dword ptr [ebx+4Fh] 0x00000027 mov dx, ax 0x0000002a stc 0x0000002b stc 0x0000002c jmp 00007F44817E15FDh 0x00000031 pushad 0x00000032 xchg ax, dx 0x00000034 xchg dword ptr [esp+3Ch], ebx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 64075D second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241D75h 0x00000007 jmp 00007F4481241E06h 0x00000009 mov al, F0h 0x0000000b mov word ptr [ebp+00h], bx 0x0000000f not eax 0x00000011 rcr bx, 000Ah 0x00000015 jns 00007F4481241D7Eh 0x00000017 jmp 00007F4481241E37h 0x0000001c bsr eax, ebx 0x0000001f sub esp, 0Fh 0x00000022 lea esp, dword ptr [esp+03h] 0x00000026 jmp 00007F448120AD3Bh 0x0000002b mov eax, 0B0F4634h 0x00000030 jmp 00007F4481241D36h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 64023B second address: 640256 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov eax, 1BA171EFh 0x0000000a mov ax, A249h 0x0000000e jmp 00007F44817E16DDh 0x00000010 lea eax, dword ptr [ebx-0000BE75h] 0x00000016 xchg dword ptr [esp], eax 0x00000019 sub esp, 01h 0x0000001c setle dh 0x0000001f mov dl, 2Dh 0x00000021 mov dx, bx 0x00000024 jmp 00007F44817E1656h 0x00000026 sub esp, 0Ah 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d lea eax, dword ptr [eax+25h] 0x00000030 mov edx, esi 0x00000032 xchg dh, dl 0x00000034 xchg dh, dl 0x00000036 jmp 00007F44817E189Ah 0x0000003b lea edx, dword ptr [00000000h+eax*4] 0x00000042 mov dh, byte ptr [esp] 0x00000045 xchg dword ptr [esp+08h], eax 0x00000049 mov eax, dword ptr [esp] 0x0000004c setbe dl 0x0000004f dec dx 0x00000051 jmp 00007F44817E15C9h 0x00000056 clc 0x00000057 push dword ptr [esp+08h] 0x0000005b retn 000Ch 0x0000005e setnle al 0x00000061 xchg al, dh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 641F54 second address: 641F54 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], ecx 0x00000006 jmp 00007F4481241CB1h 0x0000000b cmc 0x0000000c popad 0x0000000d cmc 0x0000000e cmc 0x0000000f shr eax, 10h 0x00000012 call 00007F4481241D83h 0x00000017 jmp 00007F4481241DF7h 0x00000019 lea esp, dword ptr [esp+14h] 0x0000001d test ax, ax 0x00000020 pushad 0x00000021 lea esp, dword ptr [esp+20h] 0x00000025 jmp 00007F4481241D75h 0x00000027 je 00007F4481241C98h 0x0000002d push sp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F4481241F24h 0x00000038 inc edx 0x00000039 inc edx 0x0000003a dec esi 0x0000003b jmp 00007F4481241D87h 0x0000003d jne 00007F4481241C58h 0x00000043 setb ah 0x00000046 jmp 00007F4481241DE7h 0x00000048 setnle al 0x0000004b mov ax, word ptr [esp] 0x0000004f movzx eax, word ptr [edx] 0x00000052 push ecx 0x00000053 stc 0x00000054 jmp 00007F4481241DCFh 0x00000056 mov byte ptr [esp+02h], cl 0x0000005a jmp 00007F4481241D86h 0x0000005c add ecx, eax 0x0000005e sub esp, 0Eh 0x00000061 mov eax, AE848F68h 0x00000066 lea esp, dword ptr [esp+02h] 0x0000006a jmp 00007F4481241EBDh 0x0000006f pushad 0x00000070 mov ebp, E723975Fh 0x00000075 lea ebp, dword ptr [ecx+edi] 0x00000078 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 6575F5 second address: 63E5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E15EBh 0x00000007 inc edi 0x00000008 setnle al 0x0000000b lea edx, dword ptr [eax+ecx] 0x0000000e mov dx, bp 0x00000011 jmp 00007F44817E16BAh 0x00000013 mov dx, word ptr [ebx+esi] 0x00000017 mov bx, word ptr [esp] 0x0000001b cmc 0x0000001c js 00007F44817E1661h 0x0000001e jns 00007F44817E16A0h 0x00000020 lea ebx, dword ptr [ebx+0000E1EEh] 0x00000026 sub ah, ah 0x00000028 jmp 00007F44817E165Ah 0x0000002a mov word ptr [ebp+00h], dx 0x0000002e mov dx, word ptr [esp] 0x00000032 call 00007F44817E1707h 0x00000037 ror edx, 02h 0x0000003a jnbe 00007F44817E164Dh 0x0000003c jbe 00007F44817E1635h 0x0000003e mov bh, al 0x00000040 jmp 00007F44817C866Dh 0x00000045 jmp 00007F44817E1669h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 63DD4F second address: 63DD85 instructions: 0x00000000 rdtsc 0x00000002 btr ax, cx 0x00000006 xchg edx, eax 0x00000008 bsr dx, dx 0x0000000c lea edx, dword ptr [edx+edi] 0x0000000f push dword ptr [esp+44h] 0x00000013 retn 0048h 0x00000016 movzx ebx, byte ptr [edi] 0x00000019 jmp 00007F4481241E96h 0x0000001e lea eax, dword ptr [edx+6Ch] 0x00000021 sub esp, 06h 0x00000024 jl 00007F4481241CA9h 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e call 00007F4481241E13h 0x00000033 mov edx, dword ptr [esp] 0x00000036 mov eax, E9CADE55h 0x0000003b bt edx, edi 0x0000003e mov edx, ecx 0x00000040 inc ah 0x00000042 jmp 00007F4481241D3Ah 0x00000044 xchg dword ptr [esp], ebx 0x00000047 lea edx, dword ptr [00000000h+ebx*4] 0x0000004e not dx 0x00000051 bswap edx 0x00000053 lea eax, dword ptr [00000000h+esi*4] 0x0000005a pushad 0x0000005b jmp 00007F4481241D73h 0x0000005d lea ebx, dword ptr [ebx-0000003Dh] 0x00000063 sub esp, 1Ch 0x00000066 mov ax, 7715h 0x0000006a jmp 00007F4481241DD8h 0x0000006c pop word ptr [esp+06h] 0x00000071 lea esp, dword ptr [esp+02h] 0x00000075 xchg byte ptr [esp+0Ch], ah 0x00000079 xchg dword ptr [esp+38h], ebx 0x0000007d not ax 0x00000080 mov dx, si 0x00000083 jmp 00007F4481241D73h 0x00000085 sets dl 0x00000088 xchg ax, dx 0x0000008a push dword ptr [esp+38h] 0x0000008e retn 003Ch 0x00000091 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | RDTSC instruction interceptor: First address: 63E26B second address: 63E3C3 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1701h 0x00000007 lea eax, dword ptr [ecx-00006757h] 0x0000000d mov eax, 1C262CCAh 0x00000012 mov ax, word ptr [esp] 0x00000016 call 00007F44817E16B6h 0x0000001b xchg dword ptr [esp+04h], esi 0x0000001f bswap eax 0x00000021 jmp 00007F44817E1686h 0x00000023 bsr eax, ecx 0x00000026 inc ax 0x00000028 mov dx, di 0x0000002b lea esi, dword ptr [esi+00000092h] 0x00000031 shr dh, cl 0x00000033 bswap edx 0x00000035 jmp 00007F44817E16B2h 0x00000037 bswap eax 0x00000039 xchg dword ptr [esp+04h], esi 0x0000003d xchg dl, dh 0x0000003f mov dx, 17B9h 0x00000043 mov ax, cx 0x00000046 mov ah, byte ptr [esp] 0x00000049 jmp 00007F44817E1658h 0x0000004b not eax 0x0000004d push dword ptr [esp+04h] 0x00000051 retn 0008h 0x00000054 shr eax, cl 0x00000056 mov edx, dword ptr [esp] 0x00000059 xchg al, ah 0x0000005b rcr eax, cl 0x0000005d bswap edx 0x0000005f mov dx, F0D0h 0x00000063 xchg ax, dx 0x00000065 jmp 00007F44817E175Eh 0x0000006a ror bl, 00000000h 0x0000006d js 00007F44817E165Dh 0x0000006f lea edx, dword ptr [esi-7Fh] 0x00000072 jmp 00007F44817E1642h 0x00000074 lea edx, dword ptr [24CC2BE0h] 0x0000007a rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0454 second address: 6D0456 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D05C8 second address: 6D0B63 instructions: 0x00000000 rdtsc 0x00000002 neg dx 0x00000005 mov cx, 4EA1h 0x00000009 pop ax 0x0000000b jmp 00007F44817E1657h 0x0000000d bsf ax, dx 0x00000011 mov di, 6F97h 0x00000015 call 00007F44817E1C2Dh 0x0000001a pop dword ptr [esp+1Bh] 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0B63 second address: 6D0735 instructions: 0x00000000 rdtsc 0x00000002 bsr cx, cx 0x00000006 sub esp, 1Ah 0x00000009 jmp 00007F4481241A6Ch 0x0000000e lea esp, dword ptr [esp+48h] 0x00000012 inc dh 0x00000014 cpuid 0x00000016 mov cx, 6D02h 0x0000001a rol ax, cl 0x0000001d xchg bh, dl 0x0000001f jmp 00007F4481241C87h 0x00000024 stc 0x00000025 not bh 0x00000027 not ecx 0x00000029 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0735 second address: 6D0695 instructions: 0x00000000 rdtsc 0x00000002 mov ax, word ptr [esp] 0x00000006 mov edx, ecx 0x00000008 jmp 00007F44817E154Eh 0x0000000d stc 0x0000000e call 00007F44817E1664h 0x00000013 bsf ax, si 0x00000017 xchg word ptr [esp], bx 0x0000001b xchg word ptr [esp], cx 0x0000001f mov byte ptr [esp+02h], ch 0x00000023 bswap ebx 0x00000025 jmp 00007F44817E170Dh 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e xchg ch, bl 0x00000030 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D09D3 second address: 6D0A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pop ecx 0x00000004 xchg esi, ebp 0x00000006 mov di, 7728h 0x0000000a jmp 00007F4481241D7Ch 0x0000000c bts edx, esp 0x0000000f xchg word ptr [esp+1Ch], si 0x00000014 xchg bx, dx 0x00000017 push dword ptr [esp+02h] 0x0000001b jmp 00007F4481241DDCh 0x0000001d sub esp, 05h 0x00000020 call 00007F4481241E44h 0x00000025 neg cx 0x00000028 pop dword ptr [esp+20h] 0x0000002c bsf bp, bp 0x00000030 pop ebp 0x00000031 lea eax, dword ptr [esp+0000EEACh] 0x00000038 jmp 00007F4481241CEEh 0x0000003d mov dword ptr [esp+18h], edi 0x00000041 call 00007F4481241DFBh 0x00000046 clc 0x00000047 bsf ecx, ebx 0x0000004a call 00007F4481241D84h 0x0000004f std 0x00000050 xchg ah, ch 0x00000052 popad 0x00000053 jmp 00007F4481241D86h 0x00000055 pop dword ptr [esp+03h] 0x00000059 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0A41 second address: 6D0AE9 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [esp+eax] 0x00000005 push word ptr [esp+01h] 0x0000000a jmp 00007F44817E16BFh 0x0000000c xchg bp, bx 0x0000000f pop dword ptr [esp] 0x00000012 add esp, 03h 0x00000015 cld 0x00000016 mov word ptr [esp], sp 0x0000001a lea eax, dword ptr [00000000h+edi*4] 0x00000021 jmp 00007F44817E1655h 0x00000023 mov byte ptr [esp], cl 0x00000026 mov ebx, dword ptr [esp] 0x00000029 btc si, cx 0x0000002d xchg ch, bh 0x0000002f sub esp, 01h 0x00000032 jmp 00007F44817E1715h 0x00000037 sub esp, 1Eh 0x0000003a call 00007F44817E163Eh 0x0000003f sub esp, 1Ah 0x00000042 popad 0x00000043 neg esi 0x00000045 std 0x00000046 bts dx, sp 0x0000004a jmp 00007F44817E165Fh 0x0000004c lea edi, dword ptr [00000000h+esi*4] 0x00000053 xchg word ptr [esp+07h], cx 0x00000058 setl ah 0x0000005b jmp 00007F44817E16AAh 0x0000005d push dx 0x0000005f mov dx, 63C0h 0x00000063 mov ebp, dword ptr [esp+17h] 0x00000067 not dl 0x00000069 sub esp, 05h 0x0000006c xchg word ptr [esp+16h], si 0x00000071 jmp 00007F44817E1656h 0x00000073 btc eax, esi 0x00000076 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0BB7 second address: 6D0BB9 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0BB9 second address: 6D0BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E165Fh 0x00000004 mov dword ptr [esp], eax 0x00000007 cmc 0x00000008 pushad 0x00000009 push word ptr [esp+03h] 0x0000000e mov bp, word ptr [esp+1Fh] 0x00000013 jmp 00007F44817E16D4h 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0CE6 second address: 6D0D0E instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241E23h 0x00000007 lea edx, dword ptr [00000000h+edx*4] 0x0000000e mov ecx, esp 0x00000010 jmp 00007F4481241D50h 0x00000012 pop edx 0x00000013 xchg word ptr [esp+04h], cx 0x00000018 cpuid 0x0000001a xchg word ptr [esp], bx 0x0000001e push word ptr [esp+13h] 0x00000023 add esp, 0Fh 0x00000026 jmp 00007F4481241D76h 0x00000028 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D0D0E second address: 6D0D93 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 sub esp, 06h 0x00000007 push word ptr [esp+06h] 0x0000000c jmp 00007F44817E16B6h 0x0000000e sbb edx, 4C9FCF64h 0x00000014 mov bh, dh 0x00000016 mov eax, dword ptr [esp+03h] 0x0000001a lea eax, dword ptr [esp+edx] 0x0000001d xchg byte ptr [esp+07h], dh 0x00000021 jmp 00007F44817E1657h 0x00000023 lea esp, dword ptr [esp] 0x00000026 pop ax 0x00000028 pop si 0x0000002a mov bx, CC7Ch 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 jmp 00007F44817E16E9h 0x00000034 lea esp, dword ptr [esp] 0x00000037 mov di, bp 0x0000003a rcl ebx, 17h 0x0000003d neg al 0x0000003f lea edi, dword ptr [00000000h+esi*4] 0x00000046 ror ebx, cl 0x00000048 jmp 00007F44817E1646h 0x0000004a add esi, esp 0x0000004c cld 0x0000004d mov dh, byte ptr [esp+07h] 0x00000051 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D102C second address: 6D1047 instructions: 0x00000000 rdtsc 0x00000002 mov dl, 2Eh 0x00000004 pop edx 0x00000005 pushad 0x00000006 pop cx 0x00000008 push dword ptr [esp+10h] 0x0000000c jmp 00007F4481241D6Fh 0x0000000e lea edx, dword ptr [edx+ebp] 0x00000011 and ch, FFFFFFCCh 0x00000014 mov eax, esi 0x00000016 xchg ecx, esi 0x00000018 dec di 0x0000001a sbb ax, 0000B5A1h 0x0000001e jmp 00007F4481241D7Ah 0x00000020 mov byte ptr [esp+14h], dh 0x00000024 add esp, 26h 0x00000027 not ebp 0x00000029 pop word ptr [esp] 0x0000002d mov bl, 13h 0x0000002f jmp 00007F4481241DDAh 0x00000031 mov ebp, 9AAF724Ch 0x00000036 btr bp, si 0x0000003a pop bp 0x0000003c bswap ebp 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6D12E9 second address: 6D11B5 instructions: 0x00000000 rdtsc 0x00000002 xchg word ptr [esp+0Bh], cx 0x00000007 setbe dl 0x0000000a xchg byte ptr [esp+04h], dl 0x0000000e jmp 00007F44817E1627h 0x00000010 pop dword ptr [esp] 0x00000013 dec edx 0x00000014 add esp, 05h 0x00000017 mov bp, ax 0x0000001a mov cl, 88h 0x0000001c mov edx, dword ptr [esp+03h] 0x00000020 jmp 00007F44817E1603h 0x00000022 push word ptr [esp+01h] 0x00000027 dec cl 0x00000029 lea esp, dword ptr [esp+04h] 0x0000002d bsf edi, ebx 0x00000030 push word ptr [esp+02h] 0x00000035 pop ebx 0x00000036 jmp 00007F44817E1606h 0x00000038 lea edi, dword ptr [00000000h+ebx*4] 0x0000003f not ebp 0x00000041 xchg bh, cl 0x00000043 pop bp 0x00000045 mov bx, BEE2h 0x00000049 mov ax, 565Ah 0x0000004d jmp 00007F44817E1655h 0x0000004f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5EFC12 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 jmp 00007F4481241E09h 0x00000008 mov esi, dword ptr [esp+34h] 0x0000000c mov ch, dl 0x0000000e call 00007F4481241D7Dh 0x00000013 mov ah, bh 0x00000015 mov ch, dl 0x00000017 jmp 00007F4481241DDAh 0x00000019 lea ebp, dword ptr [esp+0Ch] 0x0000001d lea edi, dword ptr [ecx+esi] 0x00000020 mov bl, DCh 0x00000022 not ax 0x00000025 sub esp, 000000B4h 0x0000002b jmp 00007F4481241D56h 0x0000002d mov edi, esp 0x0000002f call 00007F4481241DC0h 0x00000034 mov word ptr [esp], bx 0x00000038 lea edx, dword ptr [00000000h+ebx*4] 0x0000003f mov ecx, esi 0x00000041 jmp 00007F4481241DBDh 0x00000043 mov dx, F2EDh 0x00000047 neg ebx 0x00000049 jc 00007F4481241E1Dh 0x0000004b lea ebx, dword ptr [00000000h+ebp*4] 0x00000052 mov ax, 8AE6h 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5EFD44 second address: 5EFD82 instructions: 0x00000000 rdtsc 0x00000002 mov bl, byte ptr [esp] 0x00000005 push sp 0x00000007 mov word ptr [esp], bp 0x0000000b mov ah, dh 0x0000000d push word ptr [esp] 0x00000011 jc 00007F44817E1646h 0x00000013 jmp 00007F44817E166Ah 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 add esi, 565B2E4Fh 0x0000001f mov bx, ax 0x00000022 inc eax 0x00000023 jmp 00007F44817E16DCh 0x00000025 jp 00007F44817E162Eh 0x00000027 bsf edx, ebx 0x0000002a lea eax, dword ptr [ebp-0000FDAEh] 0x00000030 pushad 0x00000031 jmp 00007F44817E16D5h 0x00000033 lea esp, dword ptr [esp+20h] 0x00000037 not esi 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5EFD82 second address: 5EFE06 instructions: 0x00000000 rdtsc 0x00000002 mov bl, CBh 0x00000004 xchg ebx, edx 0x00000006 jmp 00007F4481241E10h 0x00000008 mov eax, ecx 0x0000000a mov ax, word ptr [esp] 0x0000000e bt bx, ax 0x00000012 jc 00007F4481241D28h 0x00000014 mov eax, ecx 0x00000016 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F0912 second address: 5F0EEB instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+50h] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c jmp 00007F44817E16A8h 0x0000000e mov dx, cx 0x00000011 setnl dh 0x00000014 setnp bl 0x00000017 jmp 00007F44817E1661h 0x00000019 cmp ebp, eax 0x0000001b call 00007F44817E1C37h 0x00000020 not dl 0x00000022 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 603B99 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push dword ptr [esp+38h] 0x00000007 retn 003Ch 0x0000000a lea eax, dword ptr [eax+edx] 0x0000000d add ebx, 2AEE4402h 0x00000013 jmp 00007F448122DF54h 0x00000018 mov ecx, esi 0x0000001a jmp 00007F4481241DBDh 0x0000001c mov dx, F2EDh 0x00000020 neg ebx 0x00000022 jc 00007F4481241E1Dh 0x00000024 lea ebx, dword ptr [00000000h+ebp*4] 0x0000002b mov ax, 8AE6h 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 603E4D second address: 5F76B3 instructions: 0x00000000 rdtsc 0x00000002 bsf ax, bx 0x00000006 jmp 00007F44817E16CBh 0x00000008 adc ax, ax 0x0000000b push dword ptr [esp+14h] 0x0000000f retn 0018h 0x00000012 pop esi 0x00000013 jmp 00007F44817D4E76h 0x00000018 mov ecx, edi 0x0000001a jmp 00007F44817E16BAh 0x0000001c mov edx, dword ptr [esp] 0x0000001f lea ebx, dword ptr [esp+000076EAh] 0x00000026 lea eax, dword ptr [esp+edx] 0x00000029 call 00007F44817E165Dh 0x0000002e mov dx, word ptr [esp+02h] 0x00000033 add esp, 00000000h 0x00000036 jl 00007F44817E2AFAh 0x0000003c jnl 00007F44817E1778h 0x00000042 push word ptr [esp+02h] 0x00000047 mov bh, cl 0x00000049 lea edx, dword ptr [00000000h+esi*4] 0x00000050 jmp 00007F44817E15F2h 0x00000055 bsr ebx, ebp 0x00000058 bts ax, dx 0x0000005c jmp 00007F44817E17F1h 0x00000061 neg ah 0x00000063 lea esp, dword ptr [esp+02h] 0x00000067 jmp 00007F44817E14DAh 0x0000006c rol edi, 00000000h 0x0000006f stc 0x00000070 jnl 00007F44817E1666h 0x00000072 pushad 0x00000073 jmp 00007F44817E1686h 0x00000075 sub esp, 06h 0x00000078 lea ebx, dword ptr [00000000h+edi*4] 0x0000007f lea esp, dword ptr [esp+02h] 0x00000083 jmp 00007F44817E16C4h 0x00000085 lea esp, dword ptr [esp+28h] 0x00000089 dec edi 0x0000008a lea eax, dword ptr [00000000h+ebx*4] 0x00000091 push eax 0x00000092 mov dx, cx 0x00000095 jmp 00007F44817E1645h 0x00000097 mov word ptr [esp+01h], dx 0x0000009c not al 0x0000009e lea esp, dword ptr [esp+04h] 0x000000a2 add edi, 507E8820h 0x000000a8 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F76B3 second address: 5F7759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE0h 0x00000004 mov edx, dword ptr [esp] 0x00000007 setnb al 0x0000000a bswap edx 0x0000000c rcl dl, cl 0x0000000e jp 00007F4481241D58h 0x00000010 not dl 0x00000012 sub esp, 10h 0x00000015 jmp 00007F4481241E25h 0x0000001a lea esp, dword ptr [esp+10h] 0x0000001e xor edi, 77D48258h 0x00000024 bsf ax, si 0x00000028 jnl 00007F4481241D7Ah 0x0000002a sub esp, 03h 0x0000002d mov ebx, edx 0x0000002f setne bh 0x00000032 xchg bh, dl 0x00000034 lea esp, dword ptr [esp+03h] 0x00000038 jmp 00007F4481241DBCh 0x0000003a xor edi, 60BA760Eh 0x00000040 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F7759 second address: 5F7785 instructions: 0x00000000 rdtsc 0x00000002 btc ax, bx 0x00000006 jmp 00007F44817E16BCh 0x00000008 jno 00007F44817E164Ah 0x0000000a rcl al, cl 0x0000000c add edi, dword ptr [ebp+00h] 0x0000000f mov ax, word ptr [esp] 0x00000013 jmp 00007F44817E1697h 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 601B40 second address: 601B44 instructions: 0x00000000 rdtsc 0x00000002 mov dh, B2h 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 604FB2 second address: 5F4C8A instructions: 0x00000000 rdtsc 0x00000002 mov bx, word ptr [esp] 0x00000006 mov ecx, 84CCED5Ah 0x0000000b jmp 00007F44817E163Fh 0x0000000d mov edx, ebp 0x0000000f pop ebx 0x00000010 jmp 00007F44817D1318h 0x00000015 mov ebx, edi 0x00000017 mov ax, word ptr [esp] 0x0000001b xchg eax, edx 0x0000001c mov dl, 3Ah 0x0000001e jmp 00007F44817E165Dh 0x00000020 lea eax, dword ptr [edx+edx] 0x00000023 lea edx, dword ptr [ebx-6DA261F9h] 0x00000029 mov dx, bx 0x0000002c sub esp, 14h 0x0000002f jmp 00007F44817E1696h 0x00000031 jo 00007F44817E1696h 0x00000033 mov edx, dword ptr [esp+05h] 0x00000037 pop dx 0x00000039 jmp 00007F44817E1792h 0x0000003e mov dh, 8Ch 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 jmp 00007F44817E1582h 0x00000049 lea esp, dword ptr [esp+10h] 0x0000004d sub edi, 128A0F11h 0x00000053 jmp 00007F44817E1709h 0x00000058 rcr cx, 0005h 0x0000005c jp 00007F44817E162Dh 0x0000005e shl al, 1 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F4C8A second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D86h 0x00000004 mov cx, EB63h 0x00000008 jmp 00007F4481241DCEh 0x0000000a ror edi, 00000000h 0x0000000d stc 0x0000000e jle 00007F4481241D86h 0x00000010 lea edx, dword ptr [eax+ecx] 0x00000013 jmp 00007F4481241DF0h 0x00000015 xchg edx, ecx 0x00000017 mov al, byte ptr [esp] 0x0000001a mov dx, word ptr [esp] 0x0000001e jmp 00007F4481241D81h 0x00000020 mov edx, 96F70AFFh 0x00000025 jmp 00007F4481241D75h 0x00000027 add edi, 4B2345C8h 0x0000002d mov ecx, dword ptr [esp] 0x00000030 mov ecx, edx 0x00000032 lea edx, dword ptr [ecx+ebp] 0x00000035 jmp 00007F4481241DEFh 0x00000037 xchg dl, dh 0x00000039 xchg ecx, edx 0x0000003b ror edi, 00000000h 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F6D40 second address: 5F6D45 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+ebp] 0x00000005 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60139C second address: 6014E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D5Eh 0x00000004 sub ebp, 04h 0x00000007 mov dx, sp 0x0000000a add al, C5h 0x0000000c jnle 00007F4481241DF2h 0x0000000e mov eax, esp 0x00000010 jmp 00007F4481241D88h 0x00000012 mov ax, di 0x00000015 jmp 00007F4481241DB7h 0x00000017 mov edx, edi 0x00000019 mov ecx, dword ptr [edx] 0x0000001b mov dh, cl 0x0000001d rcr edx, cl 0x0000001f jmp 00007F44812420C7h 0x00000024 jp 00007F4481241F86h 0x0000002a mov edx, F267AC06h 0x0000002f setnp dl 0x00000032 jmp 00007F4481241B8Ah 0x00000037 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6023D2 second address: 601A3F instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 jmp 00007F44817E0DB0h 0x00000009 add ebp, 04h 0x0000000c lea edx, dword ptr [00000000h+ebp*4] 0x00000013 not ax 0x00000016 push esi 0x00000017 jmp 00007F44817E15C1h 0x0000001c not ah 0x0000001e bsr cx, bx 0x00000022 jnl 00007F44817E1659h 0x00000024 mov si, bx 0x00000027 jmp 00007F44817E1667h 0x00000029 push ebx 0x0000002a mov cx, A66Fh 0x0000002e mov edx, 7C18FE6Fh 0x00000033 mov ah, 72h 0x00000035 xchg eax, ecx 0x00000036 jmp 00007F44817E168Eh 0x00000038 push edi 0x00000039 not bh 0x0000003b sets dh 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 603DFC second address: 603EE8 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [eax+ebx] 0x00000005 jmp 00007F4481241E25h 0x0000000a bsr edx, edx 0x0000000d jo 00007F4481241DEBh 0x0000000f jno 00007F4481241DE9h 0x00000011 mov edi, dword ptr [ebp+00h] 0x00000014 clc 0x00000015 jnc 00007F4481241D70h 0x00000017 jmp 00007F4481241DB6h 0x00000019 xchg ax, dx 0x0000001b jmp 00007F4481241DC2h 0x0000001d add ebp, 04h 0x00000020 mov ah, byte ptr [esp] 0x00000023 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60571F second address: 60581E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, byte ptr [esp+17h] 0x00000007 jmp 00007F44817E169Dh 0x00000009 not eax 0x0000000b jmp 00007F44817E1663h 0x0000000d push edi 0x0000000e xchg ebp, edi 0x00000010 mov bx, F68Fh 0x00000014 neg al 0x00000016 jp 00007F44817E16ADh 0x00000018 jnp 00007F44817E16EBh 0x0000001a jmp 00007F44817E1645h 0x0000001c push esi 0x0000001d mov ecx, esi 0x0000001f mov dh, byte ptr [esp] 0x00000022 pushfd 0x00000023 lea ecx, dword ptr [00000000h+ebp*4] 0x0000002a xchg dl, dh 0x0000002c jmp 00007F44817E16ADh 0x0000002e bsf bp, sp 0x00000032 jnp 00007F44817E16A6h 0x00000034 add esp, 04h 0x00000037 jns 00007F44817E17DAh 0x0000003d jmp 00007F44817E1648h 0x0000003f pop ebp 0x00000040 mov di, word ptr [esp] 0x00000044 pushad 0x00000045 cpuid 0x00000047 mov word ptr [esp+0Eh], bp 0x0000004c jmp 00007F44817E1606h 0x0000004e add esp, 20h 0x00000051 jnp 00007F44817E163Fh 0x00000053 pop esi 0x00000054 mov ebx, esi 0x00000056 xchg edi, eax 0x00000058 jmp 00007F44817E164Fh 0x0000005a bsr ax, cx 0x0000005e jo 00007F44817E1692h 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 604FCA second address: 6050CF instructions: 0x00000000 rdtsc 0x00000002 not edx 0x00000004 jmp 00007F4481241DCFh 0x00000006 push esi 0x00000007 bsr eax, esp 0x0000000a jo 00007F4481241DF5h 0x0000000c mov cl, D6h 0x0000000e mov ecx, dword ptr [esp] 0x00000011 dec esi 0x00000012 jmp 00007F4481241DC7h 0x00000014 push ebx 0x00000015 call 00007F4481241E34h 0x0000001a mov ax, 7417h 0x0000001e bswap edx 0x00000020 bt ecx, edx 0x00000023 pushfd 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6050CF second address: 60503E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A7h 0x00000004 xchg dword ptr [esp+04h], ecx 0x00000008 mov dx, si 0x0000000b mov ebx, esp 0x0000000d not bh 0x0000000f call 00007F44817E165Fh 0x00000014 lea ecx, dword ptr [ecx+01h] 0x00000017 mov ah, byte ptr [esp] 0x0000001a jmp 00007F44817E16B9h 0x0000001c lea esi, dword ptr [00000000h+esi*4] 0x00000023 lea esi, dword ptr [eax+ebp] 0x00000026 btr ax, sp 0x0000002a mov bx, 430Fh 0x0000002e xchg dword ptr [esp+08h], ecx 0x00000032 neg dl 0x00000034 jmp 00007F44817E164Fh 0x00000036 sub esp, 1Ah 0x00000039 lea esp, dword ptr [esp+11h] 0x0000003d pop dword ptr [esp] 0x00000040 xor ebx, 69AE8573h 0x00000046 jmp 00007F44817E1710h 0x0000004b lea esp, dword ptr [esp+01h] 0x0000004f push dword ptr [esp+0Ch] 0x00000053 retn 0010h 0x00000056 stc 0x00000057 ja 00007F44817E17C0h 0x0000005d rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60503E second address: 60518E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241EC2h 0x00000007 mov cx, 032Ah 0x0000000b sub cx, bx 0x0000000e jmp 00007F4481241DB8h 0x00000010 push ebp 0x00000011 lea eax, dword ptr [ecx+edx] 0x00000014 jmp 00007F4481241DA6h 0x00000016 mov eax, dword ptr [esp] 0x00000019 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60518E second address: 6051B3 instructions: 0x00000000 rdtsc 0x00000002 mov dx, E701h 0x00000006 mov cx, dx 0x00000009 xchg ebx, ebp 0x0000000b xchg dl, ah 0x0000000d jmp 00007F44817E1698h 0x0000000f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 5F4CDF second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 mov cx, EB63h 0x00000006 jmp 00007F4481241D5Fh 0x00000008 ror edi, 00000000h 0x0000000b stc 0x0000000c jle 00007F4481241D86h 0x0000000e lea edx, dword ptr [eax+ecx] 0x00000011 jmp 00007F4481241DF0h 0x00000013 xchg edx, ecx 0x00000015 mov al, byte ptr [esp] 0x00000018 mov dx, word ptr [esp] 0x0000001c jmp 00007F4481241D81h 0x0000001e mov edx, 96F70AFFh 0x00000023 jmp 00007F4481241D75h 0x00000025 add edi, 4B2345C8h 0x0000002b mov ecx, dword ptr [esp] 0x0000002e mov ecx, edx 0x00000030 lea edx, dword ptr [ecx+ebp] 0x00000033 jmp 00007F4481241DEFh 0x00000035 xchg dl, dh 0x00000037 xchg ecx, edx 0x00000039 ror edi, 00000000h 0x0000003c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 604854 second address: 604865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16DDh 0x00000004 mov ecx, dword ptr [ebp+00h] 0x00000007 mov edx, esp 0x00000009 seto al 0x0000000c setb dh 0x0000000f jmp 00007F44817E161Ah 0x00000011 add dword ptr [ebp+04h], ecx 0x00000014 xchg ah, dh 0x00000016 mov dl, byte ptr [esp] 0x00000019 mov eax, DB213984h 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 6047C6 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [esi-000000EAh] 0x00000008 jmp 00007F4481241D6Bh 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F4481241E45h 0x00000015 jns 00007F4481241D2Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F4481241DBCh 0x00000027 jp 00007F4481241DBAh 0x00000029 pop ebx 0x0000002a jmp 00007F4481241DBDh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F4481241DECh 0x00000039 jbe 00007F4481241D5Ah 0x0000003b pop esi 0x0000003c jmp 00007F448123218Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F4481241D7Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F4481241DB6h 0x0000005d jo 00007F4481241DB6h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F4481241EB2h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F4481241CA2h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F4481241E29h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F4481241D4Dh 0x0000008a shl al, 1 0x0000008c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60C3F9 second address: 60B418 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 04h 0x00000005 pushfd 0x00000006 pop dx 0x00000008 jmp 00007F44817E1650h 0x0000000a mov eax, dword ptr [esp] 0x0000000d lea esp, dword ptr [esp+02h] 0x00000011 mov dword ptr [ebp+00h], ebx 0x00000014 lea eax, dword ptr [00000000h+eax*4] 0x0000001b inc dh 0x0000001d jmp 00007F44817E16B5h 0x0000001f jo 00007F44817E1622h 0x00000021 mov ah, byte ptr [esp] 0x00000024 call 00007F44817E1665h 0x00000029 xor ax, sp 0x0000002c lea eax, dword ptr [esi-000000F8h] 0x00000032 push ax 0x00000034 jmp 00007F44817E1696h 0x00000036 mov edx, B2EBA21Ah 0x0000003b dec edx 0x0000003c lea esp, dword ptr [esp+02h] 0x00000040 xchg dword ptr [esp], ecx 0x00000043 mov dl, BBh 0x00000045 rcl dl, 1 0x00000047 jmp 00007F44817E16B3h 0x00000049 lea edx, dword ptr [00000000h+ebp*4] 0x00000050 push esp 0x00000051 xchg dh, dl 0x00000053 lea ecx, dword ptr [ecx-0000104Ah] 0x00000059 mov ax, word ptr [esp] 0x0000005d bt dx, ax 0x00000061 jmp 00007F44817E1652h 0x00000063 rcr ax, cl 0x00000066 rcr ah, cl 0x00000068 xchg dword ptr [esp+04h], ecx 0x0000006c inc dx 0x0000006e jmp 00007F44817E1B33h 0x00000073 lea edx, dword ptr [edi+0000008Eh] 0x00000079 push ax 0x0000007b lea esp, dword ptr [esp] 0x0000007e mov word ptr [esp], ax 0x00000082 lea esp, dword ptr [esp+02h] 0x00000086 push dword ptr [esp+04h] 0x0000008a retn 0008h 0x0000008d mov ax, word ptr [esp] 0x00000091 bsr ebx, edx 0x00000094 jp 00007F44817E1663h 0x00000096 btc ax, cx 0x0000009a jmp 00007F44817E16B2h 0x0000009c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60B12B second address: 60B154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE4h 0x00000004 lea esp, dword ptr [esp+02h] 0x00000008 xchg dword ptr [esp+04h], ebp 0x0000000c mov ah, byte ptr [esp] 0x0000000f mov dh, 8Eh 0x00000011 xchg edx, eax 0x00000013 lea ebp, dword ptr [ebp+5Dh] 0x00000016 jmp 00007F4481241D71h 0x00000018 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60B154 second address: 60B187 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 call 00007F44817E16C2h 0x0000000a sub esp, 11h 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 xchg dword ptr [esp+18h], ebp 0x00000015 add al, 3Ah 0x00000017 jmp 00007F44817E165Dh 0x00000019 neg edx 0x0000001b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60B187 second address: 60B244 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 call 00007F4481241DC0h 0x00000008 push dword ptr [esp+1Ch] 0x0000000c retn 0020h 0x0000000f bts edx, ebp 0x00000012 sub esp, 1Bh 0x00000015 jmp 00007F4481241EE5h 0x0000001a xchg byte ptr [esp+0Bh], dh 0x0000001e xchg dl, al 0x00000020 ror bl, 00000000h 0x00000023 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 60B244 second address: 60B1DE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ebx+edi] 0x00000005 jmp 00007F44817E163Dh 0x00000007 clc 0x00000008 jnbe 00007F44817E1662h 0x0000000a lea eax, dword ptr [00000000h+edi*4] 0x00000011 rol bl, 00000000h 0x00000014 jmp 00007F44817E1660h 0x00000016 sub dh, ah 0x00000018 js 00007F44817E16BDh 0x0000001a btr ax, si 0x0000001e mov dl, byte ptr [esp] 0x00000021 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 603F07 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 bts dx, dx 0x00000006 xchg dword ptr [esp], edi 0x00000009 mov eax, esp 0x0000000b mov eax, edx 0x0000000d btc dx, di 0x00000011 jmp 00007F4481241B5Fh 0x00000016 mov ax, E5E4h 0x0000001a push dword ptr [esp] 0x0000001d retn 0004h 0x00000020 mov ebx, edi 0x00000022 mov ax, word ptr [esp] 0x00000026 xchg eax, edx 0x00000027 mov dl, 3Ah 0x00000029 jmp 00007F4481241D7Dh 0x0000002b lea eax, dword ptr [edx+edx] 0x0000002e lea edx, dword ptr [ebx-6DA261F9h] 0x00000034 mov dx, bx 0x00000037 sub esp, 14h 0x0000003a jmp 00007F4481241DB6h 0x0000003c jo 00007F4481241DB6h 0x0000003e mov edx, dword ptr [esp+05h] 0x00000042 pop dx 0x00000044 jmp 00007F4481241EB2h 0x00000049 mov dh, 8Ch 0x0000004b lea esp, dword ptr [esp+02h] 0x0000004f jmp 00007F4481241CA2h 0x00000054 lea esp, dword ptr [esp+10h] 0x00000058 sub edi, 128A0F11h 0x0000005e jmp 00007F4481241E29h 0x00000063 rcr cx, 0005h 0x00000067 jp 00007F4481241D4Dh 0x00000069 shl al, 1 0x0000006b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 607D80 second address: 607B82 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 call 00007F44817E148Dh 0x0000000a setne dh 0x0000000d mov ecx, ebp 0x0000000f mov dh, 9Bh 0x00000011 mov dl, 24h 0x00000013 bswap edx 0x00000015 jmp 00007F44817E165Fh 0x00000017 xchg dword ptr [esp], ebx 0x0000001a lea ecx, dword ptr [edi+41h] 0x0000001d rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe | RDTSC instruction interceptor: First address: 607B82 second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 mov edx, F46DAA9Dh 0x00000007 inc ch 0x00000009 jmp 00007F4481241DB4h 0x0000000b lea ebx, dword ptr [ebx-000001C5h] 0x00000011 mov dx, 50EEh 0x00000015 bsr cx, di 0x00000019 call 00007F4481241E16h 0x0000001e stc 0x0000001f pop word ptr [esp] 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F4481241D65h 0x00000029 xchg dword ptr [esp], ebx 0x0000002c xchg cl, dh 0x0000002e xchg cx, dx 0x00000031 mov cx, word ptr [esp] 0x00000035 push dword ptr [esp] 0x00000038 retn 0004h 0x0000003b sub ebp, 02h 0x0000003e jmp 00007F4481241DA6h 0x00000040 neg dl 0x00000042 jo 00007F4481241DD3h 0x00000044 mov eax, ecx 0x00000046 xchg edx, eax 0x00000048 mov dh, 4Fh 0x0000004a jmp 00007F4481241F01h 0x0000004f mov cl, byte ptr [edi] 0x00000051 not dl 0x00000053 bswap edx 0x00000055 setb dl 0x00000058 neg ah 0x0000005a jmp 00007F4481241CA0h 0x0000005f jng 00007F4481241E3Bh 0x00000065 pushfd 0x00000066 mov al, byte ptr [esp+03h] 0x0000006a xchg word ptr [esp], ax 0x0000006e btc ax, dx 0x00000072 pop eax 0x00000073 sub esp, 0Bh 0x00000076 jmp 00007F4481241D24h 0x00000078 push dword ptr [esp+06h] 0x0000007c jnp 00007F4481241D79h 0x0000007e dec dx 0x00000080 lea esp, dword ptr [esp+03h] 0x00000084 jmp 00007F4481241D7Dh 0x00000086 sub cl, bl 0x00000088 xchg eax, edx 0x00000089 mov al, 17h 0x0000008b rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 60476F second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A2h 0x00000004 lea esi, dword ptr [esi-000000EAh] 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F44817E1725h 0x00000015 jns 00007F44817E160Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F44817E169Ch 0x00000027 jp 00007F44817E169Ah 0x00000029 pop ebx 0x0000002a jmp 00007F44817E169Dh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F44817E16CCh 0x00000039 jbe 00007F44817E163Ah 0x0000003b pop esi 0x0000003c jmp 00007F44817D1A6Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F44817E165Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F44817E1696h 0x0000005d jo 00007F44817E1696h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F44817E1792h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F44817E1582h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F44817E1709h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F44817E162Dh 0x0000008a shl al, 1 0x0000008c rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 610C59 second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DFAh 0x00000004 mov dh, dl 0x00000006 jmp 00007F448123A8A9h 0x0000000b mov eax, 0B0F4634h 0x00000010 jmp 00007F4481241D36h 0x00000012 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 607B5F second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 jmp 00007F44817E16E1h 0x00000007 sub ebp, 02h 0x0000000a jmp 00007F44817E1686h 0x0000000c neg dl 0x0000000e jo 00007F44817E16B3h 0x00000010 mov eax, ecx 0x00000012 xchg edx, eax 0x00000014 mov dh, 4Fh 0x00000016 jmp 00007F44817E17E1h 0x0000001b mov cl, byte ptr [edi] 0x0000001d not dl 0x0000001f bswap edx 0x00000021 setb dl 0x00000024 neg ah 0x00000026 jmp 00007F44817E1580h 0x0000002b jng 00007F44817E171Bh 0x00000031 pushfd 0x00000032 mov al, byte ptr [esp+03h] 0x00000036 xchg word ptr [esp], ax 0x0000003a btc ax, dx 0x0000003e pop eax 0x0000003f sub esp, 0Bh 0x00000042 jmp 00007F44817E1604h 0x00000044 push dword ptr [esp+06h] 0x00000048 jnp 00007F44817E1659h 0x0000004a dec dx 0x0000004c lea esp, dword ptr [esp+03h] 0x00000050 jmp 00007F44817E165Dh 0x00000052 sub cl, bl 0x00000054 xchg eax, edx 0x00000055 mov al, 17h 0x00000057 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 5F4B9A second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea ebp, dword ptr [esp] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c mov bx, B92Bh 0x00000010 setnl dh 0x00000013 jmp 00007F4481241D77h 0x00000015 mov si, ax 0x00000018 jmp 00007F4481241DC8h 0x0000001a sub esp, 000000C0h 0x00000020 jmp 00007F4481241DD7h 0x00000022 mov esi, esp 0x00000024 sub eax, 56CA30D9h 0x00000029 jne 00007F4481241D83h 0x0000002b mov bx, di 0x0000002e jmp 00007F4481241DDBh 0x00000030 lea ebx, dword ptr [ebx-3Bh] 0x00000033 mov ebx, edi 0x00000035 mov ax, word ptr [esp] 0x00000039 xchg eax, edx 0x0000003a mov dl, 3Ah 0x0000003c jmp 00007F4481241D7Dh 0x0000003e lea eax, dword ptr [edx+edx] 0x00000041 lea edx, dword ptr [ebx-6DA261F9h] 0x00000047 mov dx, bx 0x0000004a sub esp, 14h 0x0000004d jmp 00007F4481241DB6h 0x0000004f jo 00007F4481241DB6h 0x00000051 mov edx, dword ptr [esp+05h] 0x00000055 pop dx 0x00000057 jmp 00007F4481241EB2h 0x0000005c mov dh, 8Ch 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 jmp 00007F4481241CA2h 0x00000067 lea esp, dword ptr [esp+10h] 0x0000006b sub edi, 128A0F11h 0x00000071 jmp 00007F4481241E29h 0x00000076 rcr cx, 0005h 0x0000007a jp 00007F4481241D4Dh 0x0000007c shl al, 1 0x0000007e rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 6068A9 second address: 60687C instructions: 0x00000000 rdtsc 0x00000002 sub cx, bx 0x00000005 jmp 00007F44817E164Ah 0x00000007 mov dx, word ptr [esp] 0x0000000b rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 606B01 second address: 606B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB2h 0x00000004 lea esp, dword ptr [esp+03h] 0x00000008 jmp 00007F4481241DB8h 0x0000000a rol cx, 0000h 0x0000000e rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 606B35 second address: 606C59 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [00000000h+ebp*4] 0x00000009 mov eax, edx 0x0000000b jmp 00007F44817E16BDh 0x0000000d mov eax, edx 0x0000000f lea esp, dword ptr [esp+04h] 0x00000013 not cx 0x00000016 rcl ah, cl 0x00000018 jnp 00007F44817E163Ah 0x0000001a jmp 00007F44817E16A5h 0x0000001c mov dl, cl 0x0000001e cmc 0x0000001f sub edx, ebx 0x00000021 jmp 00007F44817E1658h 0x00000023 add cx, 46A5h 0x00000028 mov dl, byte ptr [esp] 0x0000002b xor edx, AB5782EBh 0x00000031 jmp 00007F44817E16FCh 0x00000033 jne 00007F44817E1643h 0x00000035 mov dh, 44h 0x00000037 mov dx, BF5Ch 0x0000003b call 00007F44817E16A1h 0x00000040 lea eax, dword ptr [ebx+ebp] 0x00000043 jmp 00007F44817E1661h 0x00000045 lea esp, dword ptr [esp+04h] 0x00000049 xor cx, EF15h 0x0000004e lea eax, dword ptr [esi-0000C2B9h] 0x00000054 mov al, ah 0x00000056 jmp 00007F44817E16ABh 0x00000058 pushfd 0x00000059 mov dl, bh 0x0000005b xchg byte ptr [esp], al 0x0000005e bsf edx, esp 0x00000061 jne 00007F44817E16B6h 0x00000063 mov dword ptr [esp], ecx 0x00000066 jmp 00007F44817E16B9h 0x00000068 lea esp, dword ptr [esp+04h] 0x0000006c inc cx 0x0000006e rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 606C59 second address: 606C5B instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 64C1E3 second address: 64C2CE instructions: 0x00000000 rdtsc 0x00000002 btr ebx, ebx 0x00000005 jno 00007F44817E16AFh 0x00000007 cmc 0x00000008 jmp 00007F44817E1669h 0x0000000a mov ebx, 1F08C55Dh 0x0000000f jmp 00007F44817E1694h 0x00000011 sub ebp, 08h 0x00000014 setns bl 0x00000017 sub esp, 1Ch 0x0000001a jmp 00007F44817E16CCh 0x0000001c jns 00007F44817E163Ah 0x0000001e pop dword ptr [esp+11h] 0x00000022 mov bh, byte ptr [esp+14h] 0x00000026 jmp 00007F44817E16A8h 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, E17Ah 0x0000002f mov edx, 6E64272Bh 0x00000034 sub esp, 18h 0x00000037 jmp 00007F44817E1734h 0x0000003c ja 00007F44817E1712h 0x00000042 mov edx, dword ptr [esp+0Eh] 0x00000046 mov dword ptr [ebp+04h], eax 0x00000049 mov eax, ebp 0x0000004b jmp 00007F44817E1597h 0x00000050 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 5E4613 second address: 5E47B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov byte ptr [esp+0Fh], ah 0x00000007 jmp 00007F4481241DEBh 0x00000009 sub ebp, 08h 0x0000000c call 00007F4481241D87h 0x00000011 push word ptr [esp+02h] 0x00000016 jnl 00007F4481241DD7h 0x00000018 lea esp, dword ptr [esp+02h] 0x0000001c jmp 00007F4481241D7Eh 0x0000001e mov dword ptr [ebp+00h], edx 0x00000021 lea edx, dword ptr [00000000h+ebx*4] 0x00000028 clc 0x00000029 js 00007F4481241DCDh 0x0000002b xchg dl, dh 0x0000002d jmp 00007F4481241E1Eh 0x0000002f xchg eax, ecx 0x00000030 mov dx, 7D53h 0x00000034 bswap edx 0x00000036 mov dh, dl 0x00000038 jmp 00007F4481241D7Ch 0x0000003a mov dword ptr [ebp+04h], ecx 0x0000003d lea edx, dword ptr [eax+ecx] 0x00000040 dec ecx 0x00000041 jno 00007F4481241D83h 0x00000043 mov cl, 71h 0x00000045 jmp 00007F4481241DEEh 0x00000047 jmp 00007F4481241E2Ah 0x0000004c mov ecx, dword ptr [esp] 0x0000004f bswap eax 0x00000051 lea ecx, dword ptr [esi+50h] 0x00000054 bt ax, di 0x00000058 jnp 00007F4481241D65h 0x0000005a mov ax, 5EB0h 0x0000005e rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 606615 second address: 6065B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E161Fh 0x00000004 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 60DA0E second address: 60DADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D73h 0x00000004 lea eax, dword ptr [00000000h+eax*4] 0x0000000b lea eax, dword ptr [00000000h+eax*4] 0x00000012 jmp 00007F4481241DC1h 0x00000014 ror bx, 0000h 0x00000018 mov dh, byte ptr [esp] 0x0000001b mov ax, word ptr [esp] 0x0000001f neg ax 0x00000022 jl 00007F4481242C6Fh 0x00000028 mov ax, 9EF1h 0x0000002c xchg dx, ax 0x0000002f mov dh, 93h 0x00000031 jmp 00007F4481241DEBh 0x00000033 mov dx, DA80h 0x00000037 jmp 00007F4481241E2Dh 0x0000003c inc bx 0x0000003e btc edx, edx 0x00000041 jnc 00007F4481241D63h 0x00000043 setb al 0x00000046 not dh 0x00000048 bt edx, eax 0x0000004b rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 655636 second address: 655647 instructions: 0x00000000 rdtsc 0x00000002 shr cx, cl 0x00000005 jl 00007F44817E1665h 0x00000007 jnl 00007F44817E168Ah 0x00000009 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 60F361 second address: 60F346 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebp 0x00000005 mov dx, 0278h 0x00000009 jmp 00007F4481241D79h 0x0000000b neg ax 0x0000000e rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 659584 second address: 62E2AD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+18h], ebx 0x00000006 jmp 00007F44817E1686h 0x00000008 lea esp, dword ptr [esp+04h] 0x0000000c popad 0x0000000d lea ecx, dword ptr [ecx-56ECA26Eh] 0x00000013 mov ecx, 9F0203F6h 0x00000018 lea ecx, dword ptr [esp+edi] 0x0000001b call 00007F44817E16A8h 0x00000020 jmp 00007F44817E166Ah 0x00000022 lea esp, dword ptr [esp+04h] 0x00000026 lea ecx, dword ptr [esp+74h] 0x0000002a jmp 00007F44817E1690h 0x0000002c call 00007F448178778Ch 0x00000031 jmp 00007F44817C5DEEh 0x00000036 jmp 00007F44817E1654h 0x0000003b jmp 00007F44817FE1C9h 0x00000040 push esi 0x00000041 jmp 00007F448180EFBFh 0x00000046 pushad 0x00000047 lea ebp, dword ptr [ebp+25A1C75Dh] 0x0000004d not ebx 0x0000004f rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 656379 second address: 65661E instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebx+000000B6h] 0x00000008 call 00007F4481241E3Bh 0x0000000d mov edx, dword ptr [ebp+00h] 0x00000010 neg ebx 0x00000012 jnc 00007F4481241E25h 0x00000018 lea eax, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F4481241EB7h 0x00000024 lea ebx, dword ptr [00000000h+edi*4] 0x0000002b xchg ah, al 0x0000002d jmp 00007F4481241D81h 0x0000002f add ebp, 02h 0x00000032 shl bx, cl 0x00000035 jo 00007F4481241E7Ah 0x0000003b bsf ax, si 0x0000003f jmp 00007F4481241DCEh 0x00000041 sub esp, 05h 0x00000044 cmc 0x00000045 lea esp, dword ptr [esp+01h] 0x00000049 jmp 00007F4481241DCAh 0x0000004b jmp 00007F4481241D78h 0x0000004d mov al, byte ptr [edx] 0x00000050 mov dx, cx 0x00000053 xchg dh, dl 0x00000055 bsr edx, edi 0x00000058 jns 00007F4481241DD5h 0x0000005a mov bh, byte ptr [esp] 0x0000005d mov word ptr [ebp+00h], ax 0x00000061 dec dx 0x00000063 jnbe 00007F4481241DBCh 0x00000065 rol dx, 0007h 0x00000069 call 00007F4481241DD5h 0x0000006e mov edx, dword ptr [esp] 0x00000071 shl edx, 1 0x00000073 mov bx, 859Dh 0x00000077 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 65661E second address: 656620 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 637B15 second address: 637B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB4h 0x00000004 pushfd 0x00000005 pop dword ptr [ebp+00h] 0x00000008 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 607F6E second address: 608024 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1665h 0x00000007 mov dh, ah 0x00000009 mov edx, dword ptr [esp+01h] 0x0000000d push dword ptr [esp+24h] 0x00000011 retn 0028h 0x00000014 bt edx, ecx 0x00000017 btr ax, si 0x0000001b setl dh 0x0000001e jmp 00007F44817E16F6h 0x00000020 not cl 0x00000022 not dx 0x00000025 lea edx, dword ptr [00000000h+edx*4] 0x0000002c push bx 0x0000002e bsr dx, si 0x00000032 jbe 00007F44817E15FAh 0x00000038 pop dx 0x0000003a jmp 00007F44817E169Ah 0x0000003c add cl, FFFFFFA5h 0x0000003f bts dx, sp 0x00000043 jmp 00007F44817E16A8h 0x00000045 jc 00007F44817E165Eh 0x00000047 inc dl 0x00000049 xchg dx, ax 0x0000004c mov al, byte ptr [esp] 0x0000004f clc 0x00000050 not dx 0x00000053 mov ax, si 0x00000056 jmp 00007F44817E16A9h 0x00000058 xor cl, 00000015h 0x0000005b bswap edx 0x0000005d adc ax, dx 0x00000060 jns 00007F44817E16B4h 0x00000062 js 00007F44817E169Ch 0x00000064 pushfd 0x00000065 mov dword ptr [esp], ebx 0x00000068 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 657A01 second address: 658F1B instructions: 0x00000000 rdtsc 0x00000002 rcr bh, cl 0x00000004 mov bh, byte ptr [esp] 0x00000007 xchg dword ptr [esp], edi 0x0000000a jmp 00007F44812432ADh 0x0000000f mov dl, byte ptr [esp] 0x00000012 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 5E245C second address: 60B3EC instructions: 0x00000000 rdtsc 0x00000002 mov bx, 4BB0h 0x00000006 mov bx, si 0x00000009 btr bx, dx 0x0000000d jmp 00007F4481817380h 0x00000012 jnl 00007F44817AB99Fh 0x00000018 lea ebx, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F448181738Dh 0x00000024 sub ebp, 08h 0x00000027 push esp 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, word ptr [esp] 0x0000002f jmp 00007F44817E165Fh 0x00000031 or edx, esi 0x00000033 jbe 00007F44817E16CBh 0x00000035 mov edx, eax 0x00000037 sub esp, 1Ch 0x0000003a jmp 00007F44817E16ADh 0x0000003c mov dword ptr [ebp+04h], eax 0x0000003f and dl, ah 0x00000041 jnl 00007F44817E16AFh 0x00000043 bswap ebx 0x00000045 mov al, 8Eh 0x00000047 jmp 00007F44817D4892h 0x0000004c mov ax, word ptr [esp] 0x00000050 bsr ebx, edx 0x00000053 jp 00007F44817E1663h 0x00000055 btc ax, cx 0x00000059 jmp 00007F44817E16A5h 0x0000005b rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 618AF6 second address: 618B68 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp] 0x00000005 retn 0004h 0x00000008 mov ecx, dword ptr [ebp+00h] 0x0000000b lea eax, dword ptr [ebx+ebp] 0x0000000e bts dx, di 0x00000012 jmp 00007F4481241E42h 0x00000017 jle 00007F4481241DFDh 0x00000019 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 640208 second address: 64036F instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1771h 0x00000007 mov dx, word ptr [esp] 0x0000000b call 00007F44817E1666h 0x00000010 mov dl, ah 0x00000012 mov dword ptr [esp], ebx 0x00000015 xchg dword ptr [esp+04h], ebx 0x00000019 sub esp, 14h 0x0000001c jmp 00007F44817E176Fh 0x00000021 push ebx 0x00000022 mov ah, 64h 0x00000024 lea ebx, dword ptr [ebx+4Fh] 0x00000027 mov dx, ax 0x0000002a stc 0x0000002b stc 0x0000002c jmp 00007F44817E15FDh 0x00000031 pushad 0x00000032 xchg ax, dx 0x00000034 xchg dword ptr [esp+3Ch], ebx 0x00000038 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 64075D second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241D75h 0x00000007 jmp 00007F4481241E06h 0x00000009 mov al, F0h 0x0000000b mov word ptr [ebp+00h], bx 0x0000000f not eax 0x00000011 rcr bx, 000Ah 0x00000015 jns 00007F4481241D7Eh 0x00000017 jmp 00007F4481241E37h 0x0000001c bsr eax, ebx 0x0000001f sub esp, 0Fh 0x00000022 lea esp, dword ptr [esp+03h] 0x00000026 jmp 00007F448120AD3Bh 0x0000002b mov eax, 0B0F4634h 0x00000030 jmp 00007F4481241D36h 0x00000032 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 64023B second address: 640256 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov eax, 1BA171EFh 0x0000000a mov ax, A249h 0x0000000e jmp 00007F44817E16DDh 0x00000010 lea eax, dword ptr [ebx-0000BE75h] 0x00000016 xchg dword ptr [esp], eax 0x00000019 sub esp, 01h 0x0000001c setle dh 0x0000001f mov dl, 2Dh 0x00000021 mov dx, bx 0x00000024 jmp 00007F44817E1656h 0x00000026 sub esp, 0Ah 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d lea eax, dword ptr [eax+25h] 0x00000030 mov edx, esi 0x00000032 xchg dh, dl 0x00000034 xchg dh, dl 0x00000036 jmp 00007F44817E189Ah 0x0000003b lea edx, dword ptr [00000000h+eax*4] 0x00000042 mov dh, byte ptr [esp] 0x00000045 xchg dword ptr [esp+08h], eax 0x00000049 mov eax, dword ptr [esp] 0x0000004c setbe dl 0x0000004f dec dx 0x00000051 jmp 00007F44817E15C9h 0x00000056 clc 0x00000057 push dword ptr [esp+08h] 0x0000005b retn 000Ch 0x0000005e setnle al 0x00000061 xchg al, dh 0x00000063 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 641F54 second address: 641F54 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], ecx 0x00000006 jmp 00007F4481241CB1h 0x0000000b cmc 0x0000000c popad 0x0000000d cmc 0x0000000e cmc 0x0000000f shr eax, 10h 0x00000012 call 00007F4481241D83h 0x00000017 jmp 00007F4481241DF7h 0x00000019 lea esp, dword ptr [esp+14h] 0x0000001d test ax, ax 0x00000020 pushad 0x00000021 lea esp, dword ptr [esp+20h] 0x00000025 jmp 00007F4481241D75h 0x00000027 je 00007F4481241C98h 0x0000002d push sp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F4481241F24h 0x00000038 inc edx 0x00000039 inc edx 0x0000003a dec esi 0x0000003b jmp 00007F4481241D87h 0x0000003d jne 00007F4481241C58h 0x00000043 setb ah 0x00000046 jmp 00007F4481241DE7h 0x00000048 setnle al 0x0000004b mov ax, word ptr [esp] 0x0000004f movzx eax, word ptr [edx] 0x00000052 push ecx 0x00000053 stc 0x00000054 jmp 00007F4481241DCFh 0x00000056 mov byte ptr [esp+02h], cl 0x0000005a jmp 00007F4481241D86h 0x0000005c add ecx, eax 0x0000005e sub esp, 0Eh 0x00000061 mov eax, AE848F68h 0x00000066 lea esp, dword ptr [esp+02h] 0x0000006a jmp 00007F4481241EBDh 0x0000006f pushad 0x00000070 mov ebp, E723975Fh 0x00000075 lea ebp, dword ptr [ecx+edi] 0x00000078 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 6575F5 second address: 63E5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E15EBh 0x00000007 inc edi 0x00000008 setnle al 0x0000000b lea edx, dword ptr [eax+ecx] 0x0000000e mov dx, bp 0x00000011 jmp 00007F44817E16BAh 0x00000013 mov dx, word ptr [ebx+esi] 0x00000017 mov bx, word ptr [esp] 0x0000001b cmc 0x0000001c js 00007F44817E1661h 0x0000001e jns 00007F44817E16A0h 0x00000020 lea ebx, dword ptr [ebx+0000E1EEh] 0x00000026 sub ah, ah 0x00000028 jmp 00007F44817E165Ah 0x0000002a mov word ptr [ebp+00h], dx 0x0000002e mov dx, word ptr [esp] 0x00000032 call 00007F44817E1707h 0x00000037 ror edx, 02h 0x0000003a jnbe 00007F44817E164Dh 0x0000003c jbe 00007F44817E1635h 0x0000003e mov bh, al 0x00000040 jmp 00007F44817C866Dh 0x00000045 jmp 00007F44817E1669h 0x00000047 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 63DD4F second address: 63DD85 instructions: 0x00000000 rdtsc 0x00000002 btr ax, cx 0x00000006 xchg edx, eax 0x00000008 bsr dx, dx 0x0000000c lea edx, dword ptr [edx+edi] 0x0000000f push dword ptr [esp+44h] 0x00000013 retn 0048h 0x00000016 movzx ebx, byte ptr [edi] 0x00000019 jmp 00007F4481241E96h 0x0000001e lea eax, dword ptr [edx+6Ch] 0x00000021 sub esp, 06h 0x00000024 jl 00007F4481241CA9h 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e call 00007F4481241E13h 0x00000033 mov edx, dword ptr [esp] 0x00000036 mov eax, E9CADE55h 0x0000003b bt edx, edi 0x0000003e mov edx, ecx 0x00000040 inc ah 0x00000042 jmp 00007F4481241D3Ah 0x00000044 xchg dword ptr [esp], ebx 0x00000047 lea edx, dword ptr [00000000h+ebx*4] 0x0000004e not dx 0x00000051 bswap edx 0x00000053 lea eax, dword ptr [00000000h+esi*4] 0x0000005a pushad 0x0000005b jmp 00007F4481241D73h 0x0000005d lea ebx, dword ptr [ebx-0000003Dh] 0x00000063 sub esp, 1Ch 0x00000066 mov ax, 7715h 0x0000006a jmp 00007F4481241DD8h 0x0000006c pop word ptr [esp+06h] 0x00000071 lea esp, dword ptr [esp+02h] 0x00000075 xchg byte ptr [esp+0Ch], ah 0x00000079 xchg dword ptr [esp+38h], ebx 0x0000007d not ax 0x00000080 mov dx, si 0x00000083 jmp 00007F4481241D73h 0x00000085 sets dl 0x00000088 xchg ax, dx 0x0000008a push dword ptr [esp+38h] 0x0000008e retn 003Ch 0x00000091 rdtsc
            Source: C:\Windows\SysWOW64\Dtldt.exeRDTSC instruction interceptor: First address: 63E26B second address: 63E3C3 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1701h 0x00000007 lea eax, dword ptr [ecx-00006757h] 0x0000000d mov eax, 1C262CCAh 0x00000012 mov ax, word ptr [esp] 0x00000016 call 00007F44817E16B6h 0x0000001b xchg dword ptr [esp+04h], esi 0x0000001f bswap eax 0x00000021 jmp 00007F44817E1686h 0x00000023 bsr eax, ecx 0x00000026 inc ax 0x00000028 mov dx, di 0x0000002b lea esi, dword ptr [esi+00000092h] 0x00000031 shr dh, cl 0x00000033 bswap edx 0x00000035 jmp 00007F44817E16B2h 0x00000037 bswap eax 0x00000039 xchg dword ptr [esp+04h], esi 0x0000003d xchg dl, dh 0x0000003f mov dx, 17B9h 0x00000043 mov ax, cx 0x00000046 mov ah, byte ptr [esp] 0x00000049 jmp 00007F44817E1658h 0x0000004b not eax 0x0000004d push dword ptr [esp+04h] 0x00000051 retn 0008h 0x00000054 shr eax, cl 0x00000056 mov edx, dword ptr [esp] 0x00000059 xchg al, ah 0x0000005b rcr eax, cl 0x0000005d bswap edx 0x0000005f mov dx, F0D0h 0x00000063 xchg ax, dx 0x00000065 jmp 00007F44817E175Eh 0x0000006a ror bl, 00000000h 0x0000006d js 00007F44817E165Dh 0x0000006f lea edx, dword ptr [esi-7Fh] 0x00000072 jmp 00007F44817E1642h 0x00000074 lea edx, dword ptr [24CC2BE0h] 0x0000007a rdtsc
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_006C2039 rdtsc 0_2_006C2039
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-31934
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeAPI coverage: 3.5 %
            Source: C:\Windows\SysWOW64\Dtldt.exeAPI coverage: 1.9 %
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1001A4A00_2_1001A4A0
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_100090A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_10026300
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10008570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_10008740
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008340
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_100170E0 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,free,free,free,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,lstrcpyA,0_2_100170E0
            Source: Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
            Source: Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity

            Anti Debugging

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeThread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\Dtldt.exeThread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\Dtldt.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\Dtldt.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_006C2039 rdtsc 0_2_006C2039
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01401053 LdrInitializeThunk,3_2_01401053
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10014210 BlockInput,BlockInput,InterlockedExchange,BlockInput,InterlockedExchange,InterlockedExchange,0_2_10014210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10012640 sprintf,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegDeleteKeyA,RegDeleteValueA, 0_2_10012640
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120F122 mov eax, dword ptr fs:[00000030h] 3_2_0120F122
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120F122 mov ecx, dword ptr fs:[00000030h] 3_2_0120F122
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229132 mov eax, dword ptr fs:[00000030h] 3_2_01229132
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229132 mov ecx, dword ptr fs:[00000030h] 3_2_01229132
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241133 mov eax, dword ptr fs:[00000030h] 3_2_01241133
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240103 mov eax, dword ptr fs:[00000030h] 3_2_01240103
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240103 mov eax, dword ptr fs:[00000030h] 3_2_01240103
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C190 mov eax, dword ptr fs:[00000030h] 3_2_0120C190
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C190 mov eax, dword ptr fs:[00000030h] 3_2_0120C190
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ED1FE mov eax, dword ptr fs:[00000030h] 3_2_011ED1FE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ED1FE mov eax, dword ptr fs:[00000030h] 3_2_011ED1FE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01212019 mov eax, dword ptr fs:[00000030h] 3_2_01212019
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241066 mov eax, dword ptr fs:[00000030h] 3_2_01241066
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012250B6 mov eax, dword ptr fs:[00000030h] 3_2_012250B6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122309E mov ecx, dword ptr fs:[00000030h] 3_2_0122309E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D0FC mov eax, dword ptr fs:[00000030h] 3_2_0123D0FC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D0FC mov eax, dword ptr fs:[00000030h] 3_2_0123D0FC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E20C1 mov eax, dword ptr fs:[00000030h] 3_2_011E20C1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012370C4 mov eax, dword ptr fs:[00000030h] 3_2_012370C4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012370C4 mov eax, dword ptr fs:[00000030h] 3_2_012370C4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov ecx, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov ecx, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220322 mov eax, dword ptr fs:[00000030h] 3_2_01220322
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220322 mov eax, dword ptr fs:[00000030h] 3_2_01220322
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B365 mov ecx, dword ptr fs:[00000030h] 3_2_0120B365
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B365 mov eax, dword ptr fs:[00000030h] 3_2_0120B365
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01225342 mov eax, dword ptr fs:[00000030h] 3_2_01225342
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01225342 mov eax, dword ptr fs:[00000030h] 3_2_01225342
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F350 mov eax, dword ptr fs:[00000030h] 3_2_0121F350
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F350 mov eax, dword ptr fs:[00000030h] 3_2_0121F350
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D354 mov eax, dword ptr fs:[00000030h] 3_2_0123D354
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D354 mov eax, dword ptr fs:[00000030h] 3_2_0123D354
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B382 mov eax, dword ptr fs:[00000030h] 3_2_0122B382
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B382 mov ecx, dword ptr fs:[00000030h] 3_2_0122B382
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F391 mov eax, dword ptr fs:[00000030h] 3_2_0123F391
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F391 mov ecx, dword ptr fs:[00000030h] 3_2_0123F391
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012373F2 mov eax, dword ptr fs:[00000030h] 3_2_012373F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012243DE mov eax, dword ptr fs:[00000030h] 3_2_012243DE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012243DE mov eax, dword ptr fs:[00000030h] 3_2_012243DE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F202 mov eax, dword ptr fs:[00000030h] 3_2_0121F202
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F262 mov eax, dword ptr fs:[00000030h] 3_2_0121F262
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F262 mov eax, dword ptr fs:[00000030h] 3_2_0121F262
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov ecx, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DD2C9 mov eax, dword ptr fs:[00000030h] 3_2_011DD2C9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DD2C9 mov ecx, dword ptr fs:[00000030h] 3_2_011DD2C9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012202C2 mov eax, dword ptr fs:[00000030h] 3_2_012202C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01213530 mov eax, dword ptr fs:[00000030h] 3_2_01213530
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01213530 mov eax, dword ptr fs:[00000030h] 3_2_01213530
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B509 mov ecx, dword ptr fs:[00000030h] 3_2_0120B509
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B509 mov eax, dword ptr fs:[00000030h] 3_2_0120B509
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236549 mov eax, dword ptr fs:[00000030h] 3_2_01236549
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov ecx, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220422 mov eax, dword ptr fs:[00000030h] 3_2_01220422
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01237436 mov eax, dword ptr fs:[00000030h] 3_2_01237436
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01237436 mov eax, dword ptr fs:[00000030h] 3_2_01237436
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1455 mov eax, dword ptr fs:[00000030h] 3_2_011E1455
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E0449 mov eax, dword ptr fs:[00000030h] 3_2_011E0449
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122144D mov eax, dword ptr fs:[00000030h] 3_2_0122144D
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B4A2 mov eax, dword ptr fs:[00000030h] 3_2_0122B4A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012214B3 mov eax, dword ptr fs:[00000030h] 3_2_012214B3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E54A3 mov esi, dword ptr fs:[00000030h] 3_2_011E54A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012264F2 mov ecx, dword ptr fs:[00000030h] 3_2_012264F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04C8 mov eax, dword ptr fs:[00000030h] 3_2_011E04C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04C8 mov eax, dword ptr fs:[00000030h] 3_2_011E04C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F4D0 mov eax, dword ptr fs:[00000030h] 3_2_0121F4D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F4D0 mov ecx, dword ptr fs:[00000030h] 3_2_0121F4D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04E2 mov eax, dword ptr fs:[00000030h] 3_2_011E04E2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04E2 mov eax, dword ptr fs:[00000030h] 3_2_011E04E2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E574E mov eax, dword ptr fs:[00000030h] 3_2_011E574E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E574E mov ecx, dword ptr fs:[00000030h] 3_2_011E574E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01223753 mov eax, dword ptr fs:[00000030h] 3_2_01223753
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01214755 mov eax, dword ptr fs:[00000030h] 3_2_01214755
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01214755 mov eax, dword ptr fs:[00000030h] 3_2_01214755
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012077A2 mov eax, dword ptr fs:[00000030h] 3_2_012077A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012077A2 mov eax, dword ptr fs:[00000030h] 3_2_012077A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov ecx, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov eax, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov ecx, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov eax, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123E7F2 mov ecx, dword ptr fs:[00000030h] 3_2_0123E7F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012247D2 mov eax, dword ptr fs:[00000030h] 3_2_012247D2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012247D2 mov ecx, dword ptr fs:[00000030h] 3_2_012247D2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012347DB mov eax, dword ptr fs:[00000030h] 3_2_012347DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123B7DA mov eax, dword ptr fs:[00000030h] 3_2_0123B7DA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov ecx, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236623 mov eax, dword ptr fs:[00000030h] 3_2_01236623
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123B671 mov eax, dword ptr fs:[00000030h] 3_2_0123B671
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov ecx, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D6A2 mov eax, dword ptr fs:[00000030h] 3_2_0122D6A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012076AF mov eax, dword ptr fs:[00000030h] 3_2_012076AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224682 mov eax, dword ptr fs:[00000030h] 3_2_01224682
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224682 mov ecx, dword ptr fs:[00000030h] 3_2_01224682
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C689 mov eax, dword ptr fs:[00000030h] 3_2_0120C689
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C689 mov eax, dword ptr fs:[00000030h] 3_2_0120C689
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123468C mov eax, dword ptr fs:[00000030h] 3_2_0123468C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012116EE mov eax, dword ptr fs:[00000030h] 3_2_012116EE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012116EE mov eax, dword ptr fs:[00000030h] 3_2_012116EE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012366FD mov eax, dword ptr fs:[00000030h] 3_2_012366FD
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012036C0 mov eax, dword ptr fs:[00000030h] 3_2_012036C0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011EC6F2 mov ecx, dword ptr fs:[00000030h] 3_2_011EC6F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov eax, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov eax, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov ecx, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov ecx, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F6D6 mov eax, dword ptr fs:[00000030h] 3_2_0121F6D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F6D6 mov ecx, dword ptr fs:[00000030h] 3_2_0121F6D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F931 mov eax, dword ptr fs:[00000030h] 3_2_0121F931
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E6902 mov eax, dword ptr fs:[00000030h] 3_2_011E6902
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211912 mov eax, dword ptr fs:[00000030h] 3_2_01211912
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123696C mov eax, dword ptr fs:[00000030h] 3_2_0123696C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121E9AF mov eax, dword ptr fs:[00000030h] 3_2_0121E9AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121E9AF mov eax, dword ptr fs:[00000030h] 3_2_0121E9AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F9B6 mov eax, dword ptr fs:[00000030h] 3_2_0121F9B6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov eax, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov ecx, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov eax, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D9D8 mov eax, dword ptr fs:[00000030h] 3_2_0121D9D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D822 mov eax, dword ptr fs:[00000030h] 3_2_0122D822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240822 mov eax, dword ptr fs:[00000030h] 3_2_01240822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240822 mov eax, dword ptr fs:[00000030h] 3_2_01240822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F82F mov eax, dword ptr fs:[00000030h] 3_2_0123F82F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211862 mov eax, dword ptr fs:[00000030h] 3_2_01211862
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D862 mov eax, dword ptr fs:[00000030h] 3_2_0121D862
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF882 mov eax, dword ptr fs:[00000030h] 3_2_011FF882
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012368BE mov eax, dword ptr fs:[00000030h] 3_2_012368BE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012368BE mov eax, dword ptr fs:[00000030h] 3_2_012368BE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D892 mov eax, dword ptr fs:[00000030h] 3_2_0122D892
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D89C mov eax, dword ptr fs:[00000030h] 3_2_0121D89C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011EBB1D mov eax, dword ptr fs:[00000030h] 3_2_011EBB1D
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236B2A mov eax, dword ptr fs:[00000030h] 3_2_01236B2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236B2A mov eax, dword ptr fs:[00000030h] 3_2_01236B2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDB30 mov eax, dword ptr fs:[00000030h] 3_2_011DDB30
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01207B10 mov eax, dword ptr fs:[00000030h] 3_2_01207B10
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01207B10 mov eax, dword ptr fs:[00000030h] 3_2_01207B10
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DB63 mov eax, dword ptr fs:[00000030h] 3_2_0121DB63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DB63 mov eax, dword ptr fs:[00000030h] 3_2_0121DB63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123BB6A mov eax, dword ptr fs:[00000030h] 3_2_0123BB6A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123BB6A mov eax, dword ptr fs:[00000030h] 3_2_0123BB6A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240B7B mov eax, dword ptr fs:[00000030h] 3_2_01240B7B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240B7B mov eax, dword ptr fs:[00000030h] 3_2_01240B7B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01228B42 mov ecx, dword ptr fs:[00000030h] 3_2_01228B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210B42 mov eax, dword ptr fs:[00000030h] 3_2_01210B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210B42 mov eax, dword ptr fs:[00000030h] 3_2_01210B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01215B42 mov eax, dword ptr fs:[00000030h] 3_2_01215B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224BA2 mov eax, dword ptr fs:[00000030h] 3_2_01224BA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224BA2 mov ecx, dword ptr fs:[00000030h] 3_2_01224BA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238BB3 mov eax, dword ptr fs:[00000030h] 3_2_01238BB3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120EBB7 mov eax, dword ptr fs:[00000030h] 3_2_0120EBB7
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECBDC mov eax, dword ptr fs:[00000030h] 3_2_011ECBDC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122ABD8 mov eax, dword ptr fs:[00000030h] 3_2_0122ABD8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov eax, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov ecx, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov eax, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FA11 mov eax, dword ptr fs:[00000030h] 3_2_0123FA11
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FA11 mov eax, dword ptr fs:[00000030h] 3_2_0123FA11
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E4A22 mov eax, dword ptr fs:[00000030h] 3_2_011E4A22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E4A22 mov ecx, dword ptr fs:[00000030h] 3_2_011E4A22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CA71 mov eax, dword ptr fs:[00000030h] 3_2_0122CA71
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DA77 mov eax, dword ptr fs:[00000030h] 3_2_0121DA77
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DA77 mov ecx, dword ptr fs:[00000030h] 3_2_0121DA77
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224A52 mov eax, dword ptr fs:[00000030h] 3_2_01224A52
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224A52 mov ecx, dword ptr fs:[00000030h] 3_2_01224A52
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240AA5 mov eax, dword ptr fs:[00000030h] 3_2_01240AA5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240AA5 mov eax, dword ptr fs:[00000030h] 3_2_01240AA5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01219AB6 mov eax, dword ptr fs:[00000030h] 3_2_01219AB6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01219AB6 mov ecx, dword ptr fs:[00000030h] 3_2_01219AB6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FA94 mov eax, dword ptr fs:[00000030h] 3_2_0121FA94
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FA94 mov eax, dword ptr fs:[00000030h] 3_2_0121FA94
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122DAC2 mov eax, dword ptr fs:[00000030h] 3_2_0122DAC2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121ED32 mov eax, dword ptr fs:[00000030h] 3_2_0121ED32
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov ecx, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h]3_2_01210D12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121ED72 mov eax, dword ptr fs:[00000030h]3_2_0121ED72
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123DDB4 mov eax, dword ptr fs:[00000030h]3_2_0123DDB4
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h]3_2_0120CDF9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h]3_2_0120CDF9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h]3_2_0120CDF9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h]3_2_01240DF8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h]3_2_01240DF8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h]3_2_01240DF8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h]3_2_01240DF8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121EC32 mov eax, dword ptr fs:[00000030h]3_2_0121EC32
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01229C02 mov ecx, dword ptr fs:[00000030h]3_2_01229C02
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122DC02 mov eax, dword ptr fs:[00000030h]3_2_0122DC02
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123EC12 mov eax, dword ptr fs:[00000030h]3_2_0123EC12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123EC12 mov ecx, dword ptr fs:[00000030h]3_2_0123EC12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CC6F mov eax, dword ptr fs:[00000030h]3_2_0120CC6F
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CC6F mov eax, dword ptr fs:[00000030h]3_2_0120CC6F
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120CC6F mov ecx, dword ptr fs:[00000030h]3_2_0120CC6F
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01229C42 mov eax, dword ptr fs:[00000030h]3_2_01229C42
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h]3_2_011DDC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h]3_2_011DDC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h]3_2_011DDC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h]3_2_011DDC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h]3_2_0120DC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h]3_2_0120DC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h]3_2_0120DC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h]3_2_0120DC82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01233CE7 mov eax, dword ptr fs:[00000030h]3_2_01233CE7
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01233CE7 mov eax, dword ptr fs:[00000030h]3_2_01233CE7
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01229CD2 mov ecx, dword ptr fs:[00000030h]3_2_01229CD2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123CCD8 mov eax, dword ptr fs:[00000030h]3_2_0123CCD8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123CCD8 mov eax, dword ptr fs:[00000030h]3_2_0123CCD8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121FF22 mov eax, dword ptr fs:[00000030h]3_2_0121FF22
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121FF22 mov eax, dword ptr fs:[00000030h]3_2_0121FF22
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122DF3E mov eax, dword ptr fs:[00000030h]3_2_0122DF3E
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011FDF32 mov eax, dword ptr fs:[00000030h]3_2_011FDF32
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011FDF32 mov ecx, dword ptr fs:[00000030h]3_2_011FDF32
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01211F12 mov eax, dword ptr fs:[00000030h]3_2_01211F12
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01228F63 mov eax, dword ptr fs:[00000030h]3_2_01228F63
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01228F63 mov ecx, dword ptr fs:[00000030h]3_2_01228F63
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01202F62 mov eax, dword ptr fs:[00000030h]3_2_01202F62
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011ECF59 mov eax, dword ptr fs:[00000030h]3_2_011ECF59
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_011ECF59 mov eax, dword ptr fs:[00000030h]3_2_011ECF59
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123CF6B mov eax, dword ptr fs:[00000030h]3_2_0123CF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h]3_2_0122BF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h]3_2_0122BF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h]3_2_0122BF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h]3_2_0122BF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0122BF6B mov ecx, dword ptr fs:[00000030h]3_2_0122BF6B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123FF7A mov eax, dword ptr fs:[00000030h]3_2_0123FF7A
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123FF7A mov eax, dword ptr fs:[00000030h]3_2_0123FF7A
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h]3_2_01223FB4
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h]3_2_01223FB4
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h]3_2_01223FB4
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h]3_2_0120BFBA
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h]3_2_0120BFBA
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h]3_2_0120BFBA
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h]3_2_0120BFBA
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01204FE1 mov ecx, dword ptr fs:[00000030h]3_2_01204FE1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01204FE1 mov eax, dword ptr fs:[00000030h]3_2_01204FE1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01236FE5 mov eax, dword ptr fs:[00000030h]3_2_01236FE5
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01236FE5 mov eax, dword ptr fs:[00000030h]3_2_01236FE5
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121FFD2 mov eax, dword ptr fs:[00000030h]3_2_0121FFD2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0121FFD2 mov eax, dword ptr fs:[00000030h]3_2_0121FFD2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01232E79 mov eax, dword ptr fs:[00000030h]3_2_01232E79
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01232E79 mov ecx, dword ptr fs:[00000030h]3_2_01232E79
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123FE4C mov eax, dword ptr fs:[00000030h]3_2_0123FE4C
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120EEA2 mov eax, dword ptr fs:[00000030h]3_2_0120EEA2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120EEA2 mov ecx, dword ptr fs:[00000030h]3_2_0120EEA2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h]3_2_0120DEB2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h]3_2_0120DEB2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h]3_2_0120DEB2
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01227E82 mov eax, dword ptr fs:[00000030h]3_2_01227E82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01227E82 mov eax, dword ptr fs:[00000030h]3_2_01227E82
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123CE89 mov eax, dword ptr fs:[00000030h]3_2_0123CE89
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0123AE90 mov eax, dword ptr fs:[00000030h]3_2_0123AE90
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01237E96 mov eax, dword ptr fs:[00000030h]3_2_01237E96
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h]3_2_013D5163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h]3_2_013CE5D8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h]3_2_013D1DE3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0145614B mov eax, dword ptr fs:[00000030h]3_2_0145614B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0148415B mov eax, dword ptr fs:[00000030h]3_2_0148415B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0148415B mov ecx, dword ptr fs:[00000030h]3_2_0148415B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0143B163 mov eax, dword ptr fs:[00000030h]3_2_0143B163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0143B163 mov eax, dword ptr fs:[00000030h]3_2_0143B163
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013EA116 mov eax, dword ptr fs:[00000030h]3_2_013EA116
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0149317C mov eax, dword ptr fs:[00000030h]3_2_0149317C
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01465101 mov ebx, dword ptr fs:[00000030h]3_2_01465101
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01465101 mov eax, dword ptr fs:[00000030h]3_2_01465101
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01493103 mov eax, dword ptr fs:[00000030h]3_2_01493103
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0143B113 mov ecx, dword ptr fs:[00000030h]3_2_0143B113
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0143F111 mov eax, dword ptr fs:[00000030h]3_2_0143F111
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0144B123 mov eax, dword ptr fs:[00000030h]3_2_0144B123
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0144B123 mov eax, dword ptr fs:[00000030h]3_2_0144B123
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014951C3 mov eax, dword ptr fs:[00000030h]3_2_014951C3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h]3_2_014511E3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h]3_2_014511E3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h]3_2_014511E3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013BA193 mov eax, dword ptr fs:[00000030h]3_2_013BA193
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013C618C mov eax, dword ptr fs:[00000030h]3_2_013C618C
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014931F5 mov eax, dword ptr fs:[00000030h]3_2_014931F5
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013B8186 mov ecx, dword ptr fs:[00000030h]3_2_013B8186
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014561FB mov eax, dword ptr fs:[00000030h]3_2_014561FB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01440181 mov eax, dword ptr fs:[00000030h]3_2_01440181
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01444183 mov eax, dword ptr fs:[00000030h]3_2_01444183
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h]3_2_013B71EB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h]3_2_013B71EB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h]3_2_013B71EB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h]3_2_013B71EB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h]3_2_0146C1B1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013EE1C7 mov eax, dword ptr fs:[00000030h]3_2_013EE1C7
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014681BB mov ecx, dword ptr fs:[00000030h]3_2_014681BB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014681BB mov eax, dword ptr fs:[00000030h]3_2_014681BB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014681BB mov eax, dword ptr fs:[00000030h]3_2_014681BB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014681BB mov eax, dword ptr fs:[00000030h]3_2_014681BB
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0147E1B8 mov eax, dword ptr fs:[00000030h]3_2_0147E1B8
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h]3_2_013D0035
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013BE033 mov edi, dword ptr fs:[00000030h]3_2_013BE033
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0140005B mov eax, dword ptr fs:[00000030h]3_2_0140005B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01492063 mov eax, dword ptr fs:[00000030h]3_2_01492063
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0144207A mov eax, dword ptr fs:[00000030h]3_2_0144207A
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_0149300B mov eax, dword ptr fs:[00000030h]3_2_0149300B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h]3_2_013F0070
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h]3_2_013F0070
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h]3_2_013F0070
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013C106B mov eax, dword ptr fs:[00000030h]3_2_013C106B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013C106B mov eax, dword ptr fs:[00000030h]3_2_013C106B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013C106B mov eax, dword ptr fs:[00000030h]3_2_013C106B
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013FA053 mov eax, dword ptr fs:[00000030h]3_2_013FA053
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01462033 mov eax, dword ptr fs:[00000030h]3_2_01462033
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_01462033 mov eax, dword ptr fs:[00000030h]3_2_01462033
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h]3_2_013DC0B9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h]3_2_013DC0B9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h]3_2_013DC0B9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h]3_2_013DC0B9
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014540D3 mov eax, dword ptr fs:[00000030h]3_2_014540D3
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h]3_2_014870E1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h]3_2_014870E1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h]3_2_014870E1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h]3_2_014870E1
            Source: C:\Windows\SysWOW64\Dtldt.exeCode function: 3_2_014440F3 mov eax, dword ptr fs:[00000030h]3_2_014440F3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10006010 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,0_2_10006010

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C680 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton, 0_2_1000C680
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10014650 mouse_event,GetDeviceCaps,_ftol,GetDeviceCaps,_ftol,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,mouse_event, 0_2_10014650
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, 0_2_1001B930
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Progman
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndProgman%s.exerunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255BITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_006B24D6 cpuid 0_2_006B24D6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1001ADE0 sprintf,sprintf,GetLocalTime,sprintf,0_2_1001ADE0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008340
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1001C850 GetModuleFileNameA,_strnicmp,CopyFileA,SetFileAttributesA,Sleep,GetVersionExA,UnlockServiceDatabase,GetLastError,0_2_1001C850

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_10022310 OpenServiceA 00000000,sharedaccess,000F01FF0_2_10022310
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: acs.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: vsserv.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: avcenter.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: kxetray.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: avp.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: cfp.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: KSafeTray.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: rtvscan.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 360tray.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ashDisp.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: TMBMSRV.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: avgwdsvc.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: AYAgent.aye
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: QUHLPSVC.EXE
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: RavMonD.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Mcshield.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: K7TSecurity.exe

            Stealing of Sensitive Information

            barindex
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1001F0C0 socket,bind,getsockname,inet_addr,0_2_1001F0C0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exeCode function: 0_2_1001F470 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,0_2_1001F470
ATT&CK matrix, one line per tactic (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (12); Service Execution (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Create Account (1); Windows Service (11); Bootkit (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (11); Process Injection (12); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1); Masquerading (12); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (12); Bootkit (1); Indicator Removal (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (115); Security Software Discovery (451); Virtualization/Sandbox Evasion (11); Process Discovery (2); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Input Capture (21); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | 58% | ReversingLabs | Win32.Backdoor.Farfli |
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | 57% | Virustotal | | Browse
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\Dtldt.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\Dtldt.exe | 58% | ReversingLabs | Win32.Backdoor.Farfli |
C:\Windows\SysWOW64\Dtldt.exe | 57% | Virustotal | | Browse
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ssl.ptlogin2.qq.com%s | 0% | Avira URL Cloud | safe |
http://ptlogin2.qun.qq.com%s | 0% | Avira URL Cloud | safe |
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | 0% | Avira URL Cloud | safe |
https://ssl.ptlogin2.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
http://www.appspeed.com/ | 0% | Avira URL Cloud | safe |
http://www.appspeed.com/support | 0% | Avira URL Cloud | safe |
http://www.appspeed.com/ | 0% | Virustotal | | Browse
http://qun.qq.com%s | 0% | Avira URL Cloud | safe |
http://ptlogin2.qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
https://localhost.ptlogin2.qq.com:4301%s | 0% | Avira URL Cloud | safe |
http://www.appspeed.com/support | 1% | Virustotal | | Browse
http://qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
206.238.196.240 | 0% | Avira URL Cloud | safe |
206.238.196.240 | 0% | Virustotal | | Browse
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
206.238.196.240 | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ssl.ptlogin2.qq.com%s | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | low
http://www.appspeed.com/ | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.appspeed.com/support | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | false | Avira URL Cloud: safe | low
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://ssl.ptlogin2.qq.com%sAccept-Language: | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | false | Avira URL Cloud: safe | low
http://ptlogin2.qun.qq.com%s | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | low
http://ptlogin2.qun.qq.com%sAccept-Language: | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | false | Avira URL Cloud: safe | low
http://qun.qq.com%s | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | low
https://localhost.ptlogin2.qq.com:4301%s | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | low
http://qun.qq.com%sAccept-Language: | SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe | false | Avira URL Cloud: safe | low
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP
127.0.0.1
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1430960
              Start date and time:2024-04-24 12:29:09 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 59s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@7/3@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 71%
              • Number of executed functions: 32
              • Number of non-executed functions: 363
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
12:31:06 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe modified
No context
              Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):2138112
              Entropy (8bit):7.499623874324066
              Encrypted:false
              SSDEEP:49152:aVhyh5fVd/kOz40n4OdaVZsNz/Trp/HfaBa4kRQaddfZL17N:LY4rn4OdYiH9Qa/RLz
              MD5:2A5F4C6D957F37ECEA115FFFE6D28467
              SHA1:9FE8436F8E1F6198B883404F0B59256B4F08BBED
              SHA-256:5058D869C59BFB3480D1DC6F8F51D191ADB890039C89FF9FD668FE7B481099B8
              SHA-512:673861E0BB2C2A4A26A9AB0A34FEE45AA48E26B0677FB1815C9CC79FB1520D81C75D63D27AF69E7229D79823022C5CA78AB4B7DD0D74388E84A93EF789A04BA8
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 58%
              • Antivirus: Virustotal, Detection: 57%, Browse
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..;M.R;M.R;M.R@Q.R:M.R.B.R3M.RTR.R:M.R.Q.R8M.RTR.R0M.RTR.R?M.R.k.R9M.R;M.R.L.R.k.R8M.R=n.R?M.R=n.RmM.R.R.R0M.R.K.R:M.RRich;M.R................PE..L....>b............................()-...........@.......................... 3.......!......................................P-......`-..............................................................................................................text...............................`....sedata............................. ....idata.......P-.....................@....rsrc........`-.....................@....sedata.......3....... .............@..@........................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Windows\SysWOW64\PING.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):331
              Entropy (8bit):4.92149009030101
              Encrypted:false
              SSDEEP:6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
              MD5:2E512EE24AAB186D09E9A1F9B72A0569
              SHA1:C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
              SHA-256:DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
              SHA-512:6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.499623874324066
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
              File size:2'138'112 bytes
              MD5:2a5f4c6d957f37ecea115fffe6d28467
              SHA1:9fe8436f8e1f6198b883404f0b59256b4f08bbed
              SHA256:5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
              SHA512:673861e0bb2c2a4a26a9ab0a34fee45aa48e26b0677fb1815c9cc79fb1520d81c75d63d27af69e7229d79823022c5ca78ab4b7dd0d74388e84a93ef789a04ba8
              SSDEEP:49152:aVhyh5fVd/kOz40n4OdaVZsNz/Trp/HfaBa4kRQaddfZL17N:LY4rn4OdYiH9Qa/RLz
              TLSH:18A5DF45AC9FE0BEFD3D8538D006D6485823F46AB45868ED9AC8671434E276360BFF1E
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..;M.R;M.R;M.R@Q.R:M.R.B.R3M.RTR.R:M.R.Q.R8M.RTR.R0M.RTR.R?M.R.k.R9M.R;M.R.L.R.k.R8M.R=n.R?M.R=n.RmM.R.R.R0M.R.K.R:M.RRich;M.
              Icon Hash:6d4d51614d0f5721
              Entrypoint:0x6d2928
              Entrypoint Section:.sedata
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:
              Time Stamp:0x623EBFC3 [Sat Mar 26 07:24:51 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:703074f7e4b33aefff112f419dacba1a
Instruction: entrypoint disassembly listing omitted
              Programming Language:
              • [C++] VS98 (6.0) SP6 build 8804
              • [C++] VS98 (6.0) build 8168
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d5080 | 0xf0 | .idata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d6000 | 0x5b000 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x1d8000 | 0xb0000 | 605602ebeb432f43e074072e7d538a95 | False | 0.9970606023615057 | data | 7.998061242856676 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .sedata | 0x1d9000 | 0xfc000 | 0xfc000 | 8a2463c35ec70b1bfcda9b06aece8ac6 | False | 0.7920590355282738 | data | 7.487891420444405 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata | 0x2d5000 | 0x1000 | 0x1000 | 38ac91661c943b6e1c78a2f8b747ea10 | False | 0.100830078125 | data | 1.1539832163864985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x2d6000 | 0x5b000 | 0x5b000 | b9dde77e0c01cfefab0d7b430806317b | False | 0.15477979052197802 | data | 5.192702214613107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .sedata | 0x331000 | 0x1000 | 0x1000 | 53392248c3f9dbda91df55da919be398 | False | 0.780517578125 | PGP Secret Sub-key - | 7.984807925719084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0x2d6220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 2048 | English | United States | 0.6870567375886525
              RT_ICON | 0x2d6688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | English | United States | 0.48334896810506567
              RT_ICON | 0x2d7730 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 18432 | English | United States | 0.39657676348547716
              RT_ICON | 0x2d9cd8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 32768 | English | United States | 0.3041450165328295
              RT_ICON | 0x2ddf00 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 131072 | English | United States | 0.19355554241097836
              RT_ICON | 0x2ee728 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 524288 | English | United States | 0.11795425629493742
              RT_GROUP_ICON | 0x330750 | 0x5a | data | English | United States | 0.7555555555555555
              RT_VERSION | 0x3307ac | 0x2b8 | COM executable for DOS | Chinese | China | 0.4540229885057471
              RT_MANIFEST | 0x330a64 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
              DLL | Import
              MFC42.DLL |
              MSVCRT.dll | atoi
              KERNEL32.dll | HeapFree
              USER32.dll | ValidateRect
              GDI32.dll | SelectObject
              COMCTL32.dll | ImageList_AddMasked
              MSVCP60.dll | ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
              IPHLPAPI.DLL | GetInterfaceInfo
              PSAPI.DLL | GetMappedFileNameW
              ADVAPI32.dll | RegDeleteKeyA
              SHELL32.dll | SHGetFolderPathW
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              Chinese | China |
              No network behavior found

              Target ID:0
              Start time:12:30:01
              Start date:24/04/2024
              Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe"
              Imagebase:0x400000
              File size:2'138'112 bytes
              MD5 hash:2A5F4C6D957F37ECEA115FFFE6D28467
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:3
              Start time:12:30:38
              Start date:24/04/2024
              Path:C:\Windows\SysWOW64\Dtldt.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\Dtldt.exe -auto
              Imagebase:0x400000
              File size:2'138'112 bytes
              MD5 hash:2A5F4C6D957F37ECEA115FFFE6D28467
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 58%, ReversingLabs
              • Detection: 57%, Virustotal, Browse
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:12:31:08
              Start date:24/04/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
              Imagebase:0x790000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:12:31:08
              Start date:24/04/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:12:31:08
              Start date:24/04/2024
              Path:C:\Windows\SysWOW64\PING.EXE
              Wow64 process (32bit):true
              Commandline:ping -n 2 127.0.0.1
              Imagebase:0x6d0000
              File size:18'944 bytes
              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

                Execution Graph

                Execution Coverage:1.8%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:68.9%
                Total number of Nodes:164
                Total number of Limit Nodes:6
                execution_graph 31801 1001b930 12 API calls 31873 100174c0 GetModuleHandleA 31801->31873 31803 1001bb36 31804 100174c0 3 API calls 31803->31804 31805 1001bbb8 31804->31805 31806 100174c0 3 API calls 31805->31806 31807 1001bc29 31806->31807 31808 100174c0 3 API calls 31807->31808 31809 1001bd4d 31808->31809 31810 100174c0 3 API calls 31809->31810 31811 1001beae 31810->31811 31812 100174c0 3 API calls 31811->31812 31813 1001bfdb 31812->31813 31814 100174c0 3 API calls 31813->31814 31815 1001c089 31814->31815 31816 100174c0 3 API calls 31815->31816 31817 1001c123 31816->31817 31818 100174c0 3 API calls 31817->31818 31819 1001c16d 31818->31819 31820 100174c0 3 API calls 31819->31820 31821 1001c1f3 31820->31821 31822 100174c0 3 API calls 31821->31822 31823 1001c29e GetCurrentThreadId PostThreadMessageA 31822->31823 31824 1001c2b9 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 31823->31824 31826 1001c3a2 GetLastError 31824->31826 31828 1001c3b3 31824->31828 31827 1001c7e8 31826->31827 31826->31828 31829 1001c7c3 31828->31829 31830 1001c41c 31828->31830 31833 1001ade0 14 API calls 31829->31833 31831 1001c428 strstr 31830->31831 31832 1001c57d 31830->31832 31834 1001c455 31831->31834 31835 1001c444 31831->31835 31832->31827 31837 1001ade0 14 API calls 31832->31837 31836 1001c7d4 31833->31836 31877 1001c800 OpenSCManagerA 31834->31877 31838 1001c44a Sleep 31835->31838 31840 1001c7dd Sleep 31836->31840 31841 1001c59c 31837->31841 31838->31835 31840->31836 31841->31827 31846 1001c5d5 sprintf 31841->31846 31842 1001c45f 31843 1001c4f3 sprintf 31842->31843 31844 1001c46a 31842->31844 31882 1001ade0 sprintf GetLocalTime sprintf 31843->31882 31849 1001c4e2 31844->31849 31850 1001c48f OpenSCManagerA 31844->31850 31853 1001c63e 31846->31853 31852 1001c4e8 Sleep 31849->31852 31850->31849 31851 1001c4a2 OpenServiceA 31850->31851 31856 1001c4bc StartServiceA 31851->31856 31857 1001c4df CloseServiceHandle 31851->31857 31852->31849 
31858 1001c7b2 31853->31858 31859 1001c647 GetModuleFileNameA sprintf 31853->31859 31854 1001c56e 31922 1001b3d0 31854->31922 31861 1001c4ca CloseServiceHandle CloseServiceHandle 31856->31861 31862 1001c4dd CloseServiceHandle 31856->31862 31857->31849 31863 1001c7b8 Sleep 31858->31863 31865 1001c6f9 Sleep 31859->31865 31860 1001c576 ExitProcess 31864 1001b3d0 16 API calls 31861->31864 31862->31857 31863->31858 31866 1001c4d6 ExitProcess 31864->31866 31867 1001c74f 31865->31867 31945 1001b170 31867->31945 31870 1001c7a6 31871 1001b3d0 16 API calls 31870->31871 31872 1001c7ab ExitProcess 31871->31872 31874 100174d0 LoadLibraryA 31873->31874 31875 100174db GetProcAddress 31873->31875 31874->31875 31876 100174e9 31874->31876 31875->31803 31876->31803 31878 1001c813 31877->31878 31879 1001c815 OpenServiceA 31877->31879 31878->31842 31880 1001c835 CloseServiceHandle CloseServiceHandle 31879->31880 31881 1001c82a CloseServiceHandle 31879->31881 31880->31842 31881->31842 31957 10012640 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 31882->31957 31885 1001c850 31886 100174c0 3 API calls 31885->31886 31887 1001c8e0 31886->31887 31888 100174c0 3 API calls 31887->31888 31889 1001c938 31888->31889 31890 100174c0 3 API calls 31889->31890 31891 1001c9b6 31890->31891 31892 100174c0 3 API calls 31891->31892 31893 1001c9fe 31892->31893 31894 100174c0 3 API calls 31893->31894 31895 1001ca9d 31894->31895 31896 100174c0 3 API calls 31895->31896 31897 1001cb4a 31896->31897 31898 100174c0 3 API calls 31897->31898 31899 1001cbf7 31898->31899 31900 100174c0 3 API calls 31899->31900 31901 1001cc65 31900->31901 31902 100174c0 3 API calls 31901->31902 31903 1001cd0e 31902->31903 31904 100174c0 3 API calls 31903->31904 31905 1001cd84 31904->31905 31906 100174c0 3 API calls 31905->31906 31907 1001ce1b GetModuleFileNameA _strnicmp 31906->31907 31908 1001cec7 Sleep 31907->31908 31909 1001ce76 31907->31909 31980 1000e700 31908->31980 31973 1001afb0 31909->31973 31914 1001b170 4 API calls 
31915 1001ce91 31914->31915 31918 1001ceb6 SetFileAttributesA 31915->31918 31916 1001cf5a 31917 1001cfd2 31916->31917 31919 1001cfd4 GetLastError 31916->31919 31920 1001cf97 UnlockServiceDatabase 31916->31920 31917->31854 31918->31908 31919->31917 31920->31917 31923 100174c0 3 API calls 31922->31923 31924 1001b4c1 31923->31924 31925 100174c0 3 API calls 31924->31925 31926 1001b548 31925->31926 31927 100174c0 3 API calls 31926->31927 31928 1001b5ad 31927->31928 31929 100174c0 3 API calls 31928->31929 31930 1001b628 31929->31930 31931 100174c0 3 API calls 31930->31931 31932 1001b686 31931->31932 31933 100174c0 3 API calls 31932->31933 31934 1001b6da GetModuleFileNameA 31933->31934 31935 1001b8d5 31934->31935 31936 1001b6fc GetShortPathNameA 31934->31936 31935->31860 31936->31935 31937 1001b71b GetEnvironmentVariableA 31936->31937 31937->31935 31938 1001b73b SetFileAttributesA 31937->31938 31939 1001b74c 31938->31939 31939->31939 31940 1001b75e GetCurrentProcess SetPriorityClass GetCurrentThread SetThreadPriority 31939->31940 31941 1001b88d 31940->31941 31942 1001b891 SetPriorityClass SetThreadPriority ResumeThread 31941->31942 31943 1001b8c3 GetCurrentProcess 31941->31943 31942->31860 31944 1001b8ca GetCurrentThread 31943->31944 31944->31935 31946 1001b3c0 sprintf 31945->31946 31947 1001b188 31945->31947 31946->31870 31948 100174c0 3 API calls 31947->31948 31949 1001b213 31948->31949 31950 100174c0 3 API calls 31949->31950 31951 1001b26c 31950->31951 31952 100174c0 3 API calls 31951->31952 31953 1001b2b6 31952->31953 31954 100174c0 3 API calls 31953->31954 31956 1001b2f9 31954->31956 31955 1001b3b9 CloseHandle 31955->31946 31956->31946 31956->31955 31958 100126e2 31957->31958 31959 100127c9 31957->31959 31961 100127a3 31958->31961 31962 100126e9 31958->31962 31963 1001277b 31958->31963 31964 1001270c RegOpenKeyExA 31958->31964 31972 100127f4 RegCloseKey RegCloseKey 31959->31972 31961->31959 31970 100127bb RegDeleteValueA 31961->31970 31962->31959 31962->31964 
31963->31959 31969 10012793 RegDeleteKeyA 31963->31969 31964->31959 31965 10012728 31964->31965 31965->31959 31967 10012759 RegSetValueExA 31965->31967 31968 10012738 31965->31968 31966 100127e0 31966->31885 31967->31959 31968->31959 31971 10012741 RegSetValueExA 31968->31971 31969->31959 31970->31959 31971->31959 31972->31966 31974 100174c0 3 API calls 31973->31974 31975 1001b054 31974->31975 31976 100174c0 3 API calls 31975->31976 31978 1001b0f8 31976->31978 31977 1001b161 CopyFileA 31977->31914 31978->31977 31979 1001b147 PathFileExistsA 31978->31979 31979->31978 31981 1000e70b GetVersionExA 31980->31981 31981->31916

                Control-flow Graph

                APIs
                • #823.MFC42(00000849), ref: 1001B93F
                • lstrcpyA.KERNEL32(206.238.196.240,00000000), ref: 1001B966
                • lstrcpyA.KERNEL32(1011933C,0000012C), ref: 1001B974
                • lstrcpyA.KERNEL32(6gkIBfkS+qY=,00000260), ref: 1001B982
                • lstrcpyA.KERNEL32(tdC2pg==,00000292), ref: 1001B990
                • lstrcpyA.KERNEL32(Mtldtl Dumdu,000002B2), ref: 1001B99E
                • lstrcpyA.KERNEL32(Aqiyqi Arjariar Jbsjbrjb Skcs,00000316), ref: 1001B9AC
                • lstrcpyA.KERNEL32(Gwogwogw Pgxpgxpgx Phyphyp Iyqiyqiy Ria,00000396), ref: 1001B9BA
                • lstrcpyA.KERNEL32(b60d2cdeea0e88ff96434911ba63aaaf,00000496), ref: 1001B9C8
                • lstrcpyA.KERNEL32(C:\Windows\system32,000005A8), ref: 1001B9D6
                • lstrcpyA.KERNEL32(Dtldt.exe,0000060C), ref: 1001B9E4
                • lstrcpyA.KERNEL32(10119858,00000648), ref: 1001B9F2
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • GetCurrentThreadId.KERNEL32 ref: 1001C2AE
                • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001C2B5
                • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001C2D3
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001C2E7
                • GetCommandLineA.KERNEL32 ref: 1001C311
                • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001C393
                • GetLastError.KERNEL32 ref: 1001C3A2
                • strstr.MSVCRT ref: 1001C437
                • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001C44C
                • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001C496
                • OpenServiceA.ADVAPI32(00000000,Mtldtl Dumdu,00000010), ref: 1001C4AA
                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001C4BF
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4CC
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4CF
                • ExitProcess.KERNEL32 ref: 1001C4D7
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4DD
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001C4E0
                • ExitProcess.KERNEL32 ref: 1001C577
                • sprintf.MSVCRT ref: 1001C542
                  • Part of subcall function 1001ADE0: sprintf.MSVCRT ref: 1001AE64
                  • Part of subcall function 1001ADE0: GetLocalTime.KERNEL32(?,C:\Windows\system32,00000000,0000005C), ref: 1001AE6E
                  • Part of subcall function 1001ADE0: sprintf.MSVCRT ref: 1001AF37
                • Sleep.KERNEL32(00000032), ref: 1001C4EA
                  • Part of subcall function 1001B8F0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,75920F00,1001C7E6,?,?,?,?,?,?,?), ref: 1001B90F
                  • Part of subcall function 1001B8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,75920F00,1001C7E6,?,?,?,?,?,?,?), ref: 1001B916
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrcpy$HandleService$Close$sprintf$DescriptorExitOpenProcessSecuritySleepThread$#823AddressCommandCreateCurrentDaclErrorInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                • String ID: -acsi$%$%$%$%$%$%$.$.$2$2$2$2$206.238.196.240$3$3$6gkIBfkS+qY=$A$A$A$A$A$A$A$A$A$A$A$A$Aqiyqi Arjariar Jbsjbrjb Skcs$C$C$C:\Windows\system32$D$D$D$D$D$Dtldt.exe$E$E$E$E$F$F$F$F$G$G$G$G$Global\$Gwogwogw Pgxpgxpgx Phyphyp Iyqiyqiy Ria$I$I$K$L$L$M$Mtldtl Dumdu$N$P$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$b$b60d2cdeea0e88ff96434911ba63aaaf$c$c$c$c$c$d$d$d$f$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$o$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$tdC2pg==$u$u$u$v$v$v$x$y
                • API String ID: 3275504268-884487760
                • Opcode ID: 503f56dd72a0c8a3df4a9527f030af99ff345cade637ec78b7372c87602c9a60
                • Instruction ID: 4729a06a843d4a853779523488982e29edf389ca73e8cd5225b1597df72c3c7d
                • Opcode Fuzzy Hash: 503f56dd72a0c8a3df4a9527f030af99ff345cade637ec78b7372c87602c9a60
                • Instruction Fuzzy Hash: A982E57050C3C0DEE332C7288858BDBBFD59BA6708F48499DE5CC4A292D7BA5648C767
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001CE4B
                • _strnicmp.MSVCRT ref: 1001CE69
                • CopyFileA.KERNEL32(00000000,?,00000000), ref: 1001CE89
                • SetFileAttributesA.KERNELBASE(?,00000007,00000000,?), ref: 1001CEC4
                • Sleep.KERNELBASE(00000032), ref: 1001CEC9
                • GetVersionExA.KERNEL32(00000094,00000000, -auto), ref: 1001CF38
                • UnlockServiceDatabase.ADVAPI32(00000000), ref: 1001CFC1
                • GetLastError.KERNEL32 ref: 1001CFD4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: File$Module$AddressAttributesCopyDatabaseErrorHandleLastLibraryLoadNameProcServiceSleepUnlockVersion_strnicmp
                • String ID: -auto$.$2$2$3$A$A$A$A$A$A$A$A$ADVAPI32.dll$C$C$C$C$Chang$Chang$Clos$CopyFil$D$D$Gwogwogw Pgxpgxpgx Phyphyp Iyqiyqiy Ria$H$K$L$LockS$M$N$O$O$R$S$S$S$S$S$S$SitbsCFAK$StartS$UnlockS$a$a$a$a$a$a$a$a$a$a$b$b$b$c$c$c$c$c$c$c$c$d$d$f$f$g$g$g$i$i$i$i$i$i$i$i$i$i$i$l$l$l$n$n$n$n$n$n$o$o$p$p$r$r$r$r$r$r$r$r$r$r$r$s$s$s$t$t$t$t$t$u$v$v$v$v$v$v$v$v
                • API String ID: 4004796254-3408586921
                • Opcode ID: 41b448118872cf4df2018b4792d5c3518493019a34d40c417a0b123badb124cb
                • Instruction ID: 4802eeb0dfbe738a5f4dcde43ed63972d96c482d6f1e9d276882437cb30f2c40
                • Opcode Fuzzy Hash: 41b448118872cf4df2018b4792d5c3518493019a34d40c417a0b123badb124cb
                • Instruction Fuzzy Hash: 2842CD61C093D8D9EB22C768C8487DDBFB55B26704F0841D9D18C7B282D7BA1B98CB76
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 174 1001ade0-1001afa0 sprintf GetLocalTime sprintf call 10012640
                APIs
                • sprintf.MSVCRT ref: 1001AE64
                • GetLocalTime.KERNEL32(?,C:\Windows\system32,00000000,0000005C), ref: 1001AE6E
                • sprintf.MSVCRT ref: 1001AF37
                  • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000052,?,76365200), ref: 100126B0
                  • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126B9
                  • Part of subcall function 10012640: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 100126C7
                  • Part of subcall function 10012640: GetProcAddress.KERNEL32(00000000), ref: 100126CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProcsprintf$LocalTime
                • String ID: $-$-$.$.$.$4$:$C:\Windows\system32$E$M$M$T$T$Y$\$a$c$e$e$e$i$k$l$m$r$t
                • API String ID: 2604304044-4258467420
                • Opcode ID: 7cb713d820791786441dba3693f361c45ceaed92fbda2c82666f99e8d3bb9d2b
                • Instruction ID: d4881655038f562d2b84cdb29e23f6decd8bb3f1685fa715dee65007e2aec028
                • Opcode Fuzzy Hash: 7cb713d820791786441dba3693f361c45ceaed92fbda2c82666f99e8d3bb9d2b
                • Instruction Fuzzy Hash: A851392200D7C0EDE352C628C88479FBFE55FE6208F48199DF2D45B282C6AA964CC767
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 177 10012640-100126dc LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 178 100126e2 177->178 179 100127d4-100127f3 call 100127f4 177->179 181 100127a3-100127b9 178->181 182 100126e9-10012706 178->182 183 1001277b-10012791 178->183 184 1001270c-10012722 RegOpenKeyExA 178->184 181->179 194 100127bb-100127c3 RegDeleteValueA 181->194 182->179 182->184 183->179 193 10012793-100127a1 RegDeleteKeyA 183->193 184->179 185 10012728-1001272d 184->185 185->179 187 10012733-10012736 185->187 191 10012759-10012779 RegSetValueExA 187->191 192 10012738-1001273b 187->192 196 100127c9-100127cb 191->196 192->179 195 10012741-10012757 RegSetValueExA 192->195 193->196 194->196 195->196 196->179 197 100127cd 196->197 197->179
                APIs
                • LoadLibraryA.KERNEL32(ADVAPI32.dll,00000052,?,76365200), ref: 100126B0
                • GetProcAddress.KERNEL32(00000000), ref: 100126B9
                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 100126C7
                • GetProcAddress.KERNEL32(00000000), ref: 100126CA
                • RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F,?), ref: 1001271E
                • RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,ExA,?), ref: 10012751
                • RegSetValueExA.KERNELBASE(?,?,00000000,?,?), ref: 10012773
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 1001279B
                • RegDeleteValueA.ADVAPI32(?,?), ref: 100127C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Value$AddressDeleteLibraryLoadProc$Open
                • String ID: A$ADVAPI32.dll$C$E$ExA$K$R$RegOpenKeyExA$a$g$r$t$x$y
                • API String ID: 873986947-3011049038
                • Opcode ID: 77534a93ddec386df72c1b7c9f78f243ce87496364d24cf933bc3a61290b0745
                • Instruction ID: b96986457da0ffe49213d20747a76f6beefbe8ccc0a3bc17253899883c9551e7
                • Opcode Fuzzy Hash: 77534a93ddec386df72c1b7c9f78f243ce87496364d24cf933bc3a61290b0745
                • Instruction Fuzzy Hash: 79518FB5908289EBDB04DBA9CC44EEFBBB9EF99750F148109FA14A7281C7749D44CB70
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001B6EE
                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 1001B711
                • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001B72D
                • SetFileAttributesA.KERNELBASE(?,00000080), ref: 1001B748
                • GetCurrentProcess.KERNEL32 ref: 1001B849
                • SetPriorityClass.KERNELBASE(00000000), ref: 1001B84C
                • GetCurrentThread.KERNEL32 ref: 1001B850
                • SetThreadPriority.KERNELBASE(00000000), ref: 1001B85E
                • SetPriorityClass.KERNELBASE(?,00000040), ref: 1001B89B
                • SetThreadPriority.KERNELBASE(?,000000F1), ref: 1001B8A7
                • ResumeThread.KERNELBASE(?), ref: 1001B8B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: PriorityThread$ClassCurrentFileModuleName$AddressAttributesEnvironmentHandleLibraryLoadPathProcProcessResumeShortVariable
                • String ID: > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                • API String ID: 3480704365-781074451
                • Opcode ID: 329a94c1e572e74aebc65122b7594ba6b706aed9e1d612365e75d7971ce457ce
                • Instruction ID: 77738a481cd3c4f24fd6555acfc2c99f2e744f9c495b87a6833c212d371d7524
                • Opcode Fuzzy Hash: 329a94c1e572e74aebc65122b7594ba6b706aed9e1d612365e75d7971ce457ce
                • Instruction Fuzzy Hash: A0E1192150C7C0C9E322C6788848B9BFFD56BE2748F08499DE1D88B292D7FA9548C777
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 160 1001afb0-1001b12d call 100174c0 * 2 call 1000e730 167 1001b161-1001b16b 160->167 168 1001b12f-1001b133 160->168 169 1001b135-1001b150 call 1000e6b0 PathFileExistsA 168->169 170 1001b15c-1001b15f 168->170 169->170 173 1001b152-1001b157 169->173 170->167 170->168 173->170
                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • PathFileExistsA.KERNELBASE(00000000,?,?,00000000,?), ref: 1001B14C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressExistsFileHandleLibraryLoadModulePathProc
                • String ID: .$.$2$3$A$A$A$C$D$E$E$E$F$H$I$K$L$L$N$R$S$W$a$c$d$d$e$e$e$e$h$i$i$i$o$t$t$t$t$x$y
                • API String ID: 1765864004-1881745975
                • Opcode ID: 436c4d23455f82f41a04e37c438138b1eae2ebab51aea2d57e0ce95fb02d506e
                • Instruction ID: 046268b75d8f78fc0c96c06f073ecb20ce0c88ef1cfc24b9e7c28d8443e39428
                • Opcode Fuzzy Hash: 436c4d23455f82f41a04e37c438138b1eae2ebab51aea2d57e0ce95fb02d506e
                • Instruction Fuzzy Hash: 0F51F46100C3C0DDE342C6A8948874BFFD55BA6748F48198DF2C85A282C6FA8648C77B
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001C45F,Mtldtl Dumdu,?,?,?,?,?,?,?,?), ref: 1001C807
                • OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001C820
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001C82B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: OpenService$CloseHandleManager
                • String ID: C:\Windows\system32
                • API String ID: 4136619037-2896066436
                • Opcode ID: eea1aced03f63d53cb26b01f7481a1c7ad30fdb102424cd1360a599640cb637d
                • Instruction ID: 89dad568626105033b8be56fbba20cb3873e5265ca27385a4adced4ebad23dbb
                • Opcode Fuzzy Hash: eea1aced03f63d53cb26b01f7481a1c7ad30fdb102424cd1360a599640cb637d
                • Instruction Fuzzy Hash: D3E0923625423167E2217769BCC9FCB6798DF90B51F174111FA00DA150C674D88249A0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: AfxControlBar42$AfxControlBar42d$AfxControlBar42s$AfxControlBar42sd$ToolbarWindow32
                • API String ID: 3519838083-2691397511
                • Opcode ID: 489563db17cf5430edf53630d8a584e706e1f02c1f5f9c67b07e66abdcfee30d
                • Instruction ID: e68c2db8f4cdcaa3f9cccb9105315fb91f874fe53f6015418d23279765929cd3
                • Opcode Fuzzy Hash: 489563db17cf5430edf53630d8a584e706e1f02c1f5f9c67b07e66abdcfee30d
                • Instruction Fuzzy Hash: 0C41B574C46198ADDB41E7B8C8559EDBFB5DF1A300F24C04EE86563282DA641E0CCF39
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 206.238.196.240$h$x
                • API String ID: 0-1430894455
                • Opcode ID: 33e0c15770d12e1e2e4c548245f50c2a739b353d1ff23a993d48a548a4fee617
                • Instruction ID: 180aa8f9dae32540f7a3b955090983a84d0518fd34a942880bac15cc2fc459ce
                • Opcode Fuzzy Hash: 33e0c15770d12e1e2e4c548245f50c2a739b353d1ff23a993d48a548a4fee617
                • Instruction Fuzzy Hash: 4E01C26274D38166E700B2B95D4675F6BC85BA1398F08887EF888672C3D5B9851883A7
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 274 100127f4-10012806 RegCloseKey * 2
                APIs
                • RegCloseKey.ADVAPI32(?,100127E0), ref: 100127FE
                • RegCloseKey.ADVAPI32(?), ref: 10012804
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 5037355289842a879d909204d8e235da43b60b1652dc9f4149da4c16f053cc26
                • Instruction ID: 03969ba57757726cb8eb669cb116290a9a0a36e733efc5404f112d144901f945
                • Opcode Fuzzy Hash: 5037355289842a879d909204d8e235da43b60b1652dc9f4149da4c16f053cc26
                • Instruction Fuzzy Hash: 6CB09276D21028ABCF00EBA8EC8088E7BB9AF8C6407218142B904A3124C630AD418FD0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: f6cae0ecf9da431ce2872c0ed8430b95d9ac70bbd2394d3344cb5546e3bbd692
                • Instruction ID: 9f7d0dbaf99680793197fc41bebcd433276ba616bd0181eea8a0e9acec2dc25b
                • Opcode Fuzzy Hash: f6cae0ecf9da431ce2872c0ed8430b95d9ac70bbd2394d3344cb5546e3bbd692
                • Instruction Fuzzy Hash: 72012B729051449FDB00EB68D862BDC7F709F56320F54036EE4A1B32C3CA648E44CBB6
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 289 4150da-4150e4 call 691263 291 4150e9-415119 call 41535d 289->291 294 415149-415150 291->294 295 41511b-415124 291->295 296 415152-415158 294->296 297 41515a-41515c 294->297 295->294 298 415126-415137 call 6a9d4a 295->298 299 415144-415147 296->299 300 415160-415168 297->300 301 41515e 297->301 298->294 307 415139-415142 298->307 299->300 303 41521b-415231 300->303 304 41516e-415175 300->304 301->300 304->303 306 41517b-415182 304->306 308 415184-41518b 306->308 309 4151da-4151de 306->309 307->299 307->300 311 41518d-4151a6 308->311 312 4151a8-4151ab 308->312 310 4151e0-4151e2 309->310 309->311 313 4151e4-4151e9 call 415278 310->313 314 4151ee-41520a call 415234 310->314 315 41520f-415215 311->315 316 4151b7-4151d8 call 415278 312->316 317 4151ad-4151b2 call 415234 312->317 313->314 314->315 315->303 315->304 316->315 317->316
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: &KA
                • API String ID: 3519838083-3520529544
                • Opcode ID: 3cebdb13356ca6b6c525245d1b59a194fe7e6d6a61eab2a6df83cca9b9799753
                • Instruction ID: 209db185c96f08d145f64c0d5da2a4367ee3a45f59546463728e010568301247
                • Opcode Fuzzy Hash: 3cebdb13356ca6b6c525245d1b59a194fe7e6d6a61eab2a6df83cca9b9799753
                • Instruction Fuzzy Hash: A051E772600A10DFCB11DF49C684A96BBE1FF98315F16829AE8599F362C374FC81CB58
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 323 401e20-401e7f call 691af7 * 2 327 401e84-401e8d 323->327 328 401eae-401ebd call 6922fc 327->328 329 401e8f-401e94 327->329
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: ?
                • API String ID: 0-1684325040
                • Opcode ID: fe3a43bacb4f70c5c983b1b079f56f17ccae3a476e432277e1d30aa6ab3544dd
                • Instruction ID: 94cb6bfbcf3c4c16ab7117c19e4bc7bec2fb60f48ec2866ebf993503fba6cb34
                • Opcode Fuzzy Hash: fe3a43bacb4f70c5c983b1b079f56f17ccae3a476e432277e1d30aa6ab3544dd
                • Instruction Fuzzy Hash: 8D015EB0900249AFDB40DF88CC46FAE7BB9EB49B10F604259F5106B7C1C3BC5A00CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 331 40208f-4020b7 call 691af7 call 402200 335 4020bc-4020c4 331->335
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: H
                • API String ID: 0-2852464175
                • Opcode ID: acc7ed66f446338f88c347b28f33db72230b8899bdc0ea4a7e691ae50defcf2d
                • Instruction ID: 9e829eb7f74def77e2138f39e4eb5196d2721310b201a115e7d05fe8fb0cf3ce
                • Opcode Fuzzy Hash: acc7ed66f446338f88c347b28f33db72230b8899bdc0ea4a7e691ae50defcf2d
                • Instruction Fuzzy Hash: A1D012F8D00109ABDB00DFC4C886E9EBB78AF88304F508019F504A7381D7BC69459768
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered image; legend: Executed / Not Executed)
                control_flow_graph 336 414cc0-414cd1 337 414cd3-414cd9 336->337 338 414cf9-414cfd 337->338 339 414cdb-414cf2 call 6a9d4a 337->339 341 414d09-414d0e 338->341 342 414cff-414d07 338->342 339->337 345 414d10-414d15 341->345 346 414d29-414d46 call 6a9d4a 341->346 344 414d47-414d4a call 4150da 342->344 352 414d4f-414d6c 344->352 349 414d21-414d24 call 4152eb 345->349 350 414d17-414d1f 345->350 346->344 349->346 350->344
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d43e2909baa3c95ba5555207328eab7029c2ab4908b61d42a50c65cddffe2cd6
                • Instruction ID: dae641060c00ff69798859faf04187e02f9e9a18098443802e68643447daedeb
                • Opcode Fuzzy Hash: d43e2909baa3c95ba5555207328eab7029c2ab4908b61d42a50c65cddffe2cd6
                • Instruction Fuzzy Hash: 07219075100148BFCF01DF54D880EDABFA8EF89328B15C09AF4295B211C375ED85DB64
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c959068f5f4fcd4ce01d7b4ac8fdaf192c00700922baa2cf1a1b6e21835cd59
                • Instruction ID: 683185bbc5e706950e051bcfc2670654b8ad923933d481907a81e389300d4fe3
                • Opcode Fuzzy Hash: 2c959068f5f4fcd4ce01d7b4ac8fdaf192c00700922baa2cf1a1b6e21835cd59
                • Instruction Fuzzy Hash: E6E086F4C00205A7DB00EFE0D94AA9E77345B01318F608129A511773C5D77D9B08D795
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a8cf67ae3a7599d9982e40aab7375efbb0200f357a3c62734c9b4e3a7cb14fa1
                • Instruction ID: 9bf836ea1142d28141691fc973b231669679abafebd2fca03c01946a5b84e011
                • Opcode Fuzzy Hash: a8cf67ae3a7599d9982e40aab7375efbb0200f357a3c62734c9b4e3a7cb14fa1
                • Instruction Fuzzy Hash: FDA001A2655A1DE4140421A666427D9050115C8799371009BB82A9A8A659CE01E2A42F
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32(?), ref: 100240D3
                • sprintf.MSVCRT ref: 1002418D
                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000), ref: 100241D2
                • RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,?), ref: 1002421A
                • RegCloseKey.ADVAPI32(?), ref: 10024248
                • FindWindowA.USER32(?,00000000), ref: 100242AE
                • GetWindowTextA.USER32(00000000,?,00000104), ref: 100242E7
                • GetWindow.USER32(00000000,00000002), ref: 100243A3
                • GetClassNameA.USER32(00000000,?,00000104), ref: 100243B9
                • GetTickCount.KERNEL32 ref: 100243C7
                • sprintf.MSVCRT ref: 100243FE
                  • Part of subcall function 100259E0: WTSQuerySessionInformationA.WTSAPI32 ref: 10025A04
                  • Part of subcall function 100259E0: WTSFreeMemory.WTSAPI32(?,?), ref: 10025A28
                  • Part of subcall function 10020B60: #823.MFC42(00000014,?,00000000), ref: 10020B67
                  • Part of subcall function 10020B60: GlobalMemoryStatusEx.KERNEL32(?), ref: 10020B8B
                  • Part of subcall function 10020B60: wsprintfA.USER32 ref: 10020BAE
                • atol.MSVCRT(00000000,?,?,?,?,00000000), ref: 1002441E
                • #825.MFC42(00000000,?,?,?,00000000), ref: 10024427
                  • Part of subcall function 100216F0: #823.MFC42(00000014,76320450,00000000), ref: 100216F7
                  • Part of subcall function 100216F0: GlobalMemoryStatusEx.KERNEL32(?), ref: 1002171B
                  • Part of subcall function 100216F0: wsprintfA.USER32 ref: 1002173E
                • atol.MSVCRT(00000000,00000000,?,?,?,00000000), ref: 10024434
                • #825.MFC42(00000000,?,?,?,00000000), ref: 1002443D
                • GetDriveTypeA.KERNEL32 ref: 10024472
                • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 1002448D
                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 100244F1
                • OpenServiceA.ADVAPI32(00000000,TermService,000F01FF,?,?,?), ref: 10024512
                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?), ref: 10024531
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 10024542
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 10024545
                • wsprintfA.USER32 ref: 1002480B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseMemoryOpenQueryStatusWindowwsprintf$#823#825FreeGlobalHandleatolsprintf$ClassCountDiskDriveFindInformationManagerNameSessionSpaceTextTickTypeValueVersion
                • String ID: 2000$2003$2008$2008R2$2012$C$C$CTXOPConntion_Class$E$HARDWARE\DESCRIPTION\System\CentralProcessor\0$M$OpenSCManager Error!$OpenService Error!$P$ProcessorNameString$QueryServiceStatus Error!$RDP-Tcp$SYSTEM\CurrentControlSet\Control\Terminal Server$SeDebugPrivilege$ServiceDll$T$T$TermService$Vista$Win XP$Windows %s SP%d$Y$\$\$\$\$\$\termsrv_t.dll$c$c$fDenyTSConnections$i$i$l$m$m$n$n$o$o$s$s$termsrv_t$u$v$v
                • API String ID: 3552166250-473206856
                • Opcode ID: 5a14d067872a67fd92b694e55db92e67272a86a625e3d2023d32f7fac927fa6c
                • Instruction ID: 755189534b6c207bdf3233148af058f0a0cd25c3fe8b8245a38e4b9e8ef9bf03
                • Opcode Fuzzy Hash: 5a14d067872a67fd92b694e55db92e67272a86a625e3d2023d32f7fac927fa6c
                • Instruction Fuzzy Hash: F212E23110C7C09BE325CB649C84BEBBBE5EBD1304F85496DF9849B282DBB59948C763
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100250DE
                • LocalAlloc.KERNEL32 ref: 1002510B
                • Process32First.KERNEL32(00000000,?), ref: 1002512B
                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000,?), ref: 1002514F
                • GetPriorityClass.KERNEL32(00000000,?,?,00000000,?), ref: 10025169
                • sprintf.MSVCRT ref: 1002521D
                • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 10025232
                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 10025281
                • malloc.MSVCRT ref: 10025288
                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,00000400,00000002,00000000), ref: 100252A5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: ProcessToken$Open$Information$AllocClassCreateCurrentFirstLocalPriorityProcess32SnapshotToolhelp32mallocsprintf
                • String ID: %5u$%7u K$@$SeDebugPrivilege$\??\$\SystemRoot$\\?\
                • API String ID: 1766900824-4188095215
                • Opcode ID: bbda699dbf4278d788207b71c11d36741e64359bb8ffcf76b45d27869d40c5ad
                • Instruction ID: 11bca454d58fcf04605f604b218e84eb443354cdf05c8b4c74d3f5efa516ad40
                • Opcode Fuzzy Hash: bbda699dbf4278d788207b71c11d36741e64359bb8ffcf76b45d27869d40c5ad
                • Instruction Fuzzy Hash: 791204312083869FE325CB28D854BEBB7D5EFC8704F944D2CEAC693281DA75E909C756
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                • GetProcAddress.KERNEL32(00000000), ref: 10001168
                • LoadLibraryA.KERNEL32 ref: 100011B4
                • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                • GetProcAddress.KERNEL32(00000000), ref: 10001203
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                • GetProcAddress.KERNEL32(00000000), ref: 10001214
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                • GetProcAddress.KERNEL32(00000000), ref: 10001227
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                • #825.MFC42(?), ref: 100012C4
                • #825.MFC42(00000000,?), ref: 100012CC
                • #825.MFC42(?,00000000,?), ref: 100012D5
                • #825.MFC42(?,?,00000000,?), ref: 100012DE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$#825
                • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                • API String ID: 345516743-2415744366
                • Opcode ID: c000df12d25c6f53a7b11585f0796f77ff8d4ca47dc4d8261024f874ab2dc61b
                • Instruction ID: ee08c086a63c9b71c05a681bfea59521c0724e463f90de67ab2405d2b34fdba8
                • Opcode Fuzzy Hash: c000df12d25c6f53a7b11585f0796f77ff8d4ca47dc4d8261024f874ab2dc61b
                • Instruction Fuzzy Hash: 2B517175904384ABCB10EF748C88E9B7FA8EF98351F450D49FB849B346DA36D905CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetEvent.KERNEL32(?), ref: 1000C68C
                • FindWindowA.USER32(Progman,00000000), ref: 1000C6C3
                • ShowWindow.USER32(00000000,00000000), ref: 1000C6CC
                • FindWindowA.USER32(Progman,00000000), ref: 1000C6E2
                • ShowWindow.USER32(00000000,00000005), ref: 1000C6EB
                • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1000C707
                • ShowWindow.USER32(00000000,00000000), ref: 1000C712
                • FindWindowA.USER32(Button,100F5F48), ref: 1000C71E
                • ShowWindow.USER32(00000000,00000000), ref: 1000C723
                • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1000C73B
                • ShowWindow.USER32(00000000,00000005), ref: 1000C746
                • FindWindowA.USER32(Button,100F5F48), ref: 1000C752
                • ShowWindow.USER32(00000000,00000005), ref: 1000C757
                • FindWindowA.USER32(00000000,00000000), ref: 1000C772
                • SendMessageA.USER32(00000000), ref: 1000C779
                • FindWindowA.USER32(00000000,00000000), ref: 1000C798
                • SendMessageA.USER32(00000000), ref: 1000C79F
                • mciSendStringA.WINMM(set cdaudio door open,00000000,00000000,00000000), ref: 1000C7B9
                • mciSendStringA.WINMM(set cdaudio door closed wait,00000000,00000000,00000000), ref: 1000C7D3
                • Beep.KERNEL32(000003E8,0000001E), ref: 1000C7F6
                • Sleep.KERNEL32(00000064), ref: 1000C7FA
                • GetForegroundWindow.USER32 ref: 1000C80F
                • GetWindowRect.USER32(00000000,?), ref: 1000C837
                • MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 1000C85E
                • Sleep.KERNEL32(00000028), ref: 1000C862
                • MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 1000C87F
                • Sleep.KERNEL32(00000028), ref: 1000C883
                • Beep.KERNEL32(00000FFF,0000000A), ref: 1000C88C
                • SwapMouseButton.USER32(00000001), ref: 1000C8A5
                • SwapMouseButton.USER32(00000000), ref: 1000C8B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Window$Find$Show$Send$Sleep$BeepButtonMessageMouseMoveStringSwap$EventForegroundRect
                • String ID: Button$Progman$Shell_TrayWnd$set cdaudio door closed wait$set cdaudio door open
                • API String ID: 2556331450-1413032928
                • Opcode ID: 709870fc80e0e8e69c93ac51de8ce754abde7dbd27f32ff7a8b968b812ad5dd2
                • Instruction ID: c886d6d3add34ece47e187ad78ed35b021b35e69a0d648dc262f7d43e9efa9fc
                • Opcode Fuzzy Hash: 709870fc80e0e8e69c93ac51de8ce754abde7dbd27f32ff7a8b968b812ad5dd2
                • Instruction Fuzzy Hash: 7851147A7803247BF220E758DC8AFDA7714EBC4732F208136FF05A61D0D67564098AB9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32 ref: 1001711C
                  • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F95,1001713F,?,?,?), ref: 100168E9
                  • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                  • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                  • Part of subcall function 10016720: lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F95,759223A0), ref: 100167A7
                  • Part of subcall function 10016720: gethostname.WS2_32(?,?), ref: 100167AF
                  • Part of subcall function 10016720: lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F95,759223A0), ref: 100167B6
                • getsockname.WS2_32(?), ref: 10017186
                • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 100171F3
                • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 10017214
                • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001725D
                • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10017278
                • GetTickCount.KERNEL32 ref: 1001730B
                • wsprintfA.USER32 ref: 1001732C
                • wsprintfA.USER32 ref: 10017349
                • wsprintfA.USER32 ref: 10017363
                • wsprintfA.USER32 ref: 1001738A
                • free.MSVCRT(00000000), ref: 100173B8
                • free.MSVCRT(?,?,?,00000100), ref: 1001742E
                • lstrcpyA.KERNEL32(?,00000000,?,?,00000100), ref: 10017447
                • GetLastInputInfo.USER32(?), ref: 10017461
                • GetTickCount.KERNEL32 ref: 10017467
                • lstrcpyA.KERNEL32(?,00000000), ref: 1001748D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: wsprintf$CountFreeInfoLibraryTickfreelstrcpylstrlen$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersiongethostnamegetsockname
                • String ID: %$6gkIBfkS+qY=$@$D$Mtldtl Dumdu$a$d$e$f$f$l$t$u
                • API String ID: 3120897193-2233143661
                • Opcode ID: a9b92a96c4369d6e81ffcbae9037dc32718a10426265270617612408bdc0e9d6
                • Instruction ID: d62cdfb082d1a75627d98523c0125e9ce58e088c9f404048c39b39b746d53e56
                • Opcode Fuzzy Hash: a9b92a96c4369d6e81ffcbae9037dc32718a10426265270617612408bdc0e9d6
                • Instruction Fuzzy Hash: C3A19BB55083859FE325CB64CC80BDBBBE9EFC9304F044A1DF58987241EB75A509CB62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 1001A4DE
                • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1001A4F3
                • GetLastError.KERNEL32 ref: 1001A4FF
                • ReleaseMutex.KERNEL32(00000000), ref: 1001A50D
                • CloseHandle.KERNEL32(00000000), ref: 1001A514
                • CloseHandle.KERNEL32(00000000), ref: 1001A53C
                • CloseHandle.KERNEL32(00000000), ref: 1001A55D
                • CloseHandle.KERNEL32(00000000), ref: 1001A575
                • CloseHandle.KERNEL32(00000000), ref: 1001A590
                • CloseHandle.KERNEL32(00000000), ref: 1001A5AB
                • Sleep.KERNEL32(00000BB8), ref: 1001A5F0
                • lstrcpyA.KERNEL32(?,206.238.196.240), ref: 1001A613
                • GetTickCount.KERNEL32 ref: 1001A65F
                • GetTickCount.KERNEL32 ref: 1001A683
                • GetTickCount.KERNEL32 ref: 1001A6BD
                • GetTickCount.KERNEL32 ref: 1001A701
                • GetTickCount.KERNEL32 ref: 1001A71F
                • Sleep.KERNEL32(00000064,?,00000001), ref: 1001A73B
                • GetTickCount.KERNEL32 ref: 1001A75F
                • WaitForSingleObject.KERNEL32(?,00000064), ref: 1001A76D
                • Sleep.KERNEL32(00000190), ref: 1001A77A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseCountHandleTick$Sleep$Mutex$CreateErrorLastObjectReleaseSingleWaitlstrcpywsprintf
                • String ID: %s:%d:%s$206.238.196.240$Mtldtl Dumdu$e$tdC2pg==
                • API String ID: 3027695092-2355791709
                • Opcode ID: 9d7150f100be0c02902ae68ed44c96dc3e8a283a0e1769531764386ec7ca12b7
                • Instruction ID: dc56ed8e96a0a473f3ceccd143fbb57c5463b5468fdcf1a8512feb3f7a12ec6f
                • Opcode Fuzzy Hash: 9d7150f100be0c02902ae68ed44c96dc3e8a283a0e1769531764386ec7ca12b7
                • Instruction Fuzzy Hash: 7A91E575508381AAE330DB74CC89FDB7BE9EB96750F00091CF5489B192EB75A688C662
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrcatA.KERNEL32(00000000,?), ref: 10026356
                • lstrcatA.KERNEL32(00000000,\*.*), ref: 10026365
                • FindFirstFileA.KERNEL32(00000000,?), ref: 10026381
                • strstr.MSVCRT ref: 1002642E
                • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,10125614,?,00000104,?), ref: 1002647E
                • lstrlenA.KERNEL32(00000000), ref: 10026488
                • lstrlenA.KERNEL32(?), ref: 10026491
                • LocalSize.KERNEL32(?), ref: 100264A7
                • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 100264C0
                • lstrlenA.KERNEL32(?), ref: 100264D0
                • lstrlenA.KERNEL32(?), ref: 100264FA
                • lstrlenA.KERNEL32(00000000), ref: 10026514
                • lstrlenA.KERNEL32(00000000), ref: 10026544
                • FindNextFileA.KERNEL32(?,?), ref: 10026560
                • FindClose.KERNEL32(?), ref: 1002656F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                • String ID: .$.url$InternetShortcut$URL$\*.*
                • API String ID: 3365753205-65308377
                • Opcode ID: 6fe7781855e7051b680883f4bac82d6d3a317ac5f84533cd35bbfe081694e390
                • Instruction ID: 87e1bb42a69771b972d38f98c6adb2aa95a4d86102d5fa0a37b1bfd3e987af2e
                • Opcode Fuzzy Hash: 6fe7781855e7051b680883f4bac82d6d3a317ac5f84533cd35bbfe081694e390
                • Instruction Fuzzy Hash: 556138711047549FD328CB38CC84AEBBBE9FBC9301F508A2DEA4697254EB35A909CB41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 10008766
                • wsprintfA.USER32 ref: 100087BC
                • FindFirstFileA.KERNEL32(?,?,100F5484,?,00000000,00000065), ref: 100087CE
                • wsprintfA.USER32 ref: 10008830
                • wsprintfA.USER32 ref: 1000885C
                • SetFileAttributesA.KERNEL32(?,00000080), ref: 10008876
                • DeleteFileA.KERNEL32(?), ref: 10008884
                • FindNextFileA.KERNEL32(?,?), ref: 10008894
                • FindClose.KERNEL32(?), ref: 100088A7
                • RemoveDirectoryA.KERNEL32(?), ref: 100088AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                • String ID: %$%$%$%$%$.$.
                • API String ID: 1639472542-2249276185
                • Opcode ID: d9e64f9345b0402f6918c17be90c718ca4e22ae175219570850045d08e44636b
                • Instruction ID: 21311e50925f34d8e1f6941ef68614689c34f6300e3c1fb60ec4bdd6fcbace88
                • Opcode Fuzzy Hash: d9e64f9345b0402f6918c17be90c718ca4e22ae175219570850045d08e44636b
                • Instruction Fuzzy Hash: 50418D7100C3819AE310CB64DC48AEBBBE8ABDA344F588A5DF9C843241DA75D608C76B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLogicalDriveStringsA.KERNEL32 ref: 1000836D
                • GetUserNameA.ADVAPI32(?,?), ref: 10008399
                • _stricmp.MSVCRT(?,SYSTEM), ref: 100083AC
                • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 100083D7
                • CloseHandle.KERNEL32(00000000), ref: 100083DE
                • lstrlenA.KERNEL32(?), ref: 100083F2
                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 1000842D
                • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 1000844B
                • lstrlenA.KERNEL32(?), ref: 10008459
                • lstrlenA.KERNEL32(?), ref: 10008467
                • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008486
                • GetDriveTypeA.KERNEL32(?), ref: 100084C5
                • lstrlenA.KERNEL32(?), ref: 1000852F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_stricmp
                • String ID: SYSTEM$g
                • API String ID: 3735514147-3120117691
                • Opcode ID: bd696c4cef1b93f272b65f2cd570373f29085df2035be5b46b8d8c85b68281c1
                • Instruction ID: 995c0707421343ab744ffff33625381e1df9850639ea77a8c7a4dd0424174244
                • Opcode Fuzzy Hash: bd696c4cef1b93f272b65f2cd570373f29085df2035be5b46b8d8c85b68281c1
                • Instruction Fuzzy Hash: 8451B0715083599FE710DF14C880AEFBBE9FBC8344F444A2DF98997251CB74AA09CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10027CC0: GetCurrentThreadId.KERNEL32 ref: 10027CD2
                  • Part of subcall function 10027CC0: GetThreadDesktop.USER32(00000000), ref: 10027CD9
                  • Part of subcall function 10027CC0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D0C
                  • Part of subcall function 10027CC0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 10027D17
                  • Part of subcall function 10027CC0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 10027D3E
                  • Part of subcall function 10027CC0: lstrcmpiA.KERNEL32(?,?), ref: 10027D4D
                  • Part of subcall function 10027CC0: SetThreadDesktop.USER32(00000000), ref: 10027D58
                  • Part of subcall function 10027CC0: CloseDesktop.USER32(00000000), ref: 10027D70
                  • Part of subcall function 10027CC0: CloseDesktop.USER32(00000000), ref: 10027D73
                • GetDeviceCaps.GDI32(?,00000076), ref: 1001469F
                • _ftol.MSVCRT ref: 100146B7
                • GetDeviceCaps.GDI32(?,00000075), ref: 100146C7
                • _ftol.MSVCRT ref: 100146DF
                • MapVirtualKeyA.USER32(?,00000000), ref: 10014738
                • keybd_event.USER32(?,00000000), ref: 10014743
                • MapVirtualKeyA.USER32(?,00000000), ref: 10014755
                • keybd_event.USER32(00000000,00000000), ref: 10014760
                • MapVirtualKeyA.USER32(?,00000000), ref: 10014789
                • keybd_event.USER32(?,00000000), ref: 10014794
                • MapVirtualKeyA.USER32(?,00000000), ref: 100147A6
                • keybd_event.USER32(?,00000000), ref: 100147B1
                • mouse_event.USER32(00008006,00000000,00000000,00000000,00000000), ref: 10014808
                • mouse_event.USER32(00008006,00000000,00000000,00000000,00000000), ref: 100148A1
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Desktop$Virtualkeybd_event$Thread$CapsCloseDeviceInformationObjectUser_ftolmouse_event$CurrentInputOpenlstrcmpi
                • String ID:
                • API String ID: 155679656-0
                • Opcode ID: b35ef54b6048c289d2f3728692a894843c00b48f20be30021ec7376e9369996f
                • Instruction ID: f08f1c6231b75a2d8fdc7810d46143b97d517c61a25559a5b22ab7eb5df22c5a
                • Opcode Fuzzy Hash: b35ef54b6048c289d2f3728692a894843c00b48f20be30021ec7376e9369996f
                • Instruction Fuzzy Hash: 0651AB346883907AF670CA558C8AF9F7B98EB46B90F328515F645AE0E0CEF0E5C4C765
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileA.KERNEL32 ref: 1000C5D2
                • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000C605
                • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000C619
                • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000C634
                • CloseHandle.KERNEL32(00000000), ref: 1000C637
                • Sleep.KERNEL32(000007D0), ref: 1000C642
                • GetVersion.KERNEL32 ref: 1000C648
                • ExitWindowsEx.USER32(00000006,00000000), ref: 1000C668
                • ExitProcess.KERNEL32 ref: 1000C670
                  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                • API String ID: 554375110-3993181469
                • Opcode ID: ec22cffec440fbac7ee8039e5b82bcb5052ab0dcdaea311913a5ae636d515fbd
                • Instruction ID: 205b70589b789033467f2a3b0af619853c481c55584e71c3bc365793bb5a12d1
                • Opcode Fuzzy Hash: ec22cffec440fbac7ee8039e5b82bcb5052ab0dcdaea311913a5ae636d515fbd
                • Instruction Fuzzy Hash: 4821F2353847657BF630EB24CC4AFDA3B90AB84B11F204B18FB65BA0D0D6A07604875A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenA.KERNEL32(?,?,?,00000065), ref: 1000859A
                • wsprintfA.USER32 ref: 100085EA
                • FindFirstFileA.KERNEL32(?,?,?,100F5484,?,00000065), ref: 10008600
                • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10008636
                • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10008664
                • lstrlenA.KERNEL32(?,?,00000065), ref: 100086A3
                • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 100086F6
                • LocalFree.KERNEL32(00000000,?,00000065), ref: 10008712
                • FindClose.KERNEL32(?,?,00000065), ref: 1000871D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                • String ID: .$h
                • API String ID: 4283800025-2131999284
                • Opcode ID: b6a7e83d22f7991ca3024222d3095c0377de5e009c4a1f7f1239e70007da91b5
                • Instruction ID: 9e9fa09597343c3d33f58066edf1bc9ac54451ce5a7623f6020eb3d89927d9eb
                • Opcode Fuzzy Hash: b6a7e83d22f7991ca3024222d3095c0377de5e009c4a1f7f1239e70007da91b5
                • Instruction Fuzzy Hash: 755106756083848FD310CF68CC84B9BBBE4FBD9345F548A2CF98497341D6799A09CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 100137CC
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001399C
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003), ref: 10013B2C
                  • Part of subcall function 10012F70: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10013058
                • #825.MFC42(00000000), ref: 10013B81
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003), ref: 10013B91
                • #825.MFC42(?), ref: 10013C19
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823$#825$Open
                • String ID:
                • API String ID: 2779812387-0
                • Opcode ID: 564811c81090fafd9c88047a90e8582f58457f7036380442e5ba9a3557740b09
                • Instruction ID: 6770e2bfe27b35aec20c0b657e72e1cff44af21098f06d03b8ebb5f60cd9b73f
                • Opcode Fuzzy Hash: 564811c81090fafd9c88047a90e8582f58457f7036380442e5ba9a3557740b09
                • Instruction Fuzzy Hash: 25D120B56046059BC308DF28D89166FB3D6FFC8610F84853DF9468B381DB35EA8AC792
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenA.KERNEL32(00000000), ref: 10021469
                • lstrlenA.KERNEL32(00000000), ref: 10021479
                • lstrlenA.KERNEL32(00000000), ref: 10021480
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                  • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                • NetUserAdd.NETAPI32 ref: 100214D6
                • #825.MFC42(?), ref: 100214E4
                • #825.MFC42(?,?), ref: 100214EE
                • wcscpy.MSVCRT ref: 10021532
                • #825.MFC42(?), ref: 1002153D
                • #825.MFC42(?,?), ref: 10021547
                • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 1002156A
                • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10021572
                • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 1002159F
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                • String ID:
                • API String ID: 3899135135-0
                • Opcode ID: 471d24f2a99f04f068336eb5ee4591de7282793d3427b92e0a67ffe67382fa1b
                • Instruction ID: 7d8fadddd2169925b57e10fd67cde15fd11a706cf5bde10c36258d042e66e1d0
                • Opcode Fuzzy Hash: 471d24f2a99f04f068336eb5ee4591de7282793d3427b92e0a67ffe67382fa1b
                • Instruction Fuzzy Hash: B941B4755043406BD710DF64DC85EAFBBE8EFC9744F400D2DF54497242EAB9EA098762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WSAStartup.WS2_32(00000202,?), ref: 1001F481
                • socket.WS2_32(00000002,00000001,00000006), ref: 1001F491
                • htons.WS2_32 ref: 1001F4C0
                • bind.WS2_32 ref: 1001F4DB
                • listen.WS2_32(00000000,00000032), ref: 1001F4EC
                • accept.WS2_32(00000000,00000000,00000000), ref: 1001F515
                • malloc.MSVCRT ref: 1001F51B
                • CreateThread.KERNEL32(00000000,00000000,Function_0001F180,00000000,00000000,?), ref: 1001F537
                • Sleep.KERNEL32(000003E8), ref: 1001F546
                • CloseHandle.KERNEL32(00000000), ref: 1001F54F
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                • String ID:
                • API String ID: 1905318980-0
                • Opcode ID: a59095f9e3124cbee1a4d9441902c249b362dc60a6f7d5ebdabd048e0652216a
                • Instruction ID: d64cc42701f4da185ffe0f43c7499a31d7295766506552b4b360b44478263ad1
                • Opcode Fuzzy Hash: a59095f9e3124cbee1a4d9441902c249b362dc60a6f7d5ebdabd048e0652216a
                • Instruction Fuzzy Hash: E521C834648310BBF310DF64DC89BAB77A9EF54B50F20871CF9599A2E0E770D9448626
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002232D
                • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 10022340
                • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1002234E
                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022363
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022370
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022373
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                • String ID: SeDebugPrivilege$sharedaccess
                • API String ID: 3393504433-1846105483
                • Opcode ID: 9a5bec22da184aafc7de1840fb89d9ed27d65efad80d4713c520f9db900ec074
                • Instruction ID: 5f6db0e678fc87dd5abd25df875302259054930dedc4e593eacc6998952c9221
                • Opcode Fuzzy Hash: 9a5bec22da184aafc7de1840fb89d9ed27d65efad80d4713c520f9db900ec074
                • Instruction Fuzzy Hash: F7F0F63A6601207BE210B7688C8AFFF3F68EF91752F504124FF0865191DBB565488AB2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                • OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                • String ID:
                • API String ID: 3398352648-0
                • Opcode ID: 0ad56e8a79e4debe52c01416b8063527252df3a7d3e373228cf3d4ae0fe8c4a5
                • Instruction ID: b2682cf87979ee8176c9da1bf77602dff9e403c07e320506278319093fb252ce
                • Opcode Fuzzy Hash: 0ad56e8a79e4debe52c01416b8063527252df3a7d3e373228cf3d4ae0fe8c4a5
                • Instruction Fuzzy Hash: 0D0179B9614700BFE314DF64CC99F6B77A8FF84700F95C91CF94686190D675D4448B61
                Uniqueness

                Uniqueness Score: -1.00%
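
The two listings above are the parts of this sample behind the report's "Contains functionality to modify windows services which are used for security filtering and protection" signature. The function whose calls sit at 1002232D-10022373 first runs the helper 100174F0, which enables one privilege on the current process token (SeDebugPrivilege here, per the String ID line; the same helper is called with SeShutdownPrivilege from the ExitWindowsEx function further down), then opens the service control manager, opens the service named sharedaccess, queries its status and sends it control code 1. The sandbox prints the arguments as raw numbers, so the script below, an added example and not Joe Sandbox output, parses the trace lines (copied from the report) and names the constants from the Windows SDK headers: 000F003F is SC_MANAGER_ALL_ACCESS, 000F01FF is SERVICE_ALL_ACCESS, control code 1 is SERVICE_CONTROL_STOP, and the 00000010 passed to AdjustTokenPrivileges is sizeof(TOKEN_PRIVILEGES) holding a single LUID_AND_ATTRIBUTES entry. Two caveats: SharedAccess is the "Windows Firewall/Internet Connection Sharing (ICS)" service only on Windows XP and Server 2003; on Vista and later the firewall runs as MpsSvc and stopping SharedAccess only disables ICS. And reading the 00000028 shown on the stack at GetCurrentProcess as TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY for the OpenProcessToken call that follows is an interpretation based on the stdcall push order, not something the listing states.

```python
"""Decode the two listings above (the SCM chain at 1002232D-10022373 and its
privilege helper 100174F0) into named Win32 constants.  Added example, not
Joe Sandbox output: the trace strings are copied from the report (bullets
dropped); the constant values are the Windows SDK definitions."""
import re

# Windows SDK values (winsvc.h, winnt.h); the trace shows only the numbers.
SC_MANAGER_ALL_ACCESS = 0x000F003F
SERVICE_ALL_ACCESS = 0x000F01FF
SERVICE_CONTROL_CODES = {0x1: "SERVICE_CONTROL_STOP", 0x2: "SERVICE_CONTROL_PAUSE",
                         0x3: "SERVICE_CONTROL_CONTINUE", 0x4: "SERVICE_CONTROL_INTERROGATE"}
TOKEN_ACCESS_BITS = {0x0008: "TOKEN_QUERY", 0x0020: "TOKEN_ADJUST_PRIVILEGES"}
SIZEOF_PRIVILEGE_COUNT = 4           # DWORD PrivilegeCount at the start of TOKEN_PRIVILEGES
SIZEOF_LUID_AND_ATTRIBUTES = 8 + 4   # LUID Luid + DWORD Attributes

TRACE_SERVICE = """\
Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002232D
OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 10022340
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1002234E
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022363
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022370
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100200D6), ref: 10022373
"""
TRACE_PRIVILEGE = """\
GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
OpenProcessToken.ADVAPI32(00000000), ref: 10017501
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
"""

CALL_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*?)\), ref: (?P<ref>[0-9A-F]+)")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


def parse_trace(text):
    """One record per 'Api.Module(args), ref: addr' line; arguments the sandbox
    could not recover stay as the literal '?'."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                          "subcall": m["sub"], "args": m["args"].split(",")})
    return calls


def as_int(arg):
    """A 32-bit hex argument as int; strings such as 'sharedaccess' or '?' give None."""
    return int(arg, 16) if HEX8.fullmatch(arg) else None


def name_mask(value, expected_value, expected_name):
    if value == expected_value:
        return expected_name
    return "?" if value is None else hex(value)


def first(calls, api):
    return next(c for c in calls if c["api"] == api)


def decode_service_sequence(calls):
    """Name the SCM access masks and the control code, and check the call order."""
    scm, svc, ctl = (first(calls, a) for a in ("OpenSCManagerA", "OpenServiceA", "ControlService"))
    own = [c["api"] for c in calls if c["subcall"] is None]   # the function's own calls, in order
    return {
        "scm_access": name_mask(as_int(scm["args"][2]), SC_MANAGER_ALL_ACCESS, "SC_MANAGER_ALL_ACCESS"),
        "target_service": svc["args"][1],
        "service_access": name_mask(as_int(svc["args"][2]), SERVICE_ALL_ACCESS, "SERVICE_ALL_ACCESS"),
        "control": SERVICE_CONTROL_CODES.get(as_int(ctl["args"][1]), "unknown"),
        "queries_status_first": own.index("QueryServiceStatus") < own.index("ControlService"),
        "closes_both_handles": own.count("CloseServiceHandle") == 2,
        "privilege_helper": sorted({c["subcall"] for c in calls if c["subcall"]}),
    }


def decode_privilege_sequence(calls):
    """How many privileges the TOKEN_PRIVILEGES buffer holds and whether the caller
    reads GetLastError() afterwards.  That read matters: AdjustTokenPrivileges returns
    TRUE even when nothing was enabled, and only GetLastError() == ERROR_NOT_ALL_ASSIGNED
    (1300) tells the caller the privilege was never granted to the token."""
    apis = [c["api"] for c in calls]
    i = apis.index("AdjustTokenPrivileges")
    # (TokenHandle, DisableAllPrivileges, NewState, BufferLength, PreviousState, ReturnLength)
    adj = calls[i]["args"]
    buffer_len = as_int(adj[3])
    # Interpretation: GetCurrentProcess takes no arguments, so the value the sandbox shows on
    # the stack there is the DesiredAccess already pushed for the OpenProcessToken call after it.
    stack_top = as_int(first(calls, "GetCurrentProcess")["args"][0]) or 0
    return {
        "token_access": [n for bit, n in sorted(TOKEN_ACCESS_BITS.items()) if stack_top & bit],
        "disable_all": as_int(adj[1]) == 1,
        "entries_in_buffer": (buffer_len - SIZEOF_PRIVILEGE_COUNT) // SIZEOF_LUID_AND_ATTRIBUTES,
        "checks_last_error": i + 1 < len(apis) and apis[i + 1] == "GetLastError",
    }


if __name__ == "__main__":
    print("service  ", decode_service_sequence(parse_trace(TRACE_SERVICE)))
    print("privilege", decode_privilege_sequence(parse_trace(TRACE_PRIVILEGE)))
```

Running it prints the two decoded dictionaries. The entries_in_buffer value of 1 and the GetLastError call straight after AdjustTokenPrivileges are the two details worth confirming in the disassembly: a helper that skips that check believes it holds SeDebugPrivilege even on a token that was never granted it, and the later OpenService call would then fail quietly on a low-privilege host.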

                APIs
                • BlockInput.USER32(00000000), ref: 100142A6
                • BlockInput.USER32(?,?,?), ref: 100142C9
                • InterlockedExchange.KERNEL32(?,?), ref: 100142E0
                • BlockInput.USER32(?,?,?), ref: 100142E9
                • InterlockedExchange.KERNEL32(?,?), ref: 10014300
                • InterlockedExchange.KERNEL32(?,?), ref: 10014319
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: BlockExchangeInputInterlocked
                • String ID:
                • API String ID: 3466551546-0
                • Opcode ID: e5828a2dd93037858442616e4caf3bd3ce8519f10e178e18d8f9e38ffa49e733
                • Instruction ID: 17d1c2bafebc0ce83059b9f736f966c6318352bbbbab30d7eddd310a63ab96de
                • Opcode Fuzzy Hash: e5828a2dd93037858442616e4caf3bd3ce8519f10e178e18d8f9e38ffa49e733
                • Instruction Fuzzy Hash: BB31353B30856117D284E738B852EEFA759EBD5321F05893BF5958B245CE20AC8683F0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32(00000000), ref: 10016347
                • CoCreateInstance.OLE32(100E6B40,00000000,00000001,100E6B20,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001635F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CreateInitializeInstance
                • String ID: FriendlyName
                • API String ID: 3519745914-3623505368
                • Opcode ID: c9b7d0305d722346b35be157ceed7fd0cb712297c628feb38cc64e36833bea2d
                • Instruction ID: 815dfca348a4872d2d48d528abea59a0c072ecb8b509b37909914934ed124131
                • Opcode Fuzzy Hash: c9b7d0305d722346b35be157ceed7fd0cb712297c628feb38cc64e36833bea2d
                • Instruction Fuzzy Hash: 2631E674204202AFD604CF65CC88F5BB7E9FF88744F108A58F959DB250EB75E84ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 100090E5
                • FindClose.KERNEL32(00000000), ref: 10009167
                • CloseHandle.KERNEL32(?), ref: 10009179
                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009191
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseFileFind$CreateFirstHandle
                • String ID: p
                • API String ID: 3283578348-2181537457
                • Opcode ID: eba956b9fcbe3bfcc7104d0eaea32a5904e49d3a37679d4c714c3b9362f4e101
                • Instruction ID: b12e5796499e45cbb7bbc860ac8b97f10ac8faff609f7352a5540c7b03686c13
                • Opcode Fuzzy Hash: eba956b9fcbe3bfcc7104d0eaea32a5904e49d3a37679d4c714c3b9362f4e101
                • Instruction Fuzzy Hash: 5531B975A087029BE324DF28CC457CFB7EAEBC53A0F258A1DF4A9873D4D63499458B42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49e1a3441f48fd08871a00606a187dde43cc83fe5c9fb3bd3fdf33e5fbf61024
                • Instruction ID: 21c3bced292d153852bad5432d3ee80454c38e9ea06e495423d8ed335e1c25ce
                • Opcode Fuzzy Hash: 49e1a3441f48fd08871a00606a187dde43cc83fe5c9fb3bd3fdf33e5fbf61024
                • Instruction Fuzzy Hash: 7D41E4B27003056FE754DF689C81B67B7D9EB883A5F24402AFA05C7686DBB1F80487A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: bindsocket
                • String ID:
                • API String ID: 3370621091-0
                • Opcode ID: 48ec17574366238cad99c539dcb6618e3c139e77b47012e2206df5b20fac36fb
                • Instruction ID: 199b92a5082f7001cbb4ac8ce796d27b6acc07d0293226c99db6652306a76db7
                • Opcode Fuzzy Hash: 48ec17574366238cad99c539dcb6618e3c139e77b47012e2206df5b20fac36fb
                • Instruction Fuzzy Hash: 581130B4814311AFE300DF64D8456EAB7E4FF98318F148A2DF89887291E3B5DA858786
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: exitfprintf
                • String ID: %s
                • API String ID: 4243785698-620797490
                • Opcode ID: 25dc1b16975e234d7738d6ab2dc72ba28bf17fa3fa696483168906151d4a282f
                • Instruction ID: 52e782dcf910148b0d5456635dd42d683ac935d6c7f17b3f20a5fbffaddbf4db
                • Opcode Fuzzy Hash: 25dc1b16975e234d7738d6ab2dc72ba28bf17fa3fa696483168906151d4a282f
                • Instruction Fuzzy Hash: 73E06539804111AFD200DFA4DC45EAEB7B8EF85304F009454F54897211DB75F8498BA7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenEventLogA.ADVAPI32(00000000,100F5EBC), ref: 1000C4F4
                • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000C4FF
                • CloseEventLog.ADVAPI32(00000000), ref: 1000C502
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Event$ClearCloseOpen
                • String ID:
                • API String ID: 1391105993-0
                • Opcode ID: 50fefd087aa6a671c00c0657d2ab3d1fb2068d43f4025ee25c5d2f956d57d5f3
                • Instruction ID: 2495073f6dabbcf6a498c7976ae4cfae5c952359d87d41c5d84001ea3fcae639
                • Opcode Fuzzy Hash: 50fefd087aa6a671c00c0657d2ab3d1fb2068d43f4025ee25c5d2f956d57d5f3
                • Instruction Fuzzy Hash: 26F0A73664536567D301EB09AC80F5FFBA8FFC5652F910518EB0593210C77AAB0546E6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                • ExitWindowsEx.USER32(?,00000000), ref: 1000E026
                  • Part of subcall function 100174F0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10017532
                  • Part of subcall function 100174F0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001754A
                  • Part of subcall function 100174F0: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 10017550
                  • Part of subcall function 100174F0: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001755F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 3672536310-3733053543
                • Opcode ID: 48d77c60ab9cfe5784c9ed0b12854fca7aef6a4897eb2b4279d6559b26e2d240
                • Instruction ID: 972a209dc102ca07ab5f7e13293a3fa0107094833a283df555782093fa129901
                • Opcode Fuzzy Hash: 48d77c60ab9cfe5784c9ed0b12854fca7aef6a4897eb2b4279d6559b26e2d240
                • Instruction Fuzzy Hash: 5FC0807955020037F510D7585C47F463A11FB50707F544010FB085D1D2D772F1544176
                Uniqueness

                Uniqueness Score: -1.00%
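
Three of the listings in this section describe actions that Windows records on the host even though the sample is trying to cover its tracks. The function at 1000C4F4 opens an event log (the name string at 100F5EBC is not printed in this listing, so which log is cleared is not recoverable here) and calls ClearEventLogA with lpBackupFileName set to 00000000, so no backup copy is written. The SCM chain earlier in this section stops the sharedaccess service. The function at 1000E026 enables SeShutdownPrivilege through the same helper 100174F0 and calls ExitWindowsEx; its uFlags argument is shown as ?, so shutdown, reboot and logoff cannot be told apart from the trace. On the host, the clear itself becomes the first record in the emptied log (event 1102 from Microsoft-Windows-Eventlog in the Security log, event 104 in the System log for the other logs), the Service Control Manager writes event 7036 when a service enters the stopped state, and User32 writes event 1074 when a process initiates a shutdown or restart. The script below is an added example, not part of the report: it tags constructed event rows carrying those IDs and chains a SharedAccess stop to the clears and shutdown that follow it inside a time window, the correlation a responder would run over exported System and Security logs. The row texts are approximations of the real messages, not copies.

```python
"""Find the host-side records left by the ClearEventLog, SharedAccess-stop and
ExitWindowsEx sequences in this report.  Added example, not Joe Sandbox output.
The event rows are constructed to resemble exported Windows event log entries;
the event IDs are the standard ones Windows writes for these actions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    log: str          # "System" or "Security"
    event_id: int
    provider: str
    message: str


# (log, event ID, provider) of the record Windows writes for each behaviour.
LOG_CLEARED = {("Security", 1102, "Microsoft-Windows-Eventlog"),    # "The audit log was cleared."
               ("System", 104, "Microsoft-Windows-Eventlog")}       # "The <name> log file was cleared."
SERVICE_STATE_CHANGE = ("System", 7036, "Service Control Manager")  # "... entered the stopped state."
SHUTDOWN_INITIATED = ("System", 1074, "User32")                     # "The process ... has initiated ..."
# Display names the SharedAccess service has carried: XP/2003 bundle the firewall
# with ICS; Vista and later keep only ICS here (the firewall moved to MpsSvc).
SHAREDACCESS_DISPLAY_NAMES = ("Windows Firewall", "Internet Connection Sharing (ICS)")

T0 = datetime(2024, 4, 22, 10, 0, 0)   # constructed timeline, deliberately not in time order below
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=2), "Security", 1102, "Microsoft-Windows-Eventlog",
          "The audit log was cleared."),
    Event(T0 - timedelta(hours=5), "System", 7036, "Service Control Manager",
          "The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state."),
    Event(T0, "System", 7036, "Service Control Manager",
          "The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state."),
    Event(T0, "System", 7036, "Service Control Manager",
          "The Print Spooler service entered the running state."),
    Event(T0 + timedelta(minutes=3), "System", 104, "Microsoft-Windows-Eventlog",
          "The Application log file was cleared."),
    Event(T0 + timedelta(minutes=5), "System", 1074, "User32",
          "The process C:\\Windows\\svchost.exe has initiated the restart of computer HOST1."),
    Event(T0 + timedelta(minutes=40), "System", 7036, "Service Control Manager",
          "The Windows Firewall/Internet Connection Sharing (ICS) service entered the running state."),
]


def kind(event):
    """Tag one record, or return None when it is none of the three behaviours."""
    key = (event.log, event.event_id, event.provider)
    if key in LOG_CLEARED:
        return "log_cleared"
    if (key == SERVICE_STATE_CHANGE and "stopped state" in event.message
            and any(name in event.message for name in SHAREDACCESS_DISPLAY_NAMES)):
        return "sharedaccess_stopped"
    if key == SHUTDOWN_INITIATED:
        return "shutdown_initiated"
    return None


def classify(events):
    tagged = [(event, kind(event)) for event in events]
    return [(event, tag) for event, tag in tagged if tag is not None]


def correlate(events, window_minutes=30):
    """Chains that start with a SharedAccess stop and continue, within the window,
    with log clears or a shutdown.  A lone service stop (maintenance) yields nothing."""
    window = timedelta(minutes=window_minutes)
    tagged = sorted(classify(events), key=lambda pair: pair[0].time)
    chains = []
    for i, (start, tag) in enumerate(tagged):
        if tag != "sharedaccess_stopped":
            continue
        chain = [tag]
        for later, later_tag in tagged[i + 1:]:
            if later.time - start.time > window:
                break
            if later_tag != "sharedaccess_stopped":
                chain.append(later_tag)
        if len(chain) > 1:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

The lone SharedAccess stop five hours earlier in the sample rows is not reported, which is the point of the window: a service stop on its own is routine, a stop followed within minutes by a cleared audit log and a restart is not. Because the clear is recorded in the emptied log itself, a ClearEventLog call with no backup file cannot remove the fact that a clear happened, only what came before it.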

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 2$?
                • API String ID: 0-2669683831
                • Opcode ID: ce50cb4aa04ee45f41a8e26cf65952bd776c285aaeaf9599e7ff39fb0307dda7
                • Instruction ID: f120eaf025a48dea1a1c0d1a8c80c8a2fcbec25aa556ae18888ddc72439d763f
                • Opcode Fuzzy Hash: ce50cb4aa04ee45f41a8e26cf65952bd776c285aaeaf9599e7ff39fb0307dda7
                • Instruction Fuzzy Hash: FF72B3B4604B429FD368CF29C890A9AF7E5FB88344F108A2EE59D87711E730A955CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: `
                • API String ID: 0-2679148245
                • Opcode ID: b55e0c77f83df8f1df704a5cf75a8cb830c8ca68b6b29744beddd0b2ad468a87
                • Instruction ID: 0c7aaa38d8c783589e85b83618c4bc388c215b7dfc65211fb1efa83baf929443
                • Opcode Fuzzy Hash: b55e0c77f83df8f1df704a5cf75a8cb830c8ca68b6b29744beddd0b2ad468a87
                • Instruction Fuzzy Hash: D67257B16087019FD358CF28CC95A6BB7EAFBC8344F14892DF99A83355E774E8019B52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: _ftol
                • String ID:
                • API String ID: 2545261903-0
                • Opcode ID: 997a57a968470b66315254100b85294a1dcbeea25d0c872c58c1f5cbc637ae74
                • Instruction ID: b9a7dbf72bbca29d31a185fc8253c05419d39b86673ae775c678e6732502143a
                • Opcode Fuzzy Hash: 997a57a968470b66315254100b85294a1dcbeea25d0c872c58c1f5cbc637ae74
                • Instruction Fuzzy Hash: F42217746043868FDB68CF18C580B9ABBE2FFC8340F11896EE9898B355D734E951CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: p
                • API String ID: 0-2181537457
                • Opcode ID: ef50fb7f95fc95ab007bebbc7a484f52570524163a8ac5852587389ada60b133
                • Instruction ID: 0415f33868ec631d9f24845f51a2c3a4756a252f261da6e74c37cfebc9223e3b
                • Opcode Fuzzy Hash: ef50fb7f95fc95ab007bebbc7a484f52570524163a8ac5852587389ada60b133
                • Instruction Fuzzy Hash: 852226B5604704AFD368CF68C885AABB7E9FBC8304F04891DF99AD7351DB74E9048B52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • recv.WS2_32(?,?,00002000,00000000), ref: 1001F063
                  • Part of subcall function 1001ED50: htons.WS2_32(?), ref: 1001ED66
                  • Part of subcall function 1001ED50: inet_ntoa.WS2_32(00000000), ref: 1001ED9B
                  • Part of subcall function 1001ED50: inet_ntoa.WS2_32(00000000), ref: 1001EDAC
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: inet_ntoa$htonsrecv
                • String ID:
                • API String ID: 826432298-0
                • Opcode ID: 72135a8dfcf5cc0b8b212f4ba6f92ad98aee94a3764f79d1aeb36d8dd001d3f0
                • Instruction ID: f378efb6a1b2145cc55955a357e8c1e4b1f56b2039e2025070f4f4beaf0bd611
                • Opcode Fuzzy Hash: 72135a8dfcf5cc0b8b212f4ba6f92ad98aee94a3764f79d1aeb36d8dd001d3f0
                • Instruction Fuzzy Hash: 2411C87B6402821BE312C6249C41FBB63D9EFA9364F59052DF5958A183D335ECC18662
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c9d4e269c7e5d8dfc1c3b1479ce608c319bb6856b4f63d24a71a2977f90843c
                • Instruction ID: e1e09e00d2cb919f4e0c1b2fb75a94ff4fd2e580d4839679f701139020a6b155
                • Opcode Fuzzy Hash: 4c9d4e269c7e5d8dfc1c3b1479ce608c319bb6856b4f63d24a71a2977f90843c
                • Instruction Fuzzy Hash: A9626C75600B418FD728CF29D990A67B7F1EF85700B258A2DE986C7B51D730F84ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4a1a3a7a6c1a61a110cc9872121fa8f5dd959bd39fb4efbe824d6cc6267858a1
                • Instruction ID: 8322abf8b0b955dac81cea3db484e8213f042d7ce1aeca65ef4ca4cbfabb46ab
                • Opcode Fuzzy Hash: 4a1a3a7a6c1a61a110cc9872121fa8f5dd959bd39fb4efbe824d6cc6267858a1
                • Instruction Fuzzy Hash: 15426CB8604B418FC326CF19D491A6BB7F5FF89305F04896DE9868B712D731E906CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6531e2dcb4bf90011010f25e107e9b58ec79ad60afa305f281d8e9dc45f80e5
                • Instruction ID: 8b525b23a56454370f3609cf3247acb9ca1e09c5ae49427a1e87592fd837b5d7
                • Opcode Fuzzy Hash: a6531e2dcb4bf90011010f25e107e9b58ec79ad60afa305f281d8e9dc45f80e5
                • Instruction Fuzzy Hash: 44123EB56087419FD354CF28C880AABB7E6FBC8704F158A2EF59A87354E770E905CB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b2072d55bb7c1a585e8fc70eb866a26767e4c444dd9cd7d1b0fc4c0a4501d85
                • Instruction ID: 62e7ed029932a5a0c2726ee49bf5d388e2cffa013f09f1f91472f4ff30602f15
                • Opcode Fuzzy Hash: 9b2072d55bb7c1a585e8fc70eb866a26767e4c444dd9cd7d1b0fc4c0a4501d85
                • Instruction Fuzzy Hash: 6E123C74A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                • Instruction ID: 649f1e7f4b3158c3088a07b07cbcdc8be7234f0b54355cb83c5254a91e377189
                • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                • Instruction Fuzzy Hash: 73F1AEB65092418FC309CF18D8989E2BBE5EF98714F1F82FDC4499B362D3329985CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 25881f16b58807a938364f955c92d3d7af288063f8e9c30ce1f58f96746fbce9
                • Instruction ID: aecb983a4e204d6b7d41b0058bf545735e8a4f7804ef016193cf37d791b1b25d
                • Opcode Fuzzy Hash: 25881f16b58807a938364f955c92d3d7af288063f8e9c30ce1f58f96746fbce9
                • Instruction Fuzzy Hash: 69A19FB1608300AFD644EB68CD85D7BB7ECEBC8718F404B1DF599A72C1EA74E9018766
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a4a767744e4c19a47f92bdd4c448351933d34ef1759a38cf811ada6d24431ff
                • Instruction ID: 15cc7bd5faffbe600695c5bcb3d1fe30eaa379d87f997e966023115dd4e626bf
                • Opcode Fuzzy Hash: 3a4a767744e4c19a47f92bdd4c448351933d34ef1759a38cf811ada6d24431ff
                • Instruction Fuzzy Hash: A0C134716087068BD31CCF19C89156BFBE2FBC8304F048A2DE59A87354EB34E915CB89
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                • Instruction ID: 432799a227a104eec1ff79a2288d05d0e4e1369f6b1345dc811011302a061338
                • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                • Instruction Fuzzy Hash: 89718333755A8207E71CCE3E8C712BAABD34FC522932EC87E94DAC7756EC79941A5204
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a445a02a992d47832cc69a1fcabfbb982e78f1ba09698b0b68cabf9ccd5209e
                • Instruction ID: 16c0175a477e18b109f141d824dada1b23d5b3178ee30b8fb2fe71ae4ba23b7d
                • Opcode Fuzzy Hash: 6a445a02a992d47832cc69a1fcabfbb982e78f1ba09698b0b68cabf9ccd5209e
                • Instruction Fuzzy Hash: 38915C756047059FD358CF68C881AABB7E9FBC8340F14892EF99A87341EA74F909CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fb52c3b1f88c05b4eb834061f1912a52330814b5715fd87aa2888b364c86378e
                • Instruction ID: 9404cba3d8da1d211fdb4783ed3079d2e62e9d1759d12bfb618f7433bb15857f
                • Opcode Fuzzy Hash: fb52c3b1f88c05b4eb834061f1912a52330814b5715fd87aa2888b364c86378e
                • Instruction Fuzzy Hash: 2E914C716083814FC318CF6DC89055AFBE2FFCA304F198A3EE5C9C7365DA7599068A46
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b7c448c6a1fb9114aafba6b0d16267dbc202f2804b4a444c376df820d5a9da16
                • Instruction ID: 6402ec8e47e860fd8fd12f861d34c86558428d32eeeae7b909b9d1c132786d36
                • Opcode Fuzzy Hash: b7c448c6a1fb9114aafba6b0d16267dbc202f2804b4a444c376df820d5a9da16
                • Instruction Fuzzy Hash: 2C8160327145924BFB18CF2AECD053BBB93FBCD344B19843ED64A97356C931A91987A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 11c899860c195424700a0b890a5cb09387a15f58315fdf02e7c33c25e6a64087
                • Instruction ID: 6575505ae75dd1c1f9348f39632b22049ed565af78a29a04a2b41f255fef8f2c
                • Opcode Fuzzy Hash: 11c899860c195424700a0b890a5cb09387a15f58315fdf02e7c33c25e6a64087
                • Instruction Fuzzy Hash: 57218171700204AFDB94DE24DC81F2773ADEF89750F50906AFD05EB286D674EC018764
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9596b78dc0841a7e5ef552def59707af9dc7c94da4141312680d04a056233423
                • Instruction ID: 8066b037d15b27088d762d004ec8da4be3eaf5f07f740f009bd3de3425b3afa9
                • Opcode Fuzzy Hash: 9596b78dc0841a7e5ef552def59707af9dc7c94da4141312680d04a056233423
                • Instruction Fuzzy Hash: 2EF022F240C207ABCB36EF24A4653EA77F2BB49314F54944DEA8647142D7246CA6AB43
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ec8646ffc51d8fc4221b7e90bab627d6854bf4118ce5bc99cac41a5ec6f84d7a
                • Instruction ID: 999ddb8cb16b21cfd890f03937288f7ec840a46fb55ffe90febd494451b3534b
                • Opcode Fuzzy Hash: ec8646ffc51d8fc4221b7e90bab627d6854bf4118ce5bc99cac41a5ec6f84d7a
                • Instruction Fuzzy Hash: 43F0E9B2B012116BEB24AF28CC01F53B7A55F0A354F28555DB644BF286E777D8438B9C
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3fb1ff44a80461300d6581f2dbc9b1cbcbcc0eaef85236061300b273718b54a0
                • Instruction ID: 3b78b2593288f1ea510e7f91bc32a4489a6b90e0a1c85778c9ad37ec9dfbf9c6
                • Opcode Fuzzy Hash: 3fb1ff44a80461300d6581f2dbc9b1cbcbcc0eaef85236061300b273718b54a0
                • Instruction Fuzzy Hash: E2C08C9020C353480A2BBB2400046AEA742E880600A50884EB4860A243C1314001EB42
                Uniqueness

                Uniqueness Score: -1.00%
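The dump names in the "Memory Dump Source" lists above carry the region's base address and, judging by the values, its page protection and memory type. As an added triage example (not part of the Joe Sandbox report or its tooling), the Python below parses those names from report text copied from this page, decodes the protection field with the Windows PAGE_* constants and the type field with MEM_IMAGE / MEM_PRIVATE, and flags regions that are both writable and executable, or that hold executable code in private memory outside any loader-mapped image. The positions of the protection and type fields are inferred from the values and are an assumption; the remaining fields are kept as opaque strings.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names into region records.

Added example for this page, not Joe Sandbox code. The name layout is
inferred from the values seen in this report (assumption): field 3 is the
region base address, field 4 matches Windows PAGE_* protection constants and
field 6 matches MEM_IMAGE / MEM_PRIVATE. Fields 0, 1, 2, 5 and 7 are kept as
opaque strings.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Dump names copied from the "Memory Dump Source" lists on this page.
REPORT_TEXT = """
• Source File: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
• Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
"""

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp"
)

# Windows memory protection and type constants (winnt.h).
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
MEM_PRIVATE = 0x20000


@dataclass(frozen=True)
class Region:
    process: str   # opaque field 0 (process index within the analysis)
    stage: str     # opaque field 1
    dump_id: str   # opaque field 2
    base: int      # field 3: region base address
    protect: int   # field 4: PAGE_* protection (assumed)
    mem_type: int  # field 6: MEM_* type (assumed)


def parse_dump_names(text: str) -> List[Region]:
    """Extract every .sdmp name in the text, in document order."""
    return [
        Region(m["proc"], m["stage"], m["dump"], int(m["base"], 16),
               int(m["protect"], 16), int(m["mtype"], 16))
        for m in DUMP_RE.finditer(text)
    ]


def protect_name(protect: int) -> str:
    """Render a protection value as PAGE_* names, including modifier bits."""
    base = PROTECT_NAMES.get(protect & 0xFF, f"UNKNOWN(0x{protect & 0xFF:X})")
    mods = [name for bit, name in PROTECT_MODIFIERS.items() if protect & bit]
    return "|".join([base] + mods)


def type_name(mem_type: int) -> str:
    return TYPE_NAMES.get(mem_type, f"UNKNOWN(0x{mem_type:X})")


def suspicious(regions: List[Region]) -> List[Tuple[int, str]]:
    """Flag regions whose protection/type combination points at unpacked or
    manually mapped code rather than a plain loader-mapped image."""
    findings = []
    for r in regions:
        page = r.protect & 0xFF
        if page in EXECUTABLE and page in WRITABLE:
            findings.append((r.base, f"writable and executable ({protect_name(r.protect)})"))
        elif page in EXECUTABLE and r.mem_type == MEM_PRIVATE:
            findings.append((r.base, f"executable code in private memory ({protect_name(r.protect)})"))
    return findings


if __name__ == "__main__":
    regions = parse_dump_names(REPORT_TEXT)
    for r in regions:
        print(f"{r.base:08X} {protect_name(r.protect):28} {type_name(r.mem_type)}")
    for base, reason in suspicious(regions):
        print(f"FLAG {base:08X}: {reason}")
```

Run against the full report, the same parser gives a quick map of which regions were re-protected at runtime and which code lives outside any image mapping; the decoding of fields 0, 1, 2, 5 and 7 is deliberately left open because their meaning is not established by the values on this page.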

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • LoadLibraryA.KERNEL32 ref: 10018B09
                • GetProcAddress.KERNEL32 ref: 10018BD5
                • GetProcAddress.KERNEL32 ref: 10018E4C
                • GetCurrentProcess.KERNEL32 ref: 10018EE3
                • Sleep.KERNEL32(00000014), ref: 10018F35
                • Sleep.KERNEL32(000003E8), ref: 10018FBC
                • CloseHandle.KERNEL32(?), ref: 1001900F
                • CloseHandle.KERNEL32(?), ref: 1001902C
                • CloseHandle.KERNEL32(?), ref: 10019037
                • CloseHandle.KERNEL32(?), ref: 10019045
                • FreeLibrary.KERNEL32(00000000), ref: 1001904C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                • String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y
                • API String ID: 2138834447-1109127159
                • Opcode ID: d60e362cb3ea19bb9b918263f8a5cc7cbf0147f7071e98e4caf12c5e75ccddf2
                • Instruction ID: 9f46a4fe2709f87d1547e335fc683e97650eff0903745346e8a720fc49d5be28
                • Opcode Fuzzy Hash: d60e362cb3ea19bb9b918263f8a5cc7cbf0147f7071e98e4caf12c5e75ccddf2
                • Instruction Fuzzy Hash: DC32926050D3C0C9E332C7688858BDBBFD66BA6748F08499DE1CC4B292C7BA5558C777
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 1000545C
                • GetProcAddress.KERNEL32(00000000), ref: 10005465
                • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005475
                • GetProcAddress.KERNEL32(00000000), ref: 10005478
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 1000548B
                • GetProcAddress.KERNEL32(00000000), ref: 1000548E
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 100054A1
                • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 100054B4
                • GetProcAddress.KERNEL32(00000000), ref: 100054B7
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054C7
                • GetProcAddress.KERNEL32(00000000), ref: 100054CA
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054DD
                • GetProcAddress.KERNEL32(00000000), ref: 100054E0
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 100054F3
                • GetProcAddress.KERNEL32(00000000), ref: 100054F6
                • strchr.MSVCRT ref: 10005810
                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10005851
                • wsprintfA.USER32 ref: 10005871
                • #823.MFC42(00001000), ref: 100058CD
                • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 10005A92
                • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10005A98
                • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10005A9E
                • #825.MFC42(00000000), ref: 10005AD6
                  • Part of subcall function 100051B0: LoadLibraryA.KERNEL32 ref: 10005207
                  • Part of subcall function 100051B0: GetProcAddress.KERNEL32(00000000), ref: 1000520E
                  • Part of subcall function 100051B0: wsprintfA.USER32 ref: 10005277
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                • String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                • API String ID: 2391671045-4160613188
                • Opcode ID: 5dd7f00943cd2c0a923effaf4c7da91811888f5d84e71c45dea34ae61a63ae2e
                • Instruction ID: e9c7c0b327a0fb81a2237c4f4fcca35bddff45c7dcc2e83bc4e322a20fe25bf7
                • Opcode Fuzzy Hash: 5dd7f00943cd2c0a923effaf4c7da91811888f5d84e71c45dea34ae61a63ae2e
                • Instruction Fuzzy Hash: 52121E6150D7C0DEE322C7788858B9BBFD5AFE2748F48494DE1C847292C6BA9508C777
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • GetVersionExA.KERNEL32 ref: 100192A9
                  • Part of subcall function 100168E0: LoadLibraryW.KERNEL32(ntdll.dll,?,00001F95,1001713F,?,?,?), ref: 100168E9
                  • Part of subcall function 100168E0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100168FB
                  • Part of subcall function 100168E0: FreeLibrary.KERNEL32(00000000), ref: 10016922
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100192DE
                • sprintf.MSVCRT ref: 100192F9
                • Sleep.KERNEL32(?), ref: 10019315
                • GetCurrentProcessId.KERNEL32(00000000), ref: 10019323
                • WTSQuerySessionInformationA.WTSAPI32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001937D
                • WTSFreeMemory.WTSAPI32(?,00000000,00000000,00000005,?,?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193A4
                • AttachConsole.KERNEL32(?,?,00000000,00000000,00000005,?,?,?,?,?,?,?,00000000,00000000,00000005,?), ref: 100193DE
                • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193E6
                • AttachConsole.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100193F0
                • GetConsoleProcessList.KERNEL32(?,00000001,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019406
                • #823.MFC42(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019417
                • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1001942A
                • GetCurrentProcessId.KERNEL32 ref: 10019435
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10019449
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 10019458
                • CloseHandle.KERNEL32(00000000), ref: 1001945F
                • #825.MFC42(00000000), ref: 10019472
                • FreeConsole.KERNEL32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019480
                • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019488
                • FreeConsole.KERNEL32(?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001948E
                • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001949A
                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100194F1
                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100194F9
                • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019541
                • OpenServiceA.ADVAPI32(00000000,Mtldtl Dumdu,00000010,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019559
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019566
                • StartServiceA.ADVAPI32(00000000,00000001,?,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 1001957F
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019590
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 10019593
                • CloseHandle.KERNEL32(00000000), ref: 100195AD
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000,00000000,00000005,?,?), ref: 100195CE
                • CloseHandle.KERNEL32(00000000), ref: 100195D1
                • ExitProcess.KERNEL32 ref: 100195D5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Handle$Close$Process$ConsoleService$Free$LibraryOpenSleep$AddressAttachCurrentListLoadModuleProcTerminate$#823#825ExitFileInformationManagerMemoryNameQuerySessionStartVersionsprintf
                • String ID: %s -acsi$-rsvc$.$.$2$2$3$3$A$A$A$C$D$G$I$I$I$K$L$Mtldtl Dumdu$N$P$P$R$S$S$S$S$S$T$V$W$a$c$c$d$d$d$d$i$i$i$i$l$l$l$l$l$n$n$n$o$o$o$o$r$s$s$s$s$s$s$s$t$t$t$t$t$u$v$v
                • API String ID: 309006072-103200462
                • Opcode ID: 6bc688acfbcd506cfc9628f4cac4e9847c425aea0a80178a34410cc7117900cb
                • Instruction ID: 0d8a1c0337f729bf120780405ecb07af7d4cbcd350d0dad57c0dea9748ba42e3
                • Opcode Fuzzy Hash: 6bc688acfbcd506cfc9628f4cac4e9847c425aea0a80178a34410cc7117900cb
                • Instruction Fuzzy Hash: F2F1393050C3D19EE321CB688888B5BBFE5AB96744F14494CF5D84B292D7BAD548CBA3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • Sleep.KERNEL32(00000064,?,?,?,?,?), ref: 10018572
                • malloc.MSVCRT ref: 100185A8
                • free.MSVCRT(00000000,?,?,?,?,?,?), ref: 100185DF
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 100185ED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Handle$AddressCloseLibraryLoadModuleProcSleepfreemalloc
                • String ID: .$.$2$2$3$3$A$A$A$A$C$D$G$I$I$I$I$P$P$Q$S$S$S$S$S$T$T$T$T$T$U$V$W$W$a$d$d$d$d$d$f$g$i$i$i$i$i$k$k$l$l$l$l$m$n$n$n$n$n$n$n$o$o$o$o$o$o$o$r$r$r$r$r$s$s$t$t$t$t$u$v$y
                • API String ID: 1468382267-2587082030
                • Opcode ID: a3d7307fdc4262af2ae71d1e207a59b29c039eec11ffa01f7e7848866a66bb23
                • Instruction ID: f8b4604172815dbbf924b76dd4a6860b725f790ca83e141a00bfd1a50c1d4dd8
                • Opcode Fuzzy Hash: a3d7307fdc4262af2ae71d1e207a59b29c039eec11ffa01f7e7848866a66bb23
                • Instruction Fuzzy Hash: 23C1AD6050C7C0DDE332C2388449B9BBFD55BA2748F48499DA2DC4A293C7FA9658CB77
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174F0: GetCurrentProcess.KERNEL32(00000028,00000000,00000104,?), ref: 100174FA
                  • Part of subcall function 100174F0: OpenProcessToken.ADVAPI32(00000000), ref: 10017501
                • LocalAlloc.KERNEL32(00000040,00000400), ref: 100205B6
                • WTSEnumerateSessionsA.WTSAPI32 ref: 100205EB
                • GetVersionExA.KERNEL32(?), ref: 10020603
                  • Part of subcall function 10020440: WTSQuerySessionInformationW.WTSAPI32 ref: 10020464
                  • Part of subcall function 10020400: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10020881,?,?,?), ref: 1002041F
                  • Part of subcall function 100204F0: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020510
                  • Part of subcall function 100204F0: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020530
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208B3
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208D5
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208E1
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208EA
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100208F6
                • LocalSize.KERNEL32(00000000), ref: 10020904
                • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10020912
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020923
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020941
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020957
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002097F
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10020995
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209B6
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209CC
                • lstrlenA.KERNEL32(?,?,?,?,?), ref: 100209ED
                • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 10020A50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                • API String ID: 3275454331-1820797497
                • Opcode ID: fa9b1362d51a891e5aa67abb4069f8c472a3376c900e0b1363beb883e3c3a62a
                • Instruction ID: 473d89a8a620706a7e1dc6bb4a96d90b09cb1464d826f49f00a793c1ea81399f
                • Opcode Fuzzy Hash: fa9b1362d51a891e5aa67abb4069f8c472a3376c900e0b1363beb883e3c3a62a
                • Instruction Fuzzy Hash: E5E1063050C3C1CEE325CB28C494B9FBBE2AB96708F58495DF5C857252C7BA9509CB67
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • strrchr.MSVCRT ref: 1001A376
                • DeleteUrlCacheEntry.WININET(?), ref: 1001A3C4
                  • Part of subcall function 10027400: GetFileAttributesA.KERNEL32(?,1001A3E6,?), ref: 10027405
                  • Part of subcall function 10027400: GetLastError.KERNEL32 ref: 10027410
                • free.MSVCRT(?), ref: 1001A3EE
                • strrchr.MSVCRT ref: 1001A3FB
                • _stricmp.MSVCRT(00000000,.bat), ref: 1001A40E
                • free.MSVCRT(?,?,?), ref: 1001A43E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: freestrrchr$AddressAttributesCacheDeleteEntryErrorFileHandleLastLibraryLoadModuleProc_stricmp
                • String ID: .$.$.$.bat$2$2$3$3$A$A$E$E$E$E$F$H$K$L$L$L$L$M$N$N$O$P$R$R$T$T$a$a$c$d$d$d$d$e$e$e$e$e$e$h$i$m$n$p$t$t$u$w$x
                • API String ID: 2380421641-2479118741
                • Opcode ID: ee87ea3f4d77b4e628393a47c3542b82fada6d47b58a998bfb5d574fa0dfee24
                • Instruction ID: a6303484c15a343b57759271ba5627d096c80b6721d22544dc32c5737b9dd4b9
                • Opcode Fuzzy Hash: ee87ea3f4d77b4e628393a47c3542b82fada6d47b58a998bfb5d574fa0dfee24
                • Instruction Fuzzy Hash: 7191476114C7C09EE352C238888879FBFD55BA2608F48099DF6D84B393C6BAC548C73B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Exec
                • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                • API String ID: 459137531-3041118241
                • Opcode ID: 629be47fbcb081da40840767131ebefb143d2beefc4f156cf1384e374abc7d55
                • Instruction ID: 9fb5809027c82ad1b4419236376a01b5f97328f6bcb48b4eb796f21288b7ede1
                • Opcode Fuzzy Hash: 629be47fbcb081da40840767131ebefb143d2beefc4f156cf1384e374abc7d55
                • Instruction Fuzzy Hash: 29510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA925CC777
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • strstr.MSVCRT ref: 10011597
                • strstr.MSVCRT ref: 100115AA
                • strstr.MSVCRT ref: 100115BF
                • strncpy.MSVCRT ref: 100115F9
                • _itoa.MSVCRT ref: 1001163F
                • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10011658
                • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001167E
                • InternetCloseHandle.WININET(00000000), ref: 1001168B
                • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 100116BB
                • InternetCloseHandle.WININET(00000000), ref: 100116CE
                • InternetCloseHandle.WININET(00000000), ref: 100116D1
                • sprintf.MSVCRT ref: 100116FC
                • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10011734
                • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10011750
                • InternetCloseHandle.WININET(00000000), ref: 10011761
                • InternetCloseHandle.WININET(00000000), ref: 10011764
                • InternetCloseHandle.WININET(00000000), ref: 10011767
                • atol.MSVCRT(?,?,?), ref: 10011780
                • #823.MFC42(00000001,?,?), ref: 1001178E
                • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 100117B6
                • #825.MFC42(00000000), ref: 100117C1
                • InternetCloseHandle.WININET(00000000), ref: 100117D0
                • InternetCloseHandle.WININET(00000000), ref: 100117D3
                • InternetCloseHandle.WININET(?), ref: 100117DA
                • InternetCloseHandle.WININET(00000000), ref: 100117F2
                • InternetCloseHandle.WININET(00000000), ref: 100117F5
                • InternetCloseHandle.WININET(?), ref: 100117FC
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001180C
                • #823.MFC42(00000002), ref: 10011819
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10011843
                • #825.MFC42(00000000), ref: 1001184A
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10011861
                • #823.MFC42(00000001), ref: 1001186D
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10011898
                • #825.MFC42(00000000), ref: 1001189F
                • #825.MFC42(00000000,00000000,00000000), ref: 100118AD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                • API String ID: 3684279964-3639289013
                • Opcode ID: 8cd366d35a56cc67e953ceca93f10caae82da04eb858c4f707cbfba63977e83d
                • Instruction ID: f41a4409aab42c67a4222de06bf1a9b6598beb96a592aff86d4465959b7fc557
                • Opcode Fuzzy Hash: 8cd366d35a56cc67e953ceca93f10caae82da04eb858c4f707cbfba63977e83d
                • Instruction Fuzzy Hash: EAD15376A002102BE314DB749C45FEB77E8EB88760F044629FA45A72C1EB75E90987A6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 1000C31B
                • GetProcAddress.KERNEL32(00000000), ref: 1000C324
                • LoadLibraryA.KERNEL32 ref: 1000C37C
                • GetProcAddress.KERNEL32(00000000), ref: 1000C37F
                • malloc.MSVCRT ref: 1000C3A9
                • SetEvent.KERNEL32(?,00000000,?,00000001), ref: 1000C3C9
                • free.MSVCRT(00000000,0000002F), ref: 1000C3E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$Eventfreemalloc
                • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                • API String ID: 4197004350-898277365
                • Opcode ID: 06c5343088ad0be74049b29a999acdc587aa91bbb7caf46546b28c9174a9f940
                • Instruction ID: e2eeff473db2cc0a6c334e26801d82f8b95635e02a729b8633b668800f956786
                • Opcode Fuzzy Hash: 06c5343088ad0be74049b29a999acdc587aa91bbb7caf46546b28c9174a9f940
                • Instruction Fuzzy Hash: 5661586100C3C0DEE302C7688848B8BBFD59BA6348F08499DF5C857292C6BA925CC77B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #535.MFC42(00000030,00000002,00000000,00000000), ref: 1000F433
                • #540.MFC42 ref: 1000F444
                • #540.MFC42 ref: 1000F452
                • #6282.MFC42 ref: 1000F46E
                • #6283.MFC42 ref: 1000F477
                • #941.MFC42(100F54AC), ref: 1000F485
                • #2784.MFC42(100F617C,100F54AC), ref: 1000F493
                • #6662.MFC42(00000022,00000001,100F617C,100F54AC), ref: 1000F4BC
                • #4278.MFC42(?,00000001,00000000,00000022,00000001,100F617C,100F54AC), ref: 1000F4DB
                • #858.MFC42(00000000,?,00000001,00000000,00000022,00000001,100F617C,100F54AC), ref: 1000F4EA
                • #4129.MFC42(?,00000000,100F617C,100F54AC), ref: 1000F5C8
                • #858.MFC42(00000000,?,00000000,100F617C,100F54AC), ref: 1000F5D5
                • #800.MFC42(00000000,?,00000000,100F617C,100F54AC), ref: 1000F5E2
                • #535.MFC42(?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F5FF
                • #858.MFC42(?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F612
                • #6874.MFC42(0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F61D
                • #6874.MFC42(0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F631
                • #6874.MFC42(00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F645
                • #800.MFC42(00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F652
                • #858.MFC42(?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F681
                • #858.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F68E
                • #2614.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F697
                • #2614.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6A0
                • #5710.MFC42(100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6BD
                • #858.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6CC
                • #800.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6D9
                • #6282.MFC42(00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6E2
                • #2784.MFC42(100F617C,00000000,100B37DC,?,00000000,?,00000000,100F617C,100F54AC), ref: 1000F6F0
                • #535.MFC42(?,100F617C,100F54AC), ref: 1000F718
                • #858.MFC42(?,?,100F617C,100F54AC), ref: 1000F72B
                • #6874.MFC42(0000002F,?,?,100F617C,100F54AC), ref: 1000F736
                • #6874.MFC42(0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F74A
                • #6874.MFC42(00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F75E
                • #800.MFC42(00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F76B
                • #858.MFC42(?,?,000000FF,00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F79A
                • #858.MFC42(?,?,?,000000FF,00000020,0000002D,0000002F,?,?,100F617C,100F54AC), ref: 1000F7A7
                • #800.MFC42(100F617C,100F54AC), ref: 1000F7BD
                • #800.MFC42(100F617C,100F54AC), ref: 1000F7CB
                • #800.MFC42(100F617C,100F54AC), ref: 1000F7DC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #858$#800$#6874$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                • String ID: -
                • API String ID: 3213762517-2547889144
                • Opcode ID: 8acf3cb63babd9786aea4a7d3520a08386678d002cc51827b3737ca6d400d473
                • Instruction ID: 2d3482710ad86b21f31d95882338d400fd67b2b2f7a2d5024396f9a694a1e96c
                • Opcode Fuzzy Hash: 8acf3cb63babd9786aea4a7d3520a08386678d002cc51827b3737ca6d400d473
                • Instruction Fuzzy Hash: 7BC1703910E381ABD344DF24D995AAFB7E4EF94780F80091CF99643292DB34FA09CB52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32 ref: 1001D62B
                • GetProcAddress.KERNEL32(00000000), ref: 1001D638
                • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1001D64C
                • GetProcAddress.KERNEL32(00000000), ref: 1001D64F
                • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 1001D69B
                • GetProcAddress.KERNEL32(00000000), ref: 1001D69E
                • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 1001D712
                • GetProcAddress.KERNEL32(00000000), ref: 1001D715
                • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 1001D725
                • GetProcAddress.KERNEL32(00000000), ref: 1001D728
                • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 1001D738
                • GetProcAddress.KERNEL32(00000000), ref: 1001D73B
                • Sleep.KERNEL32(0000000A), ref: 1001D750
                • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1001D770
                • #823.MFC42 ref: 1001D781
                • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1001D78F
                • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10125F08), ref: 1001D79E
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1001D7B5
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 1001D7C4
                • CloseHandle.KERNEL32(00000000), ref: 1001D7CB
                • #825.MFC42(?), ref: 1001D7DB
                • FreeConsole.KERNEL32 ref: 1001D7E9
                • Sleep.KERNEL32(0000000A), ref: 1001D7F1
                • FreeConsole.KERNEL32 ref: 1001D7F7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                • API String ID: 708691324-3966567685
                • Opcode ID: 053c5955f392c687bfd33b2469e7dd0ab56c0e0b56cc72b742401b93eab69fa6
                • Instruction ID: 35777ab2d1f3cb90c61100db4c14cde2d1ae3a79af34cf3268925a4ae83cd207
                • Opcode Fuzzy Hash: 053c5955f392c687bfd33b2469e7dd0ab56c0e0b56cc72b742401b93eab69fa6
                • Instruction Fuzzy Hash: 2EA1B2715083949BD720EB78CC84B9F7FE9AF85740F14491EF5849B281CBB6E940CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 1000D67C
                • GetProcAddress.KERNEL32(00000000), ref: 1000D685
                • LoadLibraryA.KERNEL32(?,.23L), ref: 1000D6CC
                • GetProcAddress.KERNEL32(00000000), ref: 1000D6CF
                • GetTickCount.KERNEL32 ref: 1000D736
                • sprintf.MSVCRT ref: 1000D747
                • GetTickCount.KERNEL32 ref: 1000D776
                • sprintf.MSVCRT ref: 1000D787
                • lstrcatA.KERNEL32(?,?), ref: 1000D79D
                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000D803
                • CloseHandle.KERNEL32(00000000), ref: 1000D80A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                • String ID: .23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$g$h$i$igulP$l$l$l$l$m$p$r$s$t$t$t$u
                • API String ID: 3729143920-1982144353
                • Opcode ID: 8500295940ee5713c979f938623f7523479d27b1662c309ef609c6efbb48d7eb
                • Instruction ID: 3b86f45124331e69cc26e3988c22d688a9d6c29007d44fd87142ae4bdaf882f7
                • Opcode Fuzzy Hash: 8500295940ee5713c979f938623f7523479d27b1662c309ef609c6efbb48d7eb
                • Instruction Fuzzy Hash: 1A816C3110C3C0D9E311C7689888B9FBFD59BA2318F484A5EF6D4462C2D6BA964CC7B7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetOpenA.WININET ref: 100112AF
                • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100112D5
                • InternetCloseHandle.WININET(00000000), ref: 100112E2
                • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10011312
                • InternetCloseHandle.WININET(00000000), ref: 10011325
                • InternetCloseHandle.WININET(00000000), ref: 10011328
                Strings
                • , xrefs: 1001129C
                • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001124F
                • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001134D
                • POST, xrefs: 1001130C
                • /cgi-bin/qun_mgr/search_group_members, xrefs: 10011278
                • HTTP/1.1, xrefs: 10011306
                • qun.qq.com, xrefs: 10011258
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                • API String ID: 3078302290-2376693140
                • Opcode ID: bd9fa302bee900862bf426a8875ed0a3dbf66317b0aa3280b1abee7e86b53b1e
                • Instruction ID: 4ad5aca93e34474c20f29cdb4eae83b40ac075edd08c27d1a8f8fa6645732482
                • Opcode Fuzzy Hash: bd9fa302bee900862bf426a8875ed0a3dbf66317b0aa3280b1abee7e86b53b1e
                • Instruction Fuzzy Hash: 817127767403147BE324EB749C45FAB77DDEB88720F14862AFA45E62C0DAB4A90487A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                • GetProcAddress.KERNEL32(00000000), ref: 100120F7
                • #823.MFC42(?), ref: 10012123
                • #823.MFC42(73252073), ref: 1001217D
                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000104), ref: 1001226B
                • RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000104,?,00001F95), ref: 100122D4
                • strncat.MSVCRT ref: 10012309
                • strncat.MSVCRT ref: 1001231C
                • strchr.MSVCRT ref: 10012321
                • RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000004,?,?,?,?), ref: 1001236B
                • wsprintfA.USER32 ref: 10012389
                • RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100123BB
                • RegEnumKeyExA.ADVAPI32(?,763795E0,?,00000104,00000000,00000000,00000000,00000000), ref: 1001240E
                • wsprintfA.USER32 ref: 1001242F
                • RegEnumValueA.ADVAPI32(?,763795E2,?,00000020,00000000,?,?,00000104), ref: 100124E0
                • wsprintfA.USER32(?,?,?,REG_SZ,?), ref: 1001251D
                • wsprintfA.USER32(?,?,?,REG_EXPAND_SZ,?), ref: 1001253F
                • wsprintfA.USER32(?,'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n',',?,REG_DWORD,?,?), ref: 10012569
                • wsprintfA.USER32(?,?,?,REG_BINARY), ref: 1001258B
                • lstrcatA.KERNEL32(?,?), ref: 1001259B
                • #825.MFC42(?), ref: 100125C7
                • #825.MFC42(00000001,?), ref: 100125D0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: wsprintf$Value$Query$#823#825Enumstrncat$AddressLibraryLoadProclstrcatstrchr
                • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                • API String ID: 1793144691-2764046103
                • Opcode ID: b80f459a7f35ef880510022212f48df7bf583857994cb6187f93a0e29b96c2d7
                • Instruction ID: 6e1f4b84cb619d63e8fe981d9e852213dff8859bb30e1cffc45be7c0d31010ac
                • Opcode Fuzzy Hash: b80f459a7f35ef880510022212f48df7bf583857994cb6187f93a0e29b96c2d7
                • Instruction Fuzzy Hash: 1AE1E8B5900558ABDB14CFA4CC94ADEB7B9FF88310F10429DF519A7290DB71AE85CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                • GetProcAddress.KERNEL32(00000000), ref: 10001720
                • LoadLibraryA.KERNEL32 ref: 10001792
                • GetProcAddress.KERNEL32(00000000), ref: 10001795
                • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                • API String ID: 2574300362-3155383694
                • Opcode ID: 54035a306bc455f23417f1d514db26f36071f5d7ff2e4b13f3130c1cef3d81cf
                • Instruction ID: 13c6fadc6fc6de4963117757f067def7adb7781f5d41049c58ce33d0f32d84e0
                • Opcode Fuzzy Hash: 54035a306bc455f23417f1d514db26f36071f5d7ff2e4b13f3130c1cef3d81cf
                • Instruction Fuzzy Hash: D041BE6050C384AAE310DB758C48B8BBFD8EFD5758F444A1DF68497281DABAD608CB67
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • CloseHandle.KERNEL32(00000000), ref: 1001B3BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Handle$AddressCloseLibraryLoadModuleProc
                • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                • API String ID: 1380958172-3142711299
                • Opcode ID: 21583695aab97b59dc2da0f4581df6c348da833e472b1a552ddf1e6033f920b0
                • Instruction ID: a868e874d23b2159b369d60bd78af4235ee83f98fe54d068fe945bb826491e5b
                • Opcode Fuzzy Hash: 21583695aab97b59dc2da0f4581df6c348da833e472b1a552ddf1e6033f920b0
                • Instruction Fuzzy Hash: 1F712B6014C3C0DDE342C6A8888875FFFD55BA2748F48099DF2C85B292C2FA9558C77B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32 ref: 10026693
                • CoCreateInstance.OLE32(100B3894,00000000,00000001,100B38B4,?), ref: 100266AC
                • LocalAlloc.KERNEL32(00000040,00002710), ref: 100266BB
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10026752
                • #823.MFC42(00000000), ref: 10026765
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10026780
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002679D
                • #823.MFC42(00000000), ref: 100267AD
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100267C8
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 100267D6
                • wsprintfA.USER32 ref: 10026826
                • lstrlenA.KERNEL32(00000000), ref: 10026830
                • lstrlenA.KERNEL32(?), ref: 10026839
                • lstrlenA.KERNEL32(?), ref: 10026842
                • LocalSize.KERNEL32(?), ref: 10026854
                • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10026862
                • lstrlenA.KERNEL32(?), ref: 10026871
                • lstrlenA.KERNEL32(?), ref: 10026898
                • lstrlenA.KERNEL32(00000000), ref: 100268A7
                • lstrlenA.KERNEL32(00000000), ref: 100268C3
                • lstrlenA.KERNEL32(?), ref: 100268D6
                • lstrlenA.KERNEL32(?), ref: 100268F4
                • #825.MFC42(00000000), ref: 10026915
                • #825.MFC42(?), ref: 10026934
                • CoUninitialize.OLE32 ref: 10026969
                • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10026977
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                 • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                • String ID: %d-%d-%d %d:%d:%d
                • API String ID: 1491319390-2068262593
                • Opcode ID: 7ed334581e13f78fb49acbd591281340d2f6404bd03b892269f2411400cdfcea
                • Instruction ID: 2585ae8bd131340c97572d7615d770b0d002d09b44d3df47a7e5f1b242e6799b
                • Opcode Fuzzy Hash: 7ed334581e13f78fb49acbd591281340d2f6404bd03b892269f2411400cdfcea
                • Instruction Fuzzy Hash: E1919371204302AFE314CF24DC85F6BB7E9EBC8B10F548A2CFA5597390DA74E9098B56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 1000E390: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F95,1001A69F,?,00000000,00001F95), ref: 1000E3B0
                  • Part of subcall function 1000E390: GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                • LoadLibraryA.KERNEL32 ref: 1001D23C
                • GetProcAddress.KERNEL32(00000000), ref: 1001D245
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 1001D255
                • GetProcAddress.KERNEL32(00000000), ref: 1001D258
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 1001D268
                • GetProcAddress.KERNEL32(00000000), ref: 1001D26B
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 1001D27B
                • GetProcAddress.KERNEL32(00000000), ref: 1001D27E
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 1001D28E
                • GetProcAddress.KERNEL32(00000000), ref: 1001D291
                • WaitForInputIdle.USER32(00000000,000000FF), ref: 1001D466
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc$IdleInputWait
                • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$d$n$o$s
                • API String ID: 2019908028-2710123323

                APIs
                • EnterCriticalSection.KERNEL32(10126498), ref: 1001F18C
                • LeaveCriticalSection.KERNEL32(10126498), ref: 1001F1A4
                • malloc.MSVCRT ref: 1001F1BD
                • malloc.MSVCRT ref: 1001F1C6
                • malloc.MSVCRT ref: 1001F1CF
                • recv.WS2_32 ref: 1001F236
                • send.WS2_32 ref: 1001F2B6
                • getpeername.WS2_32(?,?,?), ref: 1001F2E5
                • inet_addr.WS2_32(00000000), ref: 1001F2F2
                • inet_addr.WS2_32(00000000), ref: 1001F30C
                • htons.WS2_32(?), ref: 1001F317
                • send.WS2_32 ref: 1001F359
                • CreateThread.KERNEL32(00000000,00000000,1001F710,?,00000000,?), ref: 1001F398
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001F3A9
                  • Part of subcall function 1001EF40: htons.WS2_32 ref: 1001EF63
                  • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF79
                  • Part of subcall function 1001EF40: inet_addr.WS2_32(?), ref: 1001EF97
                  • Part of subcall function 1001EF40: socket.WS2_32(00000002,00000001,00000006), ref: 1001EFA3
                  • Part of subcall function 1001EF40: setsockopt.WS2_32 ref: 1001EFCE
                  • Part of subcall function 1001EF40: connect.WS2_32(?,?,00000010), ref: 1001EFDE
                  • Part of subcall function 1001EF40: closesocket.WS2_32 ref: 1001EFEC
                • send.WS2_32(?,?,00000008,00000000), ref: 1001F3FA
                • CreateThread.KERNEL32(00000000,00000000,1001F950,?,00000000,?), ref: 1001F427
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 1001F434
                  • Part of subcall function 1001ED30: gethostbyname.WS2_32(?), ref: 1001ED35
                • closesocket.WS2_32(00000000), ref: 1001F443
                • closesocket.WS2_32(?), ref: 1001F449
                • free.MSVCRT(?), ref: 1001F452
                • free.MSVCRT(00000000), ref: 1001F455
                • free.MSVCRT(?), ref: 1001F45C
                • free.MSVCRT(00000000), ref: 1001F45F
                  • Part of subcall function 1001E8C0: EnterCriticalSection.KERNEL32(10126498), ref: 1001E8EA
                  • Part of subcall function 1001E8C0: LeaveCriticalSection.KERNEL32(10126498), ref: 1001E900
                  • Part of subcall function 1001E8C0: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 1001E99C
                  • Part of subcall function 1001E8C0: CreateThread.KERNEL32(00000000,00000000,1001F950,?,00000000,?), ref: 1001EA47
                  • Part of subcall function 1001E8C0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 1001EA54
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                • String ID: [
                • API String ID: 3942976521-784033777

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7591F550), ref: 100015B9
                • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7591F550), ref: 100015D2
                • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7591F550), ref: 100015E5
                • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7591F550), ref: 100015F8
                • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7591F550), ref: 10001609
                • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7591F550), ref: 1000161C
                • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7591F550), ref: 1000162F
                • GetProcAddress.KERNEL32(00000000), ref: 10001632
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                • API String ID: 2574300362-1356117283

                APIs
                • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                • GlobalLock.KERNEL32(00000000), ref: 1000208C
                • GlobalFree.KERNEL32(00000000), ref: 10002099
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: Global$AllocFreeLock
                • String ID:
                • API String ID: 1811133220-0

                APIs
                • GetWindowLongA.USER32(?,000000EB), ref: 10002358
                • PostQuitMessage.USER32(00000000), ref: 10002389
                • SetWindowLongA.USER32(?,000000EB,?), ref: 100023AC
                • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B6
                • LoadIconA.USER32(00000000), ref: 100023BD
                • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C7
                • DestroyWindow.USER32(?), ref: 100023EE
                Strings
                • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 100024F6
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                • String ID: %s %d/%d/%d %d:%02d:%02d %s
                • API String ID: 3894596752-2160474225

                APIs
                • strncmp.MSVCRT(?,00000,?,75920F00,00000000,?,?,?,?,?,?,?,?,100216CB,?,00000000), ref: 100210EF
                • wsprintfA.USER32 ref: 10021113
                • RegOpenKeyA.ADVAPI32 ref: 100211C1
                • RegDeleteKeyA.ADVAPI32(00000055,?), ref: 100211DF
                • RegCloseKey.ADVAPI32(00000055), ref: 100211EC
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: CloseDeleteOpenstrncmpwsprintf
                • String ID: 00000$00000%s$D$S$S$U$a$e$i$m$n$n$o$o$r$t$u
                • API String ID: 3243141281-189977666

                APIs
                • RegOpenKeyExA.ADVAPI32 ref: 100162FD
                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 1001631E
                • RegCloseKey.ADVAPI32(?), ref: 10016329
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: 0$C$C$H$N$O$P$P$T$W$a$c$l$m$n$o$o$y
                • API String ID: 3677997916-1107408310

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • Sleep.KERNEL32(?), ref: 10018777
                • GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 1001877D
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: AddressCurrentHandleLibraryLoadModuleProcProcessSleep
                • String ID: .$2$3$K$L$N$P$R$W$c$d$g$k$n$r$r$t$t$z
                • API String ID: 2634094405-2686203248

                APIs
                • #540.MFC42 ref: 1000F137
                • #2818.MFC42(00000000, %c%s,?,?), ref: 1000F160
                • #2763.MFC42(00000020), ref: 1000F17D
                • #537.MFC42(100F5B4C,00000000,00000020), ref: 1000F195
                • #537.MFC42(100F617C,100F5B4C,00000000,00000020), ref: 1000F1AA
                • #922.MFC42(?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1BB
                • #922.MFC42(?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1CC
                • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1DB
                • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1E9
                • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1F7
                • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F205
                • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F213
                • #537.MFC42(100F54AC,00000020), ref: 1000F224
                • #922.MFC42(00000000,00000000,?,100F54AC,00000020), ref: 1000F235
                • #939.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F244
                • #800.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F252
                • #800.MFC42(00000000,00000000,00000000,?,100F54AC,00000020), ref: 1000F260
                • #535.MFC42(00000000), ref: 1000F270
                • #800.MFC42(00000000), ref: 1000F286
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: #800$#537#922$#939$#2763#2818#535#540
                • String ID: %c%s
                • API String ID: 566216251-4217438733

                APIs
                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100101E2
                • GetProcAddress.KERNEL32(00000000,socket), ref: 100101F6
                • GetProcAddress.KERNEL32(00000000,recv), ref: 10010202
                • GetProcAddress.KERNEL32(00000000,connect), ref: 1001020E
                • GetProcAddress.KERNEL32(00000000,getsockname), ref: 1001021A
                • GetProcAddress.KERNEL32(00000000,select), ref: 10010226
                • GetLastError.KERNEL32(00000000), ref: 10010243
                • GetLastError.KERNEL32(00000000), ref: 10010293
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: AddressProc$ErrorLast$LibraryLoad
                • String ID: %$connect$getsockname$recv$select$socket$ws2_32.dll
                • API String ID: 1969025732-1932156442

                APIs
                • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10007630
                • #5186.MFC42 ref: 1000764A
                • #665.MFC42 ref: 1000765F
                • #540.MFC42(?), ref: 1000767F
                • #537.MFC42(?,?), ref: 1000768E
                • #4204.MFC42(?,?), ref: 100076CA
                • #2915.MFC42(00000080,?,?), ref: 100076DA
                • #5442.MFC42(00000000,?,00000080,?,?), ref: 10007721
                • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10007730
                • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000773B
                • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10007744
                • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10007752
                • MessageBoxA.USER32(00000000,100F5494,warning,00000000), ref: 1000779A
                • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100077B2
                • #800.MFC42 ref: 100077C0
                • #800.MFC42 ref: 100077CE
                • #665.MFC42 ref: 100077DF
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Similarity
                • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                • String ID: $warning
                • API String ID: 2155908909-2294955047

                APIs
                  • Part of subcall function 10006EB0: #541.MFC42(?,?,?,10093BFB,000000FF), ref: 10006ED0
                  • Part of subcall function 10006EB0: #540.MFC42(?,?,?,10093BFB,000000FF), ref: 10006EE0
                • #540.MFC42(?,?,00000000,00000065), ref: 100093AE
                • #540.MFC42 ref: 100093BF
                • #540.MFC42 ref: 100093D0
                • #2614.MFC42 ref: 100093E1
                • #860.MFC42(*.*), ref: 100093EF
                • #3811.MFC42(?,*.*), ref: 10009415
                • #3811.MFC42(?,?,*.*), ref: 10009425
                • #3811.MFC42(?,?,?,*.*), ref: 10009435
                • #3811.MFC42(?,?,?,?,*.*), ref: 10009445
                • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009455
                • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 10009465
                • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 10009493
                • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 100094AA
                • #860.MFC42(?,?,00000000,00000065), ref: 100094F7
                • #800.MFC42 ref: 10009532
                • #800.MFC42 ref: 10009543
                • #800.MFC42 ref: 10009553
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #3811$#540$#800#860$#2614#2818#541
                • String ID: *%s*$*.*
                • API String ID: 185796673-1558234275
                • Opcode ID: f3f4fa458144455813e9f1941b5d47db53ef8a6b879c0d5b94e638632577bd8b
                • Instruction ID: 423085315ff641abc04c7078cf6d7afe046adc771317f1a8858087fadee05ff7
                • Opcode Fuzzy Hash: f3f4fa458144455813e9f1941b5d47db53ef8a6b879c0d5b94e638632577bd8b
                • Instruction Fuzzy Hash: 425127794093819FD324CF64D495A9BBBE5FFD9700F804E2DB19943291DB74A608CB63
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                • GetProcAddress.KERNEL32(00000000), ref: 10001332
                • LoadLibraryA.KERNEL32 ref: 100013A4
                • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7591F550), ref: 100015B9
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7591F550), ref: 100015D2
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7591F550), ref: 100015E5
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7591F550), ref: 100015F8
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7591F550), ref: 10001609
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7591F550), ref: 1000161C
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                  • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7591F550), ref: 1000162F
                  • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                • API String ID: 2574300362-1789360232
                • Opcode ID: a166e62ea3106cbbb19ddae654761d6378f1e2560a5de16bcd4d7998630b047f
                • Instruction ID: 79bad19294003be944af05e2a3a02d10cd6f8ba42ffaf3ccbfff314eee45a48d
                • Opcode Fuzzy Hash: a166e62ea3106cbbb19ddae654761d6378f1e2560a5de16bcd4d7998630b047f
                • Instruction Fuzzy Hash: 4631E22110C3C08ED301DA699840B8BFFD59FA6658F080A9DE5C897343C66AD60CC7BB
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 1000506A
                • GetProcAddress.KERNEL32(00000000), ref: 10005073
                • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005083
                • GetProcAddress.KERNEL32(00000000), ref: 10005086
                • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005094
                • GetProcAddress.KERNEL32(00000000), ref: 10005097
                • free.MSVCRT(?), ref: 100050F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$free
                • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                • API String ID: 1540231353-1695543321
                • Opcode ID: db1f1adb1b7f18fac24bbc77eecb5520449f33e86495ce116e9eed326085b21e
                • Instruction ID: 6fcf9963470e9c66f3b5ba85de9563ea291f185d7e63e2ddb678491d27fcf75c
                • Opcode Fuzzy Hash: db1f1adb1b7f18fac24bbc77eecb5520449f33e86495ce116e9eed326085b21e
                • Instruction Fuzzy Hash: 4B31D2B210C385AFD300DB68DC84A9BBFD8DBD8254F04491EF984C3241D6B5EA09CBA3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseDeleteFreeLocalOpenwsprintf
                • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                • API String ID: 321629408-3882932831
                • Opcode ID: 92bf30bf3027e4507bdc0db52b90b85f77396adb438749fa654483d7f8d9e39c
                • Instruction ID: 3ed0fbc41df4cf011b988fc4e1afbb857f9d81656ae9e40e43e80165df1ee3a0
                • Opcode Fuzzy Hash: 92bf30bf3027e4507bdc0db52b90b85f77396adb438749fa654483d7f8d9e39c
                • Instruction Fuzzy Hash: 6141076610E3C19ED302DB68948468BBFD55FB6608F48499DF4C857342C2A9C61CC77B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #540.MFC42 ref: 100095AF
                • #540.MFC42 ref: 100095C3
                • #860.MFC42(00000000), ref: 10009611
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000E9B5
                  • Part of subcall function 1000E980: #825.MFC42(?), ref: 1000E9F0
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA06
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA13
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA20
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA2D
                  • Part of subcall function 1000E980: #801.MFC42 ref: 1000EA3A
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA47
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA54
                  • Part of subcall function 1000E980: #800.MFC42 ref: 1000EA64
                • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000963A
                • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000964D
                • GetFileSize.KERNEL32(00000000,00000000), ref: 1000965D
                • CloseHandle.KERNEL32(00000000), ref: 1000966B
                • PathFindFileNameA.SHLWAPI(?), ref: 10009676
                • lstrcpyA.KERNEL32(?,00000000), ref: 10009685
                • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 10009693
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 100096A3
                • wsprintfA.USER32 ref: 100096D6
                • #823.MFC42(0000022E), ref: 100096E1
                • Sleep.KERNEL32(0000000A), ref: 10009711
                • #800.MFC42 ref: 10009725
                • #800.MFC42 ref: 10009739
                  • Part of subcall function 1000F8A0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,100943A8,000000FF,1000960C), ref: 1000F8D8
                  • Part of subcall function 1000F8A0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,100943A8,000000FF,1000960C), ref: 1000F8E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                • String ID: %d-%d-%d
                • API String ID: 4162832437-1067691376
                • Opcode ID: 8da111a0ccbd5b81e393d9f05b686b4f3c5c2e4f43409741cb799548d5318c76
                • Instruction ID: 21adac118ac1a3d22f22db7e4ccb3c5fa41a4288115175b77754e23db17b4505
                • Opcode Fuzzy Hash: 8da111a0ccbd5b81e393d9f05b686b4f3c5c2e4f43409741cb799548d5318c76
                • Instruction Fuzzy Hash: 7D416179148382ABE324DB64CC59FAFB7A8FF84740F108A2CF599932D0DB74A5058B52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32 ref: 100164D2
                • GetProcAddress.KERNEL32(00000000), ref: 100164D9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                • API String ID: 1646373207-3978980583
                • Opcode ID: 44a28597f0d466bbe54a4cd8c62617ba047553ced51f53b6b84ca1c176f9cbaa
                • Instruction ID: 76f335fc34860fd29dc4ec242bd97a5762851810f53614de93e2330c81fce09d
                • Opcode Fuzzy Hash: 44a28597f0d466bbe54a4cd8c62617ba047553ced51f53b6b84ca1c176f9cbaa
                • Instruction Fuzzy Hash: 6A111F1050C3D28EE301DB6C884438BBFD55FA2648F48888DF4D84A292D2BAC69CC7B7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: getenv
                • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                • API String ID: 498649692-40509672
                • Opcode ID: 2bdca469eb1f4c8cd7f74797f3e2f54c5997b5496bca4d1b9cc46674ff0bc64f
                • Instruction ID: ef247b63f098e4333d3efabe3abd0855fdd5821f48198182909b032b497f0f54
                • Opcode Fuzzy Hash: 2bdca469eb1f4c8cd7f74797f3e2f54c5997b5496bca4d1b9cc46674ff0bc64f
                • Instruction Fuzzy Hash: 382107A6A071441FE754C2359E897A632D5E3542D3F0A9130EA08CF3BAFB38DC025762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 10005207
                • GetProcAddress.KERNEL32(00000000), ref: 1000520E
                  • Part of subcall function 10004A80: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 10004A9C
                  • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004AA5
                  • Part of subcall function 10004A80: LoadLibraryA.KERNEL32 ref: 10004AF6
                  • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004AF9
                  • Part of subcall function 10004A80: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10004B07
                  • Part of subcall function 10004A80: GetProcAddress.KERNEL32(00000000), ref: 10004B0A
                • wsprintfA.USER32 ref: 10005277
                  • Part of subcall function 10005010: LoadLibraryA.KERNEL32 ref: 1000506A
                  • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005073
                  • Part of subcall function 10005010: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005083
                  • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005086
                  • Part of subcall function 10005010: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005094
                  • Part of subcall function 10005010: GetProcAddress.KERNEL32(00000000), ref: 10005097
                  • Part of subcall function 100052E0: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 100052F6
                  • Part of subcall function 100052E0: GetProcAddress.KERNEL32(00000000), ref: 100052FD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$wsprintf
                • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                • API String ID: 2290142023-608447665
                • Opcode ID: 30f463635e1a4875aa09e411c7b5b35d793b108a13a915ca86658f8851624c70
                • Instruction ID: 84bb1f5448e4a274f0715bf3815c20e49b2e3dacba25022615ed876d59f224f2
                • Opcode Fuzzy Hash: 30f463635e1a4875aa09e411c7b5b35d793b108a13a915ca86658f8851624c70
                • Instruction Fuzzy Hash: E231D0751083809FD305CFA8C894A6FBBE9AF99741F04495CF5C987342D6B6DA08CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 1000105A
                • GetProcAddress.KERNEL32(00000000), ref: 10001061
                • #823.MFC42(000003E8), ref: 1000109D
                • #823.MFC42(00000020,000003E8), ref: 100010A7
                • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823$AddressLibraryLoadProc
                • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                • API String ID: 4155842574-2549505875
                • Opcode ID: 51bd1dd82d00143a8cdb6546822411bb95342cbcbd0749ba9e4245cebdc29538
                • Instruction ID: 2822403b8f08ad602c06a97c45789028a5216e8bfbd40cf3f64cb702b5711b84
                • Opcode Fuzzy Hash: 51bd1dd82d00143a8cdb6546822411bb95342cbcbd0749ba9e4245cebdc29538
                • Instruction Fuzzy Hash: 87319CB04097809EE310CF29D844547FFE8EF58308F44895DE5898B712D3B9E648CB6A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10057530: CreateFileW.KERNEL32(1001802F,C0000000,00000000,00000000,00000003,00000080,00000000,?,1001802F,1012644C,00000000), ref: 10057561
                  • Part of subcall function 10057530: GetLastError.KERNEL32(?,1001802F,1012644C,00000000), ref: 1005756E
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 10018076
                • swprintf.MSVCRT(?,SYSTEM\CurrentControlSet\Services\%S,Mtldtl Dumdu), ref: 100180C9
                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 1001811F
                • wcscat.MSVCRT ref: 10018134
                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10018162
                • wcscat.MSVCRT ref: 10018171
                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100181A0
                • wcscat.MSVCRT ref: 100181AF
                  • Part of subcall function 10017780: GetWindowsDirectoryA.KERNEL32 ref: 1001779C
                  • Part of subcall function 10017780: GetCurrentProcess.KERNEL32(?), ref: 100177A7
                  • Part of subcall function 10017780: IsWow64Process.KERNEL32(00000000), ref: 100177AE
                  • Part of subcall function 10017780: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10017873
                  • Part of subcall function 10017780: WriteFile.KERNEL32(00000000,10106038,?,00000104,00000000), ref: 100178AA
                  • Part of subcall function 10017780: CloseHandle.KERNEL32(00000000), ref: 100178B5
                  • Part of subcall function 10057530: malloc.MSVCRT ref: 10057580
                  • Part of subcall function 10057530: CloseHandle.KERNEL32(00000000,00000000), ref: 1005758D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: DirectoryFile$Systemwcscat$CloseCreateHandleProcess$CurrentErrorLastModuleNameWindowsWow64Writemallocswprintf
                • String ID: Mtldtl Dumdu$SYSTEM\CurrentControlSet\Services\%S$\audiodg.exe$\lsass.exe$\lsm.exe
                • API String ID: 894407600-1143183960
                • Opcode ID: e5edea0454a23e52e4bdccb43d9ca7e7d158ad0bb122e7cdc5f0e9123b9c4f3a
                • Instruction ID: 364108441924454984723050d8630c2e4011a9070e94262d6fe381631b54a037
                • Opcode Fuzzy Hash: e5edea0454a23e52e4bdccb43d9ca7e7d158ad0bb122e7cdc5f0e9123b9c4f3a
                • Instruction Fuzzy Hash: DD41A5B5600345BBD214EB60DC86FEB73ADEBC8700F048D1CF644861C1E6B5E649C7A2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010021
                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10010031
                • wsprintfA.USER32 ref: 10010063
                • CloseHandle.KERNEL32(00000000), ref: 100100B7
                • Sleep.KERNEL32(00000002), ref: 100100D1
                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010110
                • GetProcAddress.KERNEL32(00000000,send), ref: 1001011C
                • FreeLibrary.KERNEL32(?), ref: 10010174
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                • String ID: ID= %d $closesocket$send$ws2_32.dll
                • API String ID: 1680113600-2339802411
                • Opcode ID: caead9352300d690aacfc6565e40d65679a0f54f63f645c65897dd9a4dbe00c8
                • Instruction ID: 1977dbbe5936afe754478adadd53682a3f15b347482e6e568a3283db1f873a1c
                • Opcode Fuzzy Hash: caead9352300d690aacfc6565e40d65679a0f54f63f645c65897dd9a4dbe00c8
                • Instruction Fuzzy Hash: 01418F35604355AFE710DFB4CC84B9B7BE8FB88344F104A18FA85DB241E7B9E9448B52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CloseHandle.KERNEL32(?), ref: 100175D4
                • CloseHandle.KERNEL32(?), ref: 100175DD
                • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 100175E8
                • OpenServiceA.ADVAPI32(00000000,Mtldtl Dumdu,00000010), ref: 100175FC
                • CloseServiceHandle.ADVAPI32(00000000), ref: 10017609
                • StartServiceA.ADVAPI32(00000000,00000001,?), ref: 10017629
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001763A
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001763D
                • CloseServiceHandle.ADVAPI32(00000000), ref: 10017649
                • CloseServiceHandle.ADVAPI32(00000000), ref: 1001764C
                • ExitProcess.KERNEL32 ref: 10017650
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandleService$Open$ExitManagerProcessStart
                • String ID: -wait$Mtldtl Dumdu
                • API String ID: 560043911-1997642681
                • Opcode ID: e245130537142ea01ed15361159789d44a4ff3c89450aa275989a24b6e39fb8e
                • Instruction ID: e593243639bc46a37c5ff123e361992a4e900fee870cb10c5864219e02b116fc
                • Opcode Fuzzy Hash: e245130537142ea01ed15361159789d44a4ff3c89450aa275989a24b6e39fb8e
                • Instruction Fuzzy Hash: 0821C93521066167D311EB28DCC4FDB77A9FFD4750F128915F8449B290D7B4EC858A61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 100274CB
                • GetProcAddress.KERNEL32(00000000), ref: 100274D2
                  • Part of subcall function 10027720: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,100274E9,00000000), ref: 1002773B
                  • Part of subcall function 10027720: GetProcAddress.KERNEL32(00000000), ref: 10027744
                Strings
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: .$2$3$K$L$N$R$S$d$n$v
                • API String ID: 2574300362-924470386
                • Opcode ID: 239e7d5484e6e7de8914853fb81fae4ac45b47c284811d1eebe42bf563dd7d9b
                • Instruction ID: e22ea56f81167809c6b98e8fee439baa6eb41fbd18513ea98b6f221bad690a68
                • Opcode Fuzzy Hash: 239e7d5484e6e7de8914853fb81fae4ac45b47c284811d1eebe42bf563dd7d9b
                • Instruction Fuzzy Hash: E3317175C092D8EEDB01CBE8D884ADEFF75AF2A240F044559E54477342C7794608CBB6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,75920BD0,00000000,?,7591F550), ref: 1002768A
                • GetProcAddress.KERNEL32(00000000), ref: 10027693
                • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7591F550), ref: 100276A1
                • GetProcAddress.KERNEL32(00000000), ref: 100276A4
                • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100276C8
                • SetThreadDesktop.USER32(?,?,7591F550), ref: 100276DE
                Strings
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                • API String ID: 2607951617-608436089
                • Opcode ID: d2343acd70f964f6d9e73709e9419f5986920cc52dff689c9824b2cfbd684ae5
                • Instruction ID: 56cf2ca52c9595b1f84137fc8de1eae00d8291b24afd933cdb6c838a960a7d87
                • Opcode Fuzzy Hash: d2343acd70f964f6d9e73709e9419f5986920cc52dff689c9824b2cfbd684ae5
                • Instruction Fuzzy Hash: 1401B97670021D37E61467B9AC89FDB7B8CDB80765F814432FB14D3100EA7EA84446B5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlDosPathNameToRelativeNtPathName_U,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574A1
                • GetProcAddress.KERNEL32(00000000), ref: 100574A4
                • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574AF
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlFormatCurrentUserKeyPath,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574D3
                • GetProcAddress.KERNEL32(00000000), ref: 100574D6
                • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574E1
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlFreeUnicodeString,?,?,10057536,?,1001802F,1012644C,00000000), ref: 10057505
                • GetProcAddress.KERNEL32(00000000), ref: 10057508
                • GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 10057513
                Strings
                Yara matches
                Similarity
                • API ID: AddressErrorHandleLastModuleProc
                • String ID: RtlDosPathNameToRelativeNtPathName_U$RtlFormatCurrentUserKeyPath$RtlFreeUnicodeString$ntdll.dll
                • API String ID: 4275029093-883409132
                • Opcode ID: a895c9c6f9aedaabd8393c46a3ebcf7f36a05ab4e636c85486febbe17d75ca31
                • Instruction ID: 4c6bc2ddfafc4b1b6e2e63541fa733738877968d7308d87e76998631d9058310
                • Opcode Fuzzy Hash: a895c9c6f9aedaabd8393c46a3ebcf7f36a05ab4e636c85486febbe17d75ca31
                • Instruction Fuzzy Hash: 27118675B051236AF300E77EEC44B896BDBEBC4295B178071E404D5158FB3498965D50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 100025E2
                • GetLocalTime.KERNEL32(?), ref: 100025F9
                • sprintf.MSVCRT ref: 10002664
                • GetDlgItem.USER32(?,000003E8), ref: 10002679
                • GetWindowTextLengthA.USER32(00000000), ref: 10002688
                • SetWindowTextA.USER32(00000000,10125614), ref: 10002697
                • GetWindowTextLengthA.USER32(00000000), ref: 1000269E
                • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 100026AE
                • SendMessageA.USER32(00000000,000000C2,00000000,?), ref: 100026BD
                • ShowWindow.USER32(?,00000009), ref: 100026C8
                  • Part of subcall function 1000E580: SetEvent.KERNEL32(?,10001B2B), ref: 1000E584
                Strings
                • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 1000265E
                Yara matches
                Similarity
                • API ID: Window$MessageSendText$Length$EventItemLocalShowTimesprintf
                • String ID: %s %d/%d/%d %d:%02d:%02d %s
                • API String ID: 3595294075-2160474225
                • Opcode ID: af4e1782e2380a4bfc19bcec33c5f8bb5d63cbbe9542183d41b56f5a966d040d
                • Instruction ID: f3d78d3da39a4f7d58d604062a5c6b7fdfd23bcb46c582fe78627b16340e3250
                • Opcode Fuzzy Hash: af4e1782e2380a4bfc19bcec33c5f8bb5d63cbbe9542183d41b56f5a966d040d
                • Instruction Fuzzy Hash: 273127762047127BF720DB14CC85FEB7399EF89311F204638FE4197284C638A8499B76
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100174C0: GetModuleHandleA.KERNEL32(?,759183C0,1001BB36), ref: 100174C6
                  • Part of subcall function 100174C0: LoadLibraryA.KERNEL32(?), ref: 100174D1
                  • Part of subcall function 100174C0: GetProcAddress.KERNEL32(00000000,?), ref: 100174E1
                • sprintf.MSVCRT ref: 1001416F
                • sprintf.MSVCRT ref: 10014184
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 100141B0
                • RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 100141CF
                • RegCloseKey.ADVAPI32(?), ref: 100141DE
                • RegCloseKey.ADVAPI32(?), ref: 100141F4
                Strings
                Yara matches
                Similarity
                • API ID: Closesprintf$AddressHandleLibraryLoadModuleOpenProcValue
                • String ID: %s\%s$DwmEnableComposition$Dwmapi.dll$Software\Microsoft\Windows\DWM$SuppressDisableCompositionUI
                • API String ID: 4114852116-3285329454
                • Opcode ID: f95c8638a6eec1af999b9b30360cc7607a1f77164d8b3b362c64c7dbd84d459e
                • Instruction ID: 3c80574b7c74393b933e56cd7828a7ca5a0613af95fff4d3ee7798af007ab6d2
                • Opcode Fuzzy Hash: f95c8638a6eec1af999b9b30360cc7607a1f77164d8b3b362c64c7dbd84d459e
                • Instruction Fuzzy Hash: AB21D475604202BBE310EB24CC81FA737A8EF88795F00892CFB559A090DB34E589C765
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 100226C5
                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100226DB
                • lstrcatA.KERNEL32(?,?), ref: 100226EE
                • LocalAlloc.KERNEL32(00000040,00000400), ref: 100226FB
                • GetFileAttributesA.KERNEL32(?), ref: 1002270B
                • LoadLibraryA.KERNEL32(?), ref: 1002271E
                • lstrlenA.KERNEL32(?,?,?,75920F00), ref: 10022739
                • lstrlenA.KERNEL32(?,?,75920F00), ref: 10022759
                • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,75920F00), ref: 10022763
                • LocalFree.KERNEL32(00000000,?,75920F00), ref: 10022777
                Strings
                Yara matches
                Similarity
                • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                • String ID: \termsrv_t.dll
                • API String ID: 2807520882-1337493607
                • Opcode ID: d05dafc5fe6d14057582a55e5b4722bc21772c6013dc9381755346d13f2db951
                • Instruction ID: a9041602d65a234f1924c5882a4677b5f27ea997392bc1cbde97f530f7afb129
                • Opcode Fuzzy Hash: d05dafc5fe6d14057582a55e5b4722bc21772c6013dc9381755346d13f2db951
                • Instruction Fuzzy Hash: 1E21F37A104315AFD324DB60DC88EEB77A8EB85310F108B18FA56D6190DB74E509CB62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,C:\Windows\system32,75920F00,0000005C,00000000,00000000,75920F00,1001C7E6,?,?,?,?,?,?,?), ref: 1002755E
                • GetProcAddress.KERNEL32(00000000), ref: 10027567
                • CreateThread.KERNEL32(?,?,10027430,?,?,?), ref: 10027595
                • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?), ref: 100275A7
                • GetProcAddress.KERNEL32(00000000), ref: 100275AA
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 100275BA
                Strings
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                • String ID: C:\Windows\system32$CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                • API String ID: 2992130774-4096930842
                • Opcode ID: 2c1ff59eba6be876e36673c30af6e9a69b8f08df05ac575060c6b707c4ef4945
                • Instruction ID: 2f0a56f5d40e5cff3a63aa68bef0bb8a478e86ce94cfbdcd054d9ceef03db571
                • Opcode Fuzzy Hash: 2c1ff59eba6be876e36673c30af6e9a69b8f08df05ac575060c6b707c4ef4945
                • Instruction Fuzzy Hash: EC111E75608315BFD640DFA88C84F9BBBE8EBCC324F504A0DF698D3251C674E9058B92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                  • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                • NetUserDel.NETAPI32(00000000,00000000), ref: 100215D8
                • #825.MFC42(00000000,00000000,00000000), ref: 100215E0
                • wsprintfA.USER32 ref: 10021628
                • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10021648
                • Sleep.KERNEL32(00000032), ref: 10021654
                  • Part of subcall function 100210A0: LocalSize.KERNEL32(00000000), ref: 100210B0
                  • Part of subcall function 100210A0: LocalFree.KERNEL32(00000000,?,1002159A,00000001,?,00000000,00000001,?,?), ref: 100210C0
                Strings
                Yara matches
                Similarity
                • API ID: ByteCharLocalMultiWide$#823#825FreeOpenSizeSleepUserwsprintf
                • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                • API String ID: 3751864237-1111274145
                • Opcode ID: b8c23196a3a83fa7ffb35ae4972e3dae7a6f759f9ab6db5e449d1d71dc04ed71
                • Instruction ID: 19f2a48cf0ea9bc467426b91027db1d1e551371d79a469111d0dba8f8b1a22a4
                • Opcode Fuzzy Hash: b8c23196a3a83fa7ffb35ae4972e3dae7a6f759f9ab6db5e449d1d71dc04ed71
                • Instruction Fuzzy Hash: DE31E47A2043156BE214DB24FC85FEF77D8EBD5294F80092DFE4596241EA39E90C87A2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                Strings
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                • API String ID: 2574300362-4065288365
                • Opcode ID: 2f637b39e38ff6b7ca012c7e9c1340899ad12a80c5c05bc5b15e4a0ab5224134
                • Instruction ID: 5138c781762bdaf7d2be9a3f8db0ee17f07db1ab80d4ea102ccef75462070410
                • Opcode Fuzzy Hash: 2f637b39e38ff6b7ca012c7e9c1340899ad12a80c5c05bc5b15e4a0ab5224134
                • Instruction Fuzzy Hash: 3F21F672600204ABDB14DF68DC84A967BE4FFC8311F114469EB059B345DB36E909DBE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,100274E9,00000000), ref: 1002773B
                • GetProcAddress.KERNEL32(00000000), ref: 10027744
                  • Part of subcall function 10027670: LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,75920BD0,00000000,?,7591F550), ref: 1002768A
                  • Part of subcall function 10027670: GetProcAddress.KERNEL32(00000000), ref: 10027693
                  • Part of subcall function 10027670: LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7591F550), ref: 100276A1
                  • Part of subcall function 10027670: GetProcAddress.KERNEL32(00000000), ref: 100276A4
                  • Part of subcall function 10027670: GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100276C8
                • LoadLibraryA.KERNEL32(USER32.dll,OpenInputDesktop,?,?,00000000,100274E9,00000000), ref: 1002775E
                • GetProcAddress.KERNEL32(00000000), ref: 10027767
                • LoadLibraryA.KERNEL32(USER32.dll,CloseDesktop), ref: 10027795
                • GetProcAddress.KERNEL32(00000000), ref: 10027798
                Strings
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$InformationObjectUser
                • String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$USER32.dll
                • API String ID: 3339922732-643134891
                • Opcode ID: f49df19dfd7a481f2431d29014ac3989a76107643ac1541244d958575534b706
                • Instruction ID: 05f3591641b59c40158af03f51d3c63c2cafec4d9869337a30d4bd98cc44708c
                • Opcode Fuzzy Hash: f49df19dfd7a481f2431d29014ac3989a76107643ac1541244d958575534b706
                • Instruction Fuzzy Hash: AB01817B74122A3BF515A3B96C81FCEA388EFC46A6F524032FB04EA150C795AC4115B5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E192
                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000E209
                • GetFileSize.KERNEL32(00000000,00000000), ref: 1000E218
                • #823.MFC42(00000000), ref: 1000E221
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000E234
                • #825.MFC42(00000000), ref: 1000E25C
                • CloseHandle.KERNEL32(00000000), ref: 1000E265
                Strings
                Yara matches
                Similarity
                • API ID: File$#823#825CloseCreateDirectoryHandleReadSizeSystem
                • String ID: .key$6gkIBfkS+qY=
                • API String ID: 836583384-3577161720
                • Opcode ID: f6c8326082b23d6279ffa8405f357592c43ee62e521fba7e4166068b07f62420
                • Instruction ID: 61497290cd371e3597cec339e2895b0745de3c3bbeacfb8a241aa010364a87dc
                • Opcode Fuzzy Hash: f6c8326082b23d6279ffa8405f357592c43ee62e521fba7e4166068b07f62420
                • Instruction Fuzzy Hash: BB3148711046056FE300DB34CC85A9B7BD9FB89360F100B2CFA62D72D1DAB59948C791
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #2614.MFC42(?,?,1000706F), ref: 10007574
                • #860.MFC42(*.*,?,?,1000706F), ref: 10007581
                • #3811.MFC42(?,*.*,?,?,1000706F), ref: 100075A2
                • #3811.MFC42(?,?,*.*,?,?,1000706F), ref: 100075B1
                • #3811.MFC42(?,?,?,*.*,?,?,1000706F), ref: 100075C0
                • #3811.MFC42(?,?,?,?,*.*,?,?,1000706F), ref: 100075CF
                • #3811.MFC42(?,?,?,?,?,*.*,?,?,1000706F), ref: 100075DE
                • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,1000706F), ref: 100075ED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #3811$#2614#860
                • String ID: *.*
                • API String ID: 4293058641-438819550
                • Opcode ID: f7e80b46e8e8ad192a980f7d64b587719454c85639dc02cddce59df522029549
                • Instruction ID: 886016e6cc9c24fc1ad7d238590431bfb23b4bf9589cd23df48c0071d0ebcafa
                • Opcode Fuzzy Hash: f7e80b46e8e8ad192a980f7d64b587719454c85639dc02cddce59df522029549
                • Instruction Fuzzy Hash: EF11C2B9805B019FC364DF65D585947B7F4FF886007808E2EB18AC7A21E738F6049F91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,100050D9,?,?), ref: 10005144
                • GetProcAddress.KERNEL32(00000000), ref: 1000514D
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,100050D9,?,?), ref: 1000515B
                • GetProcAddress.KERNEL32(00000000), ref: 1000515E
                • malloc.MSVCRT ref: 1000517F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc$malloc
                • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                • API String ID: 1625907898-566195008
                • Opcode ID: a73406a0adc5e66accce3e236893738fa79a00bb5dc0068611bde8894a42f104
                • Instruction ID: d18e7df542eac22ebb7ecdbcd3e1eaee5414bd8950a5a21a81c744e59eaea12e
                • Opcode Fuzzy Hash: a73406a0adc5e66accce3e236893738fa79a00bb5dc0068611bde8894a42f104
                • Instruction Fuzzy Hash: 16F0C8B65403197BE610A7748C4AF67BBECDF84351F118426F641D3310DA69E80087B1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 1001F7A5
                • _errno.MSVCRT ref: 1001F7AF
                • __WSAFDIsSet.WS2_32(?,?), ref: 1001F7C7
                • __WSAFDIsSet.WS2_32(00000000,?), ref: 1001F7DD
                • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 1001F816
                • inet_addr.WS2_32(00000000), ref: 1001F897
                • htons.WS2_32(?), ref: 1001F8A6
                • Sleep.KERNEL32(00000005,00000000,?), ref: 1001F920
                • closesocket.WS2_32 ref: 1001F935
                • closesocket.WS2_32(?), ref: 1001F93B
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: closesocket$Sleep_errnohtonsinet_addrrecvfromselect
                • String ID:
                • API String ID: 2127894283-0
                • Opcode ID: a14384a698a24317f3d9bb2e5b19546c97c6d3696cb471342b9180b9e8079b4f
                • Instruction ID: 8f7cdc0751f26ed70635fe3987a00804b8bbec81c42ef1f195f88b90dc5300a6
                • Opcode Fuzzy Hash: a14384a698a24317f3d9bb2e5b19546c97c6d3696cb471342b9180b9e8079b4f
                • Instruction Fuzzy Hash: FE516EB5508341ABD720DF24D848AAFB7E8EFC8714F008E2EF99997250E770D945CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeatoi
                • String ID:
                • API String ID: 804761504-0
                • Opcode ID: 58d56ab3cf45778fe87170a0f8302ecf9a1404fe5e69cada2aa785e03c6c3e59
                • Instruction ID: 33b99e4236c682c1ff544956042dcef2d68a68459d95c472ebf3e151dc08d8b3
                • Opcode Fuzzy Hash: 58d56ab3cf45778fe87170a0f8302ecf9a1404fe5e69cada2aa785e03c6c3e59
                • Instruction Fuzzy Hash: 823137354046556BE329DB388C449FB7BD4EB99360F244B2EF9A6C31D1EE74E90883A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100225C6
                • lstrcatA.KERNEL32(?,?), ref: 100225D8
                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 100225F5
                • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10022606
                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10022623
                • CloseHandle.KERNEL32(00000000), ref: 1002262A
                • LocalFree.KERNEL32(?), ref: 1002265A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                • String ID: p
                • API String ID: 3379061965-2181537457
                • Opcode ID: 0448c0b931146a8c36397459a33dc16f4ec4fcd6be4f3791ac0fe111e6f4aa32
                • Instruction ID: 830bdd5a37aca25b5db47bd58d1b075b1b8376053e8957c8ffc8c3b5572035f6
                • Opcode Fuzzy Hash: 0448c0b931146a8c36397459a33dc16f4ec4fcd6be4f3791ac0fe111e6f4aa32
                • Instruction Fuzzy Hash: 4221AE75144315ABE304DF50CC85FEBB7E8FBC8705F008A0DF68196290D774AA098BA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020510
                • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020530
                • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020544
                • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10020558
                • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 1002056B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: FreeMemory$InformationQuerySession
                • String ID: Console$ICA$RDP
                • API String ID: 2964284127-2419630658
                • Opcode ID: 5b76ab8d2eab254213b625b62b322d80698c701e8117683301043695099a301d
                • Instruction ID: f07eb4cdcb9ce89c6d976fc07c5deb833dbe8419acdb8c8d8ec998c8d3d62e73
                • Opcode Fuzzy Hash: 5b76ab8d2eab254213b625b62b322d80698c701e8117683301043695099a301d
                • Instruction Fuzzy Hash: EB01F5B662427167C500EB5C7C4189BBAD9FB90A55F84443EF94897201D130EE1CC7F6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 100265F2
                • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 10026613
                • RegCloseKey.ADVAPI32(?), ref: 1002661E
                • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002662B
                  • Part of subcall function 10026300: lstrcatA.KERNEL32(00000000,?), ref: 10026356
                  • Part of subcall function 10026300: lstrcatA.KERNEL32(00000000,\*.*), ref: 10026365
                  • Part of subcall function 10026300: FindFirstFileA.KERNEL32(00000000,?), ref: 10026381
                  • Part of subcall function 10026300: FindNextFileA.KERNEL32(?,?), ref: 10026560
                  • Part of subcall function 10026300: FindClose.KERNEL32(?), ref: 1002656F
                • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 10026660
                Strings
                • P, xrefs: 100265D8
                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 100265E8
                • Favorites, xrefs: 1002660D
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Find$AllocCloseFileLocallstrcat$FirstNextOpenQueryValue
                • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                • API String ID: 4098999320-2418616894
                • Opcode ID: d38f954dffb21e116ecf76efb4b1a33598bd86147cc245a8f687d18b0dcbf1eb
                • Instruction ID: 207ce911c8bdc5724ef97e225e2c39c068d07c00de13f2cd5441e6dface86ce0
                • Opcode Fuzzy Hash: d38f954dffb21e116ecf76efb4b1a33598bd86147cc245a8f687d18b0dcbf1eb
                • Instruction Fuzzy Hash: C2118FB4118341BFE304DF64CC85FAB7BE4FB88704F508A1CFA45962A0D7B8A409CB56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateRectRgnIndirect.GDI32(?), ref: 100151C6
                • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001525A
                • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001525F
                • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10015270
                • DeleteObject.GDI32(?), ref: 10015277
                • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,100144BA), ref: 10015287
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                • String ID:
                • API String ID: 643377033-0
                • Opcode ID: 6cd3a40624aaf2b3a70f4f21656276c2c61fbd1c74dd23bc6e4d59d29cf7c9eb
                • Instruction ID: 51e7224ae3624a2980f9e7a68c6af005ed2f82c84f400dcefa22d485ddae3dba
                • Opcode Fuzzy Hash: 6cd3a40624aaf2b3a70f4f21656276c2c61fbd1c74dd23bc6e4d59d29cf7c9eb
                • Instruction Fuzzy Hash: 88519FB66083019FD314DF29D880A1BB7E6EFC8750F19892DF485CB301E775E9498B56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowTextA.USER32(?,?,000003FF), ref: 10025714
                • IsWindowVisible.USER32 ref: 10025723
                • lstrlenA.KERNEL32(?), ref: 1002573C
                • LocalAlloc.KERNEL32(00000040,00000001), ref: 1002574F
                • LocalSize.KERNEL32 ref: 1002575F
                • lstrlenA.KERNEL32(?), ref: 1002577D
                • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10025789
                • GetWindowThreadProcessId.USER32(?), ref: 10025796
                • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 100257A4
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                • String ID:
                • API String ID: 925664022-0
                • Opcode ID: 5d086fe3937d838b90e67041d79722ebd9b443406b06677e66d77e433def714f
                • Instruction ID: 7d19a4c73dd60ce49c1d08fb9ed81b9060044fd37b04de75dff91a7ad7e4940d
                • Opcode Fuzzy Hash: 5d086fe3937d838b90e67041d79722ebd9b443406b06677e66d77e433def714f
                • Instruction Fuzzy Hash: 1321BD7A144342AFE720DB20EC84BEBB7E8EB85751F80851CEE4697240DB75A806CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 100166DF
                  • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                  • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                  • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                  • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823$AddressLibraryLoadProcwsprintf
                • String ID: E$M$T$Y$\$c$l$t
                • API String ID: 398864417-1479156189
                • Opcode ID: 839f9f33b092c3a3ef27cdf20dafac7ff5c0948866d149cddd004d82c26508e2
                • Instruction ID: d161b109e26757c0e016afd906964d12d4c74bbfde226435cfd698c4430c68b1
                • Opcode Fuzzy Hash: 839f9f33b092c3a3ef27cdf20dafac7ff5c0948866d149cddd004d82c26508e2
                • Instruction Fuzzy Hash: C8118E6110C3C0AEE311CA28C854B9BBFD59BA9208F48895DF6C843382C2B5960CC777
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: Button$CheckBox$ComboLBox$GroupBox$Radio$ka)
                • API String ID: 3519838083-778572818
                • Opcode ID: 1c004b97266f29afe500daec680581637c94665d25bcfc55dd0e6090873bdf94
                • Instruction ID: 4e6e0563b22fb279f9115b36b4ea8f2f229353e7383cc66f1524e5911ac984c3
                • Opcode Fuzzy Hash: 1c004b97266f29afe500daec680581637c94665d25bcfc55dd0e6090873bdf94
                • Instruction Fuzzy Hash: AEC1E670B0420DAADF58AF69D9517FE3EA56B15701F20801FF81AEA2C1CE7C4BC1965E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _CxxThrowException.MSVCRT(?,100F17A0), ref: 10004533
                • #823.MFC42(100043EC,?,00000004,00000000,00000004,100043FB,00000004,?,00000003,00000003,00000000,?,100043FB,?,00000000,?), ref: 100045A7
                • #823.MFC42(00000000,?,?,?,00000000,10093BC0,000000FF,76A923A0,100043FB,?,00000000), ref: 100045B8
                • #825.MFC42(00000000,00000000,?,?,?), ref: 1000461E
                • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004624
                • _CxxThrowException.MSVCRT(?), ref: 10004641
                • #825.MFC42(?,?,?,?,?,00000000,10093BC0,000000FF,76A923A0,100043FB,?,00000000), ref: 1000464E
                • #825.MFC42(10093BC0,?,?,?,?,00000000,10093BC0,000000FF,76A923A0,100043FB,?,00000000), ref: 1000465E
                  • Part of subcall function 10004710: _ftol.MSVCRT ref: 1000474F
                  • Part of subcall function 10004710: #823.MFC42(00000000), ref: 10004759
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #825$#823$ExceptionThrow$_ftol
                • String ID:
                • API String ID: 3722084872-0
                • Opcode ID: 7b6c839bc1f1c7eeed4faadeb398d1d7556b8d00bb047abc290883428f9721fe
                • Instruction ID: 37ce7ba9c98554e48ddb0bc7efc9b065fca5e2527d8adf9451804a4ee83aff98
                • Opcode Fuzzy Hash: 7b6c839bc1f1c7eeed4faadeb398d1d7556b8d00bb047abc290883428f9721fe
                • Instruction Fuzzy Hash: 1951A6B5A002495BEF00DF64C891BEE77B9EF496D0F414029F909AB385DF34FA058BA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: _strnicmp
                • String ID: CONNECT $GET $HEAD $POST
                • API String ID: 2635805826-4031508290
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 10016826
                  • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                  • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                  • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                  • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                • lstrlenA.KERNEL32(?), ref: 1001684C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823$AddressLibraryLoadProclstrlenwsprintf
                • String ID: %s%s%s%s$BITS$EM\CurrentContro$SYST$b60d2cdeea0e88ff96434911ba63aaaf$lSet\Services\
                • API String ID: 3212130186-3563974952
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: Edit$ListBox$RICHEDIT$SysHeader32$SysIPAddress32$SysListView32$SysTabControl32$SysTreeView32$msctls_trackbar32
                • API String ID: 3519838083-1485315085
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: sprintf$floor
                • String ID: %.0f
                • API String ID: 389794084-4293663076
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10028180
                • __WSAFDIsSet.WS2_32(?,00000001), ref: 10028194
                • recv.WS2_32(?,?,00002000,00000000), ref: 100281AD
                • __WSAFDIsSet.WS2_32(?,00000001), ref: 100281D5
                • recv.WS2_32(?,?,00002000,00000000), ref: 100281EE
                • closesocket.WS2_32 ref: 10028224
                • closesocket.WS2_32(?), ref: 10028227
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: closesocketrecv$select
                • String ID:
                • API String ID: 2008065562-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10004690: setsockopt.WS2_32(?,0000FFFF,00000080,00001F95), ref: 100046BA
                  • Part of subcall function 10004690: CancelIo.KERNEL32(?), ref: 100046C7
                  • Part of subcall function 10004690: InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                  • Part of subcall function 10004690: closesocket.WS2_32(?), ref: 100046E3
                  • Part of subcall function 10004690: SetEvent.KERNEL32(00001F95), ref: 100046F0
                • ResetEvent.KERNEL32(00001F95,00000000,00001F95), ref: 100041E3
                • socket.WS2_32 ref: 100041F6
                • gethostbyname.WS2_32(?), ref: 10004216
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                • String ID:
                • API String ID: 513860241-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000), ref: 1000F068
                • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000), ref: 1000F079
                • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F08B
                • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F097
                • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0CA
                • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0DF
                  • Part of subcall function 1000F110: #540.MFC42 ref: 1000F137
                  • Part of subcall function 1000F110: #2818.MFC42(00000000, %c%s,?,?), ref: 1000F160
                  • Part of subcall function 1000F110: #2763.MFC42(00000020), ref: 1000F17D
                  • Part of subcall function 1000F110: #537.MFC42(100F5B4C,00000000,00000020), ref: 1000F195
                  • Part of subcall function 1000F110: #537.MFC42(100F617C,100F5B4C,00000000,00000020), ref: 1000F1AA
                  • Part of subcall function 1000F110: #922.MFC42(?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1BB
                  • Part of subcall function 1000F110: #922.MFC42(?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1CC
                  • Part of subcall function 1000F110: #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1DB
                  • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1E9
                  • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F1F7
                  • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F205
                  • Part of subcall function 1000F110: #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,100F617C,100F5B4C,00000000,00000020), ref: 1000F213
                  • Part of subcall function 1000F110: #535.MFC42(00000000), ref: 1000F270
                  • Part of subcall function 1000F110: #800.MFC42(00000000), ref: 1000F286
                • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,10094258,000000FF,1000ED9F,?,000000FF,00000000,?,00000000,00000000), ref: 1000F0EF
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                • String ID:
                • API String ID: 37758464-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenA.KERNEL32(00000000), ref: 10021229
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001FFDE
                  • Part of subcall function 1001FFC0: #823.MFC42(00000002,?,00000000,00000000), ref: 1001FFEB
                  • Part of subcall function 1001FFC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10020007
                • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 10021258
                • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 1002128D
                • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 10021295
                • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 100212A2
                • NetApiBufferFree.NETAPI32(?), ref: 100212D1
                • LocalFree.KERNEL32(?), ref: 100212DB
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                • String ID:
                • API String ID: 1574401665-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNEL32(00000064,?,?), ref: 100284C1
                • wsprintfA.USER32 ref: 100284EC
                • closesocket.WS2_32(00000000), ref: 10028504
                • TerminateThread.KERNEL32(?,00000000), ref: 1002853C
                • CloseHandle.KERNEL32(101281A0), ref: 10028543
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                • String ID: nsocket-di:%d
                • API String ID: 1790861966-355283319
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 100227B6
                • lstrcatA.KERNEL32(?,?), ref: 100227C8
                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100227E5
                • CloseHandle.KERNEL32(00000000), ref: 1002280D
                • LocalFree.KERNEL32(?), ref: 10022826
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
                • String ID: p
                • API String ID: 3845662661-2181537457
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: $&$.$6$>$@$d$e
                • API String ID: 0-2702541336
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Sleep$atoi$CloseHandle
                • String ID:
                • API String ID: 3951340052-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10001EF0: EnterCriticalSection.KERNEL32(?,76337310,759183C0,10004727,76337310,759183C0,759223A0,00000000,?,?,?,?,?,?,?,00000100), ref: 10001EF8
                  • Part of subcall function 10001EF0: LeaveCriticalSection.KERNEL32(?,00000400,?,?,?,?,?,?,?,00000100), ref: 10001F11
                • _ftol.MSVCRT ref: 1000474F
                • #823.MFC42(00000000), ref: 10004759
                • #825.MFC42(00000000,?,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 1000478E
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$#823#825EnterLeave_ftol
                • String ID:
                • API String ID: 2982282317-0
                • Opcode ID: 383ef655ac8f6fedcca7d9934e41858ffce3b41d39233b38587a54daa4e1965a
                • Instruction ID: 151cba10dd302cfdd08b685247497689396b72e64293b537d4334c1f2e96d35a
                • Opcode Fuzzy Hash: 383ef655ac8f6fedcca7d9934e41858ffce3b41d39233b38587a54daa4e1965a
                • Instruction Fuzzy Hash: 5141F4B97443045BE204EF249C52BAFB3D9EBC8690F41452DFA0597386DE34FA098766
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateDIBSection.GDI32(?,00000000,00000000,75FD5D50,00000000,00000000), ref: 10015321
                • SelectObject.GDI32(00000000,00000000), ref: 1001532F
                • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001534E
                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001536F
                • DeleteObject.GDI32(?), ref: 100153C5
                • free.MSVCRT(?,?,00CC0020,?,10015286,00000000,00000000,?,?,00000001,?,?,?), ref: 100153D4
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Object$CreateDeleteSectionSelectfree
                • String ID:
                • API String ID: 2595996717-0
                • Opcode ID: 887497eaceb188f058d34d4869c424205da7e7f5aed0cf582579a54abdd03fb3
                • Instruction ID: 0c043ad52958cd3b14dae1ff8ff7b18953000f6685b449f3fdc92eb6ecbc4a7c
                • Opcode Fuzzy Hash: 887497eaceb188f058d34d4869c424205da7e7f5aed0cf582579a54abdd03fb3
                • Instruction Fuzzy Hash: BE4124B5200705AFD714DF69CD94E6BB7EAEF88600F14891CFA868B790D670FE448B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10014C42,?,?,?,?,?,?,00000000), ref: 100155EB
                • GetDC.USER32(00000000), ref: 10015646
                • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10015653
                • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10015666
                • ReleaseDC.USER32(00000000,00000000), ref: 1001566F
                • DeleteObject.GDI32(00000000), ref: 10015676
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                • String ID:
                • API String ID: 1489246511-0
                • Opcode ID: c1846dc3492ed7490e41e3b8efee52bb51f45bcde56b8ce4b2a4ec49df6fd671
                • Instruction ID: 5656d7b1f0fdb8729cb8ec7308b8b8dafa7dccdb65a81c0c0b83e1d1b9a22dae
                • Opcode Fuzzy Hash: c1846dc3492ed7490e41e3b8efee52bb51f45bcde56b8ce4b2a4ec49df6fd671
                • Instruction Fuzzy Hash: 983113712017018FD324CF68CC94B5AFBE6FF95305F188A6DE4868F2A1E7B1A508CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _snprintf.MSVCRT ref: 100283AF
                  • Part of subcall function 100282B0: inet_addr.WS2_32(?), ref: 100282BA
                • recv.WS2_32(00000000,?,00000002,00000000), ref: 10028411
                • CreateThread.KERNEL32(00000000,00000000,100282D0,?,00000000,?), ref: 10028460
                • CloseHandle.KERNEL32(00000000), ref: 10028474
                • Sleep.KERNEL32(000003E8), ref: 1002847D
                • closesocket.WS2_32(00000000), ref: 10028491
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                • String ID:
                • API String ID: 1576220768-0
                • Opcode ID: 00eadbeaeb201012b0927691c094c3a5161020362d1214b6b27fedf7c57495dc
                • Instruction ID: 497dff6657eaaf77b9defc5f611267720a89ff3c3d4cd293dfab77866c2f2ac2
                • Opcode Fuzzy Hash: 00eadbeaeb201012b0927691c094c3a5161020362d1214b6b27fedf7c57495dc
                • Instruction Fuzzy Hash: 8031D678105352AFE310DF14DC84BAB77E9EFC5750F50891CFA8897290D775A906CB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: malloc$Tablefree
                • String ID:
                • API String ID: 2903114640-0
                • Opcode ID: 28e37d4da508f8d2d058f11b67623aa510d39478e0795e9589a828142d561b05
                • Instruction ID: 392ca506e9d3a2c1924250b0f5a6a0c487a71deac8f3964ff9532963557b40af
                • Opcode Fuzzy Hash: 28e37d4da508f8d2d058f11b67623aa510d39478e0795e9589a828142d561b05
                • Instruction Fuzzy Hash: B91148736026142BE315CA0EBC81BDFF3D9EBC4660F51052AF901CB200DB21FE8587A2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
                • Process32First.KERNEL32(00000000,00000000), ref: 1002760B
                • _stricmp.MSVCRT(?,?), ref: 10027627
                • Process32Next.KERNEL32(00000000,?), ref: 10027636
                • CloseHandle.KERNEL32(00000000), ref: 10027640
                • CloseHandle.KERNEL32(00000000,?,76379E60), ref: 10027653
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_stricmp
                • String ID:
                • API String ID: 1332747125-0
                • Opcode ID: fd99c215672c8caa1d25ccd81968c825ecf160c7ffbb80c7e0cc659d646a0bb4
                • Instruction ID: 4b4bec2270871bc9508021c82bd67cafa7db8a1a7ddde656dc61282940e99d29
                • Opcode Fuzzy Hash: fd99c215672c8caa1d25ccd81968c825ecf160c7ffbb80c7e0cc659d646a0bb4
                • Instruction Fuzzy Hash: B10192391056107FE350DB28EC45ADB73D8EF85361F808928FD1882280DB38E91986A6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E2B8
                • Sleep.KERNEL32(000004D2), ref: 1000E362
                • DeleteFileA.KERNEL32(?), ref: 1000E323
                  • Part of subcall function 1000E160: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E192
                  • Part of subcall function 1000E160: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000E209
                  • Part of subcall function 1000E160: GetFileSize.KERNEL32(00000000,00000000), ref: 1000E218
                  • Part of subcall function 1000E160: #823.MFC42(00000000), ref: 1000E221
                  • Part of subcall function 1000E160: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000E234
                  • Part of subcall function 1000E160: #825.MFC42(00000000), ref: 1000E25C
                  • Part of subcall function 1000E160: CloseHandle.KERNEL32(00000000), ref: 1000E265
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
                • String ID: .key$6gkIBfkS+qY=
                • API String ID: 3115437274-3577161720
                • Opcode ID: 52d5c34fec1058b21deb3f8e7361faa1260aab5b3d716f31b033e2faa6641d6a
                • Instruction ID: 8b295e50c60843580cfd6389b87f51f9169854e69fc94e39db10b536c9611ff5
                • Opcode Fuzzy Hash: 52d5c34fec1058b21deb3f8e7361faa1260aab5b3d716f31b033e2faa6641d6a
                • Instruction Fuzzy Hash: C62177356042910BF725DB38CC9479A7FC4FB853A0F044729F496A72DADBB49D48C352
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100120C0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,?), ref: 100120F0
                  • Part of subcall function 100120C0: GetProcAddress.KERNEL32(00000000), ref: 100120F7
                  • Part of subcall function 100120C0: #823.MFC42(?), ref: 10012123
                  • Part of subcall function 100120C0: #823.MFC42(73252073), ref: 1001217D
                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F95,759223A0), ref: 100167A7
                • gethostname.WS2_32(?,?), ref: 100167AF
                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,00001F95,759223A0), ref: 100167B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823lstrlen$AddressLibraryLoadProcgethostname
                • String ID: Host$SYSTEM\Setup
                • API String ID: 3998130814-2058306683
                • Opcode ID: 56e7420ec7e53d1e6086bdcf6c58d7f673946b10884cd24e3a049a0a59ebb871
                • Instruction ID: 89e900fceae59ac8d3f09e9af1364124967943dc5bc78569f875330dc368f6ce
                • Opcode Fuzzy Hash: 56e7420ec7e53d1e6086bdcf6c58d7f673946b10884cd24e3a049a0a59ebb871
                • Instruction Fuzzy Hash: 2001C4756042546FE314CB18DC90BABBBE9EBC8245F14453CFB4493391D7729A05CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10057480: GetModuleHandleW.KERNEL32(ntdll.dll,RtlDosPathNameToRelativeNtPathName_U,?,?,10057536,?,1001802F,1012644C,00000000), ref: 100574A1
                  • Part of subcall function 10057480: GetProcAddress.KERNEL32(00000000), ref: 100574A4
                  • Part of subcall function 10057480: GetLastError.KERNEL32(?,10057536,?,1001802F,1012644C,00000000), ref: 100574AF
                • CreateFileW.KERNEL32(1001802F,C0000000,00000000,00000000,00000003,00000080,00000000,?,1001802F,1012644C,00000000), ref: 10057561
                • GetLastError.KERNEL32(?,1001802F,1012644C,00000000), ref: 1005756E
                • malloc.MSVCRT ref: 10057580
                • CloseHandle.KERNEL32(00000000,00000000), ref: 1005758D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: ErrorHandleLast$AddressCloseCreateFileModuleProcmalloc
                • String ID: \\.\QAssist
                • API String ID: 3918230743-1620305513
                • Opcode ID: c74637825da1256f0bc27f790e83a9fe10c173631bf399fe062de42ba4e07804
                • Instruction ID: 2617bb851b5f1441201b4be41023a6116d41d176203a3ef9fd8cf81c813fd235
                • Opcode Fuzzy Hash: c74637825da1256f0bc27f790e83a9fe10c173631bf399fe062de42ba4e07804
                • Instruction Fuzzy Hash: B5014C79B406202BF314D738BC017CA26D5EB84720F12C230F985EB2D4FEB0A8455280
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShellExecuteExA.SHELL32 ref: 10009321
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009332
                • CloseHandle.KERNEL32(?), ref: 1000933D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseExecuteHandleObjectShellSingleWait
                • String ID: <$@
                • API String ID: 3837156514-1426351568
                • Opcode ID: 1b34141c0c47c6f06558b0f2ed81d179a17c353eb6c44df50b52a01acea419f1
                • Instruction ID: 373787d667dad42a9a598f5b4b60ee5f53bdce74bc95899c6e3054471be14af9
                • Opcode Fuzzy Hash: 1b34141c0c47c6f06558b0f2ed81d179a17c353eb6c44df50b52a01acea419f1
                • Instruction Fuzzy Hash: 9AF06971508311ABD704DF18C848A9FBBE4FFC4350F108A1DF699972A0DB76D6048B96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegCreateKeyA.ADVAPI32(80000002,SYSTEM\Setup), ref: 1000C530
                • RegSetValueExA.ADVAPI32(?,Host,00000000,00000001,?), ref: 1000C557
                • RegCloseKey.ADVAPI32(?), ref: 1000C562
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateValue
                • String ID: Host$SYSTEM\Setup
                • API String ID: 1818849710-2058306683
                • Opcode ID: 5f9fed053b9cfa91d4caa8739edf0f7e93f4ee06f2d893e362b26cb805fc1c5a
                • Instruction ID: 9c6b50d5ac1e52a42a9b9ebb4716c63bfcb5adcd7a01533ca98fdfbb8b9501c1
                • Opcode Fuzzy Hash: 5f9fed053b9cfa91d4caa8739edf0f7e93f4ee06f2d893e362b26cb805fc1c5a
                • Instruction Fuzzy Hash: 18E06D7A214204BBE308D761CC88EAB77BDEFC8A52F20860DFB1682190DA70D9009620
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10014540,?,?,?,?,?,100945F0,000000FF), ref: 1000E55D
                • GetProcAddress.KERNEL32(00000000), ref: 1000E564
                • Sleep.KERNEL32(00000096,?,?,?,?,?,100945F0,000000FF), ref: 1000E577
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProcSleep
                • String ID: KERNEL32.dll$WaitForSingleObject
                • API String ID: 188063004-3889371928
                • Opcode ID: 6f1913b75059fcdeb32e1ab937262be6e57ad583bf31aca0cc1f484719355a3e
                • Instruction ID: 62ce2c8e92499c9444195fa3867bf8a19e8f497ea87849b71b601687cd9eea2b
                • Opcode Fuzzy Hash: 6f1913b75059fcdeb32e1ab937262be6e57ad583bf31aca0cc1f484719355a3e
                • Instruction Fuzzy Hash: 0FD0C979104231BBEA2467B0AC5CDDB7B18EB483327218704FA22922E0CE669840CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #825.MFC42(?,?), ref: 1001D0FD
                • #825.MFC42(?), ref: 1001D15A
                • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 1001D16E
                • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 1001D191
                • #825.MFC42(00000000), ref: 1001D19C
                  • Part of subcall function 1001E380: #825.MFC42(?,?,10126460,?,1001D0FA,?), ref: 1001E3A2
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #825$Lockit@std@@$??0_??1_
                • String ID:
                • API String ID: 3320149174-0
                • Opcode ID: 248e721a4bb1f933bcf7608b263b7d299fc8c9d368e6bfa2f33e42661512f62b
                • Instruction ID: 7c720292ba65290974d9ff8836e0303b4dfe883974515ec1d759db98d0b56278
                • Opcode Fuzzy Hash: 248e721a4bb1f933bcf7608b263b7d299fc8c9d368e6bfa2f33e42661512f62b
                • Instruction Fuzzy Hash: 04315AB5600751AFC710EF68D88481AB7E5FB88650760881EE89A8B740EB34FD86CB95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 1000E390: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F95,1001A69F,?,00000000,00001F95), ref: 1000E3B0
                  • Part of subcall function 1000E390: GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                • malloc.MSVCRT ref: 10006605
                • free.MSVCRT(00000000), ref: 10006635
                • LocalAlloc.KERNEL32(00000040,00000005), ref: 1000664F
                • SetEvent.KERNEL32(?), ref: 1000667E
                • LocalFree.KERNEL32(?), ref: 10006696
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Local$AddressAllocEventFreeLibraryLoadProcfreemalloc
                • String ID:
                • API String ID: 2989931879-0
                • Opcode ID: a49bb198e7a3050c482c45dde1c8e5cdea98da9e81467423ad6cbd069d21f764
                • Instruction ID: 0565bafc2cb9ca33cc0fc730bac9966ee2cdbcd20a5ac2973ab713c03d52ec4f
                • Opcode Fuzzy Hash: a49bb198e7a3050c482c45dde1c8e5cdea98da9e81467423ad6cbd069d21f764
                • Instruction Fuzzy Hash: E331F1752046449FD304CF288840AABBBE9FB89760F144B2CF94697385CB79AD05CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: InternetOpen
                • String ID: y$y
                • API String ID: 2038078732-2085659379
                • Opcode ID: 1511636889105b7b4ece37f4309da6395ac4234c7bb70a15faa6c0cfd8e6a53f
                • Instruction ID: 56625c480b4158ec2fd4c5dff48b05de219e24d7b19525f148bfc21f4c62e671
                • Opcode Fuzzy Hash: 1511636889105b7b4ece37f4309da6395ac4234c7bb70a15faa6c0cfd8e6a53f
                • Instruction Fuzzy Hash: DE21467AA042141BD710DB68AC416BF7BC9EFC42A0F444439FD0AD7341DAA9EE0C82E7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08,00000000,1000EE43,00000000,00000000,00000000), ref: 1000F382
                • #4278.MFC42(1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08,00000000,1000EE43), ref: 1000F39E
                • #6883.MFC42(?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08), ref: 1000F3B2
                • #800.MFC42(?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8,000000FF,1000EE08), ref: 1000F3C3
                • #6662.MFC42(0000005C,00000001,?,00000000,1000EEAF,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,100942F8), ref: 1000F3D0
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #6662$#4278#6883#800
                • String ID:
                • API String ID: 2113711092-0
                • Opcode ID: c7df3eec0f518cdf2e194ceeaf08541b6e181717fc26662f3cc93f22c61436f8
                • Instruction ID: cd484a30cec0716906a840a730b6a7f9eb33a4c2b287cb289a584b9fdff61532
                • Opcode Fuzzy Hash: c7df3eec0f518cdf2e194ceeaf08541b6e181717fc26662f3cc93f22c61436f8
                • Instruction Fuzzy Hash: DF11F03A3056159FE714CF299C45FBE7795EB806B0F41072CB82A972C1DB34AD0587A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 1000E550: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10014540,?,?,?,?,?,100945F0,000000FF), ref: 1000E55D
                  • Part of subcall function 1000E550: GetProcAddress.KERNEL32(00000000), ref: 1000E564
                  • Part of subcall function 1000E550: Sleep.KERNEL32(00000096,?,?,?,?,?,100945F0,000000FF), ref: 1000E577
                  • Part of subcall function 100149F0: GetDeviceCaps.GDI32(?,00000076), ref: 10014A20
                  • Part of subcall function 100149F0: GetDeviceCaps.GDI32(?,00000075), ref: 10014A33
                • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 100145D9
                • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 100145EC
                • Sleep.KERNEL32(000000C8), ref: 10014629
                  • Part of subcall function 10013FA0: InterlockedExchange.KERNEL32(?,00000000), ref: 10013FCA
                  • Part of subcall function 10013FA0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,100945E1,000000FF), ref: 10013FD5
                  • Part of subcall function 10013FA0: CloseHandle.KERNEL32(?,?,?,?,?,?,100945E1,000000FF), ref: 10013FE2
                  • Part of subcall function 10013FA0: #823.MFC42 ref: 1001400B
                  • Part of subcall function 10013FA0: InterlockedExchange.KERNEL32(?,00000001), ref: 100140B0
                • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10014608
                • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001461B
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                • String ID:
                • API String ID: 2254935227-0
                • Opcode ID: 8760591bd120a5b02d52516be488a531dd52d958b1f6bc4b874968caca00d7d7
                • Instruction ID: fa78f8423a7644211b4eda94b890ede5bfb66b04f670d2af04a0538561e8c090
                • Opcode Fuzzy Hash: 8760591bd120a5b02d52516be488a531dd52d958b1f6bc4b874968caca00d7d7
                • Instruction Fuzzy Hash: B811E93438439976FA60DB344C02FAA37958F95B54F220528BA05AF1E3CDF0F9889559
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WTSQuerySessionInformationW.WTSAPI32 ref: 10020464
                • lstrcpyW.KERNEL32(?,00000000), ref: 10020484
                • WTSFreeMemory.WTSAPI32(?), ref: 1002048F
                • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 100204C8
                • lstrcpyA.KERNEL32(?,00000000), ref: 100204DB
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                • String ID:
                • API String ID: 2394411120-0
                • Opcode ID: 4d6b06f213adefdd703ace371fea0502250fd722ebf46fbc23d0bdbbbf8b58e8
                • Instruction ID: f44f65743c4aa95c1b0d8f835a528bed897c216a2caf1a45d4846aad5cd6d694
                • Opcode Fuzzy Hash: 4d6b06f213adefdd703ace371fea0502250fd722ebf46fbc23d0bdbbbf8b58e8
                • Instruction Fuzzy Hash: C11161792183417BE710CB54DC46FFB73ECBBC8B04F508A1CFA98961C0E674A5088B62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • strstr.MSVCRT ref: 100165EA
                • lstrcatA.KERNEL32(10126040,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00001F95,?,759223A0), ref: 1001660B
                • lstrcatA.KERNEL32(10126040,100F54AC,?,?,?,?,?,?,?,?,?,?,00000000,00001F95,?,759223A0), ref: 10016617
                • strstr.MSVCRT ref: 10016628
                • lstrcatA.KERNEL32(10126040,10119D9C,?,?,?,?,?,?,?,?,00000000,00001F95,?,759223A0), ref: 1001663B
                  • Part of subcall function 100275D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100275F1
                  • Part of subcall function 100275D0: Process32First.KERNEL32(00000000,00000000), ref: 1002760B
                  • Part of subcall function 100275D0: _stricmp.MSVCRT(?,?), ref: 10027627
                  • Part of subcall function 100275D0: Process32Next.KERNEL32(00000000,?), ref: 10027636
                  • Part of subcall function 100275D0: CloseHandle.KERNEL32(00000000), ref: 10027640
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: lstrcat$Process32strstr$CloseCreateFirstHandleNextSnapshotToolhelp32_stricmp
                • String ID:
                • API String ID: 2904590524-0
                • Opcode ID: f7137ac66cda5ec32b092cc6e9faadf80d3ff30cec51e9382e580b5db92c5ee3
                • Instruction ID: 5774f1ecba56e453be5a0a45c60184a0c1984639b62fdeee2dd82b6a72a6d4d3
                • Opcode Fuzzy Hash: f7137ac66cda5ec32b092cc6e9faadf80d3ff30cec51e9382e580b5db92c5ee3
                • Instruction Fuzzy Hash: F5F0F62170024027D6A0EB65AC41ECB6299DFCC1267A54835FE49B7240D73EF9806575
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • setsockopt.WS2_32(?,0000FFFF,00000080,00001F95), ref: 100046BA
                • CancelIo.KERNEL32(?), ref: 100046C7
                • InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                • closesocket.WS2_32(?), ref: 100046E3
                • SetEvent.KERNEL32(00001F95), ref: 100046F0
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                • String ID:
                • API String ID: 1486965892-0
                • Opcode ID: bd36ccd5c4a115f5ddb7f7bfb82cff20287f85f718eb939da8920a339c863b65
                • Instruction ID: dcb14e28207f84cddf8b536a38434a622c525def06c45350d6b94f45d0ddf033
                • Opcode Fuzzy Hash: bd36ccd5c4a115f5ddb7f7bfb82cff20287f85f718eb939da8920a339c863b65
                • Instruction Fuzzy Hash: 46F01275214711FFE6148B60CC88FD777A8AF49711F20CB1DFA9A46290DB70A4488755
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 100052F6
                • GetProcAddress.KERNEL32(00000000), ref: 100052FD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: KERNEL32.dll$WideCharToMultiByte
                • API String ID: 2574300362-2634761684
                • Opcode ID: ffd90f7185964eb556eeb9edbbcc56fdcfe4513e25a79eef093bbb327f4e5d8d
                • Instruction ID: a60fc2479c5358919289a22d77369d577414e2d4bd87a39acfcaa8f0c898c8ef
                • Opcode Fuzzy Hash: ffd90f7185964eb556eeb9edbbcc56fdcfe4513e25a79eef093bbb327f4e5d8d
                • Instruction Fuzzy Hash: 904160701087868FD324CF1CC894DABBBE5EBD1385F15897CE0D187225EA71994ECB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
                • GetProcAddress.KERNEL32(00000000), ref: 10001425
                  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
                  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
                  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: WINMM.dll$waveOutWrite
                • API String ID: 2574300362-665518901
                • Opcode ID: 3f99c050e077f9e98bebad0164ceaaba35ab4ae573f71ae4a5201268694d7833
                • Instruction ID: d05ae801d7ea020541401e5570a31778a76b5d6f40a75ca6236e8c94c424c07f
                • Opcode Fuzzy Hash: 3f99c050e077f9e98bebad0164ceaaba35ab4ae573f71ae4a5201268694d7833
                • Instruction Fuzzy Hash: 7A1170752043059FDB18DF68D8C89A7BBE5FB88391B118559FE428B34AD772EC04DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 1000920A
                • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009226
                • SetFilePointer.KERNEL32 ref: 10009244
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: File$Pointer$Write
                • String ID: p
                • API String ID: 3847668363-2181537457
                • Opcode ID: 75688e670bcdd66ab78c35ec944d7351c0487d13a171b597d89c89cde9d5bf71
                • Instruction ID: f6b3447963bd255bb56c3963be1272a6af8da02ba4e9acce5704280961eb2dd2
                • Opcode Fuzzy Hash: 75688e670bcdd66ab78c35ec944d7351c0487d13a171b597d89c89cde9d5bf71
                • Instruction Fuzzy Hash: 931139B5648341ABE314DF28CC85F9BB7E9FBD8714F108A0DF598A3380D674A9058BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(?,?,1000404A,75922EE0), ref: 10001B98
                • WSAStartup.WS2_32(00000202,?), ref: 1000408D
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000409B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CreateCriticalEventInitializeSectionStartup
                • String ID: h$x
                • API String ID: 1327880603-380853026
                • Opcode ID: cd2f43bb82de0894d478c275c663b103e14a8962e8b3a3c55ebc20eddf32244e
                • Instruction ID: 8377cd8f58e14501c21d6e2f82e5b3f2157d71346e3eaa906f78fddc55f0e5a8
                • Opcode Fuzzy Hash: cd2f43bb82de0894d478c275c663b103e14a8962e8b3a3c55ebc20eddf32244e
                • Instruction Fuzzy Hash: 78115E74108780DEE321DB24C856BD6BBE4EF5AB54F408A5DE5E9472C1DB796008CB23
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #823.MFC42(00000014,76320450,00000000), ref: 100216F7
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002171B
                • wsprintfA.USER32 ref: 1002173E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823GlobalMemoryStatuswsprintf
                • String ID: @
                • API String ID: 1983843647-2766056989
                • Opcode ID: 46dc55f5b98e696617ab8079e0c77226f6130b37173b7205a49c53343c9f1ca2
                • Instruction ID: 3e936a1e200515495c8cea8328abc2345836dd2880be01d12b45e091b1464d36
                • Opcode Fuzzy Hash: 46dc55f5b98e696617ab8079e0c77226f6130b37173b7205a49c53343c9f1ca2
                • Instruction Fuzzy Hash: 2CF0A7B5A003146BF3049B28CC55BAB7B95FBC0350F84C938FA5697350E674E91886A7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000CEAD,?,00001F95,1001A69F,?,00000000,00001F95), ref: 1000E3B0
                • GetProcAddress.KERNEL32(00000000), ref: 1000E3B7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: CreateEventA$KERNEL32.dll
                • API String ID: 2574300362-2476775342
                • Opcode ID: d1aee5a0c2cb95afd97f5869f5ce86433af31bfaf4b8ea3e7604a51556e75fa9
                • Instruction ID: 4433b7f29ceb8eb465cc27936b5adbe35b564cc54e27e4844f722fd9a3aa1455
                • Opcode Fuzzy Hash: d1aee5a0c2cb95afd97f5869f5ce86433af31bfaf4b8ea3e7604a51556e75fa9
                • Instruction Fuzzy Hash: C8E08CB96843206BE660DBA88C45F86BB98EF48701F20C81EF359D7290CAB0A4408B58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1001A7C6), ref: 1000E403
                • GetProcAddress.KERNEL32(00000000), ref: 1000E40A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: CloseHandle$KERNEL32.dll
                • API String ID: 2574300362-2295661983
                • Opcode ID: b12305895c39fb8a578c61ce6f0b1b1bf635014e5a2edb01bb1321b15cc69922
                • Instruction ID: 9ffa4301cfdacd456a4514ca358e47358afde2af3e8bab39a8f1d49bdc8766b9
                • Opcode Fuzzy Hash: b12305895c39fb8a578c61ce6f0b1b1bf635014e5a2edb01bb1321b15cc69922
                • Instruction Fuzzy Hash: B5C012B90442316FD6249BA0EC5C8C6BB58EF482013248509FA5283310CF759C408B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100277CA
                • GetProcAddress.KERNEL32(00000000), ref: 100277D1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: KERNEL32.dll$lstrlenA
                • API String ID: 2574300362-1796993502
                • Opcode ID: 1d78dd3e200d6a8313e6b890d9a033281a626efcdf01ca56fd69e71b7549a069
                • Instruction ID: ad4c4cb0ffc1f5063c4aa17eb72008f4b6d4272c756a57cc1d9ff03e21511702
                • Opcode Fuzzy Hash: 1d78dd3e200d6a8313e6b890d9a033281a626efcdf01ca56fd69e71b7549a069
                • Instruction Fuzzy Hash: F7C092B8801625BBEA009BB08C8C9893F68FB083037608205FB05D1224CB354001AAA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: sprintfstrchr
                • String ID: $u%04x
                • API String ID: 3926751878-2846719512
                • Opcode ID: 59a3ee7d22408da155a935dc3c1bcec3913e2d73694d07933f946e5b4d5e681a
                • Instruction ID: 9e8019c15bb1d7b6dc78768d7052d73fa4e38179e00cfcef8603f4317d08308e
                • Opcode Fuzzy Hash: 59a3ee7d22408da155a935dc3c1bcec3913e2d73694d07933f946e5b4d5e681a
                • Instruction Fuzzy Hash: BE513B355093C69FF712CF2D9C907ABBBD9DF931C0F18856DE9C18720ADB2299498361
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #825.MFC42(00000000), ref: 10013653
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,100944F8), ref: 10013667
                • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,100944F8), ref: 100135F8
                  • Part of subcall function 10012F70: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10013058
                • #825.MFC42(00000000), ref: 100136E6
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #823#825$Open
                • String ID:
                • API String ID: 2004829228-0
                • Opcode ID: 0de5211dc44e890c3dc87d3755b260a281ac556e9c1c692f8e82f94a007063dd
                • Instruction ID: 89362631d8e78c7febd73ad45292bc80626d278808fcd6d93b45305f0b436328
                • Opcode Fuzzy Hash: 0de5211dc44e890c3dc87d3755b260a281ac556e9c1c692f8e82f94a007063dd
                • Instruction Fuzzy Hash: 3C4100796042016BC708DF29C89166FB7E6FB88650F84853DF90687351DB36E989CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,00000000,?,10006107,00000000), ref: 1000639E
                • LoadLibraryA.KERNEL32(?), ref: 100063BA
                  • Part of subcall function 10005FD0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 10005FE0
                  • Part of subcall function 10005FD0: HeapReAlloc.KERNEL32(00000000), ref: 10005FE7
                • GetProcAddress.KERNEL32(00000000,?), ref: 10006423
                • IsBadReadPtr.KERNEL32(?,00000014), ref: 1000644A
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                • String ID:
                • API String ID: 2932169029-0
                • Opcode ID: 633fddb2be50c1640b41213723373eab1b4f536cc2e1ea8b73a8a377c803b268
                • Instruction ID: a27f7b3a91ca4c6fae8aa7f8d74547ba7c7fa7db50f7c2e3242cac358f1b5b32
                • Opcode Fuzzy Hash: 633fddb2be50c1640b41213723373eab1b4f536cc2e1ea8b73a8a377c803b268
                • Instruction Fuzzy Hash: 5131A0727002169FE310CF19DC80A16F7E9FF893A4B22862AE955C7351EB31F8158B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LocalSize.KERNEL32(00000000), ref: 1001341E
                • LocalFree.KERNEL32(00000000), ref: 1001342A
                • LocalSize.KERNEL32(00000000), ref: 10013445
                • LocalFree.KERNEL32(00000000), ref: 10013451
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Local$FreeSize
                • String ID:
                • API String ID: 2726095061-0
                • Opcode ID: aaccef850a459a913de49db2cc7268e570c88ae9b1177bf81f9497e23b4d07ff
                • Instruction ID: edeec14e4cc59e26010fbe5352bb8f3fa6d62ab776fe34c3a72966264372e779
                • Opcode Fuzzy Hash: aaccef850a459a913de49db2cc7268e570c88ae9b1177bf81f9497e23b4d07ff
                • Instruction Fuzzy Hash: 7731CFB9104641ABD311DF24C885BAFF7D9FF84250F04CA19F8A58B291CF34E88986A6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006137,00000000), ref: 10006570
                • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006137,00000000), ref: 10006597
                • GetProcessHeap.KERNEL32(00000000,10006137,?,10006137,00000000), ref: 100065A0
                • HeapFree.KERNEL32(00000000), ref: 100065A7
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: Free$Heap$LibraryProcessVirtual
                • String ID:
                • API String ID: 548792435-0
                • Opcode ID: 4fb1001e4b1a7667773ce3d2e8efbcb68924b30b108a7091f8a1800d45f00e20
                • Instruction ID: c47dd3a19aa23738afc325b14044b90395af6d826a36c0f12a94c81f5f5cde2b
                • Opcode Fuzzy Hash: 4fb1001e4b1a7667773ce3d2e8efbcb68924b30b108a7091f8a1800d45f00e20
                • Instruction Fuzzy Hash: 74115735600B119BE720CF69CC84F57B3E9AF88691F218A18F55AC7298CB30F8418B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10093BAC,000000FF,1001A7DA), ref: 1000414C
                • CloseHandle.KERNEL32(?), ref: 1000416F
                • CloseHandle.KERNEL32(?), ref: 10004178
                • WSACleanup.WS2_32 ref: 1000417A
                  • Part of subcall function 10004690: setsockopt.WS2_32(?,0000FFFF,00000080,00001F95), ref: 100046BA
                  • Part of subcall function 10004690: CancelIo.KERNEL32(?), ref: 100046C7
                  • Part of subcall function 10004690: InterlockedExchange.KERNEL32(?,00000000), ref: 100046D6
                  • Part of subcall function 10004690: closesocket.WS2_32(?), ref: 100046E3
                  • Part of subcall function 10004690: SetEvent.KERNEL32(00001F95), ref: 100046F0
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                • String ID:
                • API String ID: 136543108-0
                • Opcode ID: 3c31ecc3efc9b7a95a06bdecb3c519a04da91a893abd3ff5a1b2600400951ae3
                • Instruction ID: 07a29b8234a850fa379c3b3bc20d63775bdbb319667b4160076f0621524ca994
                • Opcode Fuzzy Hash: 3c31ecc3efc9b7a95a06bdecb3c519a04da91a893abd3ff5a1b2600400951ae3
                • Instruction Fuzzy Hash: E0118278108B41DFD314DF24C844796B7E8EF95660F108B0DF4AA432D1DBB8A4058B63
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #537.MFC42(?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F827
                • #940.MFC42(?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F85E
                • #535.MFC42(?,?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F86F
                • #800.MFC42(?,?,?,?,?,1009438F,000000FF,10007091,?,00000000,00000000), ref: 1000F885
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: #535#537#800#940
                • String ID:
                • API String ID: 1382806170-0
                • Opcode ID: a67a41b0cfc148ec8c8e9a3f9276604de8997e82962922074fa98d43e7c6a1f2
                • Instruction ID: 7ef697e53fde7206ed55e2e9f33ed6a6957419e653b5ee056a74f682a86ecc0b
                • Opcode Fuzzy Hash: a67a41b0cfc148ec8c8e9a3f9276604de8997e82962922074fa98d43e7c6a1f2
                • Instruction Fuzzy Hash: B201AD795087419FE304DF14C8A0BABBBE4EB85764F408A0CF4A587391CB74A90ACB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WS2_32(00000002,00000001,00000000), ref: 1002824A
                • htons.WS2_32 ref: 10028272
                • connect.WS2_32(00000000,?,00000010), ref: 10028285
                • closesocket.WS2_32(00000000), ref: 10028291
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: closesocketconnecthtonssocket
                • String ID:
                • API String ID: 3817148366-0
                • Opcode ID: 8db1c2852fbf6de43b2290949b5900205c27bc44c2949a0c7132525fa41f41c7
                • Instruction ID: 22dca3e1e4bfc97464a196a2ebd19a3bb14afc07c97539a9e126fe182ba36b14
                • Opcode Fuzzy Hash: 8db1c2852fbf6de43b2290949b5900205c27bc44c2949a0c7132525fa41f41c7
                • Instruction Fuzzy Hash: FEF068385146316BE700EB789C897DA77E0EF84324FD08B49F968922D1E27595044786
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __EH_prolog.LIBCMT ref: 00413FBC
                  • Part of subcall function 004190C7: __EH_prolog.LIBCMT ref: 004190CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: ToolbarWindow32$msctls_statusbar32
                • API String ID: 3519838083-2050637958
                • Opcode ID: aff108c711e920eb350eb8162a27905658c12fa189059d4ac9f947bfe7b63cbc
                • Instruction ID: fc65fcf0ce57719b28ac5d9deca5836cf4aeee06c584b70b7ccd814ebac03b51
                • Opcode Fuzzy Hash: aff108c711e920eb350eb8162a27905658c12fa189059d4ac9f947bfe7b63cbc
                • Instruction Fuzzy Hash: A631E471C45248AECB01EBF888559EDBBB8EF5A300F20418FE455A3282DA745E49CB79
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: SetLayeredWindowAttributes$User32.dll
                • API String ID: 3519838083-2510956139
                • Opcode ID: b8c50c929015d896256776c1d14f10529acc58ae289994a235b140e70cd3dc9e
                • Instruction ID: f2122eaac543ee4e87c9681b6cdebff770e5921032e0c60e68518806e08118d5
                • Opcode Fuzzy Hash: b8c50c929015d896256776c1d14f10529acc58ae289994a235b140e70cd3dc9e
                • Instruction Fuzzy Hash: A4F0F43160528467CB11FB79AC99BEEBFAAFF42700F50841AF08157103D768854A976E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 100284B0: Sleep.KERNEL32(00000064,?,?), ref: 100284C1
                  • Part of subcall function 100284B0: wsprintfA.USER32 ref: 100284EC
                  • Part of subcall function 100284B0: closesocket.WS2_32(00000000), ref: 10028504
                  • Part of subcall function 100284B0: TerminateThread.KERNEL32(?,00000000), ref: 1002853C
                  • Part of subcall function 100284B0: CloseHandle.KERNEL32(101281A0), ref: 10028543
                • gethostbyname.WS2_32(10125F08), ref: 10020038
                • inet_ntoa.WS2_32(?), ref: 1002005B
                  • Part of subcall function 10028370: _snprintf.MSVCRT ref: 100283AF
                  • Part of subcall function 10028370: recv.WS2_32(00000000,?,00000002,00000000), ref: 10028411
                  • Part of subcall function 10028370: CreateThread.KERNEL32(00000000,00000000,100282D0,?,00000000,?), ref: 10028460
                  • Part of subcall function 10028370: CloseHandle.KERNEL32(00000000), ref: 10028474
                  • Part of subcall function 10028370: closesocket.WS2_32(00000000), ref: 10028491
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2738937836.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.2738921571.0000000010000000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100B3000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100C4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100D4000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2738995622.00000000100E6000.00000002.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp
                • Associated: 00000000.00000002.2739100520.0000000010193000.00000002.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                • String ID: 127.0.0.1
                • API String ID: 4129115345-3619153832
                • Opcode ID: 3127bca142eeb0dee729590faca30ecd951611b2bafa03f8443dbabea8c94e0b
                • Instruction ID: 026e4382940332dfb88badba6c530e3eb84783eef4c7ac35e136fe66c6fb16fa
                • Opcode Fuzzy Hash: 3127bca142eeb0dee729590faca30ecd951611b2bafa03f8443dbabea8c94e0b
                • Instruction Fuzzy Hash: 6BE06DBA210100ABC304DB68D884DEBB3E5EBCC710B04C519F84AD7310C634B841C760
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2737120507.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.2737102467.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000004FD000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000050D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000055F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.000000000057D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737120507.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737388952.00000000005DB000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737411023.00000000005EF000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737427969.00000000005F0000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737450603.00000000005F8000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737470203.00000000005FE000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737526430.0000000000690000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737567967.00000000006D1000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737586151.00000000006D3000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737604176.00000000006D5000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737621483.00000000006D6000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2737680314.0000000000731000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Yara matches
                Similarity
                • API ID: H_prolog
                • String ID: Button$GroupBox$Radio$Static
                • API String ID: 3519838083-1181569466
                • Opcode ID: 36e0e9323c7946253ca7c7860a4c718b6ee46ea2b60f189a1149cb16c79b441e
                • Instruction ID: 563dbf6bdf59c30974a92fc3ca0533c7eb6812272e92fe5cefcaad2ef3dacaa8
                • Opcode Fuzzy Hash: 36e0e9323c7946253ca7c7860a4c718b6ee46ea2b60f189a1149cb16c79b441e
                • Instruction Fuzzy Hash: C431A661C46198ADDB45E7F8C855AEDBFB5DF1A300F24808EE86567282EA741D0DCB38
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:0.3%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:69.5%
                Total number of Nodes:226
                Total number of Limit Nodes:23
                execution_graph 65105 1400e73 LdrInitializeThunk 65106 145f123 65107 145f160 65106->65107 65115 145f151 65106->65115 65111 145f166 65107->65111 65116 145f579 65107->65116 65109 145f579 LdrInitializeThunk 65109->65111 65110 145f184 65110->65111 65112 145f579 LdrInitializeThunk 65110->65112 65113 145f1a0 65112->65113 65113->65111 65114 145f579 LdrInitializeThunk 65113->65114 65114->65115 65115->65109 65115->65111 65115->65115 65121 1400b73 LdrInitializeThunk 65116->65121 65118 145f5a8 65120 145f5df 65118->65120 65122 1400b73 LdrInitializeThunk 65118->65122 65120->65110 65121->65118 65122->65120 65123 1449343 65124 1449372 65123->65124 65133 1400d13 LdrInitializeThunk 65124->65133 65126 144938b 65134 1400be3 LdrInitializeThunk 65126->65134 65128 144939a 65135 1401053 LdrInitializeThunk 65128->65135 65130 14493a2 65136 1400c03 LdrInitializeThunk 65130->65136 65132 14493a8 65133->65126 65134->65128 65135->65130 65136->65132 65137 1400cad 65138 1400cc2 LdrInitializeThunk 65137->65138 65139 1400cb4 65137->65139 65140 13d5163 65141 13d520f 65140->65141 65145 13d6b62 65141->65145 65146 13d5380 65141->65146 65142 13d54c6 65143 13d56c8 65142->65143 65175 13d550f 65142->65175 65266 1484510 GetPEB GetPEB 65143->65266 65204 13d566d ___swprintf_l 65145->65204 65259 1415c0b 65145->65259 65146->65142 65161 13d570c 65146->65161 65148 13d6de2 GetPEB 65152 13d6e1a 65148->65152 65149 13d5d52 65155 13d5d7b 65149->65155 65174 13d5d93 65149->65174 65150 1484510 GetPEB GetPEB 65150->65161 65151 13d5bd6 65232 13ce5d8 65151->65232 65153 13d6bd3 65157 13d6c30 65153->65157 65158 13d6c20 GetPEB 65153->65158 65153->65204 65154 13d565e 65265 13bd215 35 API calls 65154->65265 65271 1484510 GetPEB GetPEB 65155->65271 65167 13d6c49 65157->65167 65168 13d6c3a GetPEB 65157->65168 65158->65157 65161->65150 65162 13d5999 65161->65162 65162->65151 65163 13d59e2 65162->65163 65165 13d5bbc 65163->65165 65200 13d5a06 65163->65200 65164 13d5bf6 65171 13d6b22 65164->65171 65186 13d5c26 
65164->65186 65164->65204 65269 1484510 GetPEB GetPEB 65165->65269 65166 13d56bf 65166->65149 65170 13d5cf2 GetPEB 65166->65170 65177 13d6c71 65167->65177 65178 13d6c61 GetPEB 65167->65178 65168->65167 65173 13d5cff GetPEB 65170->65173 65185 13d5d1a 65170->65185 65281 1484510 GetPEB GetPEB 65171->65281 65173->65185 65213 13d6016 65174->65213 65230 13d5ddf 65174->65230 65273 1484510 GetPEB GetPEB 65174->65273 65176 13d5621 65175->65176 65264 1484510 GetPEB GetPEB 65175->65264 65176->65154 65176->65166 65180 13d6c7b GetPEB 65177->65180 65195 13d6ca3 65177->65195 65178->65177 65181 13d6c8a 65180->65181 65180->65195 65181->65195 65196 13d6c93 GetPEB 65181->65196 65182 13d5b4b 65268 13bd215 35 API calls 65182->65268 65183 13d69e4 ___swprintf_l 65189 13d6aca GetPEB 65183->65189 65198 13d6a30 65183->65198 65190 13d5d43 GetPEB 65185->65190 65186->65166 65187 13d5c7b 65186->65187 65270 13bd215 35 API calls 65187->65270 65189->65204 65190->65149 65191 13d606e 65214 13d64da 65191->65214 65221 13d6089 65191->65221 65193 13d6cc9 GetPEB 65202 13d6cd9 65193->65202 65194 13d5e2e 65194->65204 65272 13ee043 LdrInitializeThunk 65194->65272 65195->65193 65195->65202 65196->65195 65199 13d6a8a GetPEB 65198->65199 65199->65204 65205 13d5b08 65200->65205 65267 1484510 GetPEB GetPEB 65200->65267 65207 13d6cfc 65202->65207 65208 13d6cec GetPEB 65202->65208 65203 13d6d33 GetPEB 65211 13d6d49 65203->65211 65204->65148 65204->65152 65205->65166 65205->65182 65206 13d6752 65223 13d67ae 65206->65223 65225 13d6875 65206->65225 65206->65230 65207->65203 65208->65207 65210 13d6328 65227 13d639e 65210->65227 65274 1484510 GetPEB GetPEB 65210->65274 65211->65204 65282 1484510 GetPEB GetPEB 65211->65282 65213->65191 65213->65204 65217 13d669a 65213->65217 65277 13bd215 35 API calls 65213->65277 65280 1484510 GetPEB GetPEB 65213->65280 65214->65230 65276 1484510 GetPEB GetPEB 65214->65276 65217->65206 65220 13d66f5 GetPEB 65217->65220 65219 1484510 GetPEB GetPEB 65219->65221 65222 13d6702 GetPEB 
65220->65222 65228 13d671d 65220->65228 65221->65210 65221->65219 65222->65228 65223->65230 65278 1484510 GetPEB GetPEB 65223->65278 65225->65230 65279 1484510 GetPEB GetPEB 65225->65279 65227->65230 65275 1484510 GetPEB GetPEB 65227->65275 65231 13d6743 GetPEB 65228->65231 65230->65183 65230->65194 65231->65206 65233 13ce602 65232->65233 65234 13ce606 65233->65234 65236 13ce648 65233->65236 65289 13d0035 35 API calls 65234->65289 65238 13ce618 65236->65238 65241 13ce6bf 65236->65241 65283 13bd1e3 65236->65283 65238->65164 65243 13ce6c9 65241->65243 65291 1400c93 LdrInitializeThunk 65241->65291 65243->65238 65288 1400c93 LdrInitializeThunk 65243->65288 65245 13ce71e 65245->65238 65290 13f0070 6 API calls 65245->65290 65247 13ce749 65247->65238 65248 1422ff1 GetPEB 65247->65248 65249 13ce770 65247->65249 65250 1423001 GetPEB 65248->65250 65249->65250 65253 13ce77b 65249->65253 65251 1423014 65250->65251 65250->65253 65251->65253 65254 142302c GetPEB 65251->65254 65252 1423057 GetPEB 65255 13ce792 65252->65255 65253->65252 65253->65255 65254->65253 65257 1423070 GetPEB 65255->65257 65258 13ce79d 65255->65258 65256 142309b GetPEB 65256->65238 65257->65258 65258->65238 65258->65256 65260 13bd1e3 2 API calls 65259->65260 65261 1415c32 65260->65261 65293 1400c93 LdrInitializeThunk 65261->65293 65263 1415c48 65263->65153 65264->65176 65265->65204 65266->65204 65267->65205 65268->65204 65269->65204 65270->65204 65271->65204 65272->65204 65273->65213 65274->65227 65275->65230 65276->65230 65277->65213 65278->65230 65279->65230 65280->65213 65281->65204 65282->65204 65284 13bd207 65283->65284 65286 13bd20f 65283->65286 65284->65286 65292 1484510 GetPEB GetPEB 65284->65292 65287 1400c93 LdrInitializeThunk 65286->65287 65287->65241 65288->65245 65289->65238 65290->65247 65291->65241 65292->65286 65293->65263 65294 13d1de3 65295 13d1e8a 65294->65295 65296 13d1e61 65294->65296 65298 13d1ed2 GetPEB 65295->65298 65302 13d1eb1 65295->65302 65368 1484510 GetPEB GetPEB 65296->65368 
65300 13d1edf 65298->65300 65301 13d1ef4 65298->65301 65299 13d1e74 65300->65301 65303 13d1ee4 GetPEB 65300->65303 65304 13d1efe GetPEB 65301->65304 65310 13d1f0d 65301->65310 65303->65301 65304->65310 65305 13d2fc0 65308 13d2ff1 65305->65308 65378 1484510 GetPEB GetPEB 65305->65378 65306 13d20c3 65307 13d210a GetPEB 65306->65307 65318 13d2123 65306->65318 65307->65318 65312 13d300d GetPEB 65308->65312 65321 13d3023 65308->65321 65310->65305 65310->65306 65360 13d1faa 65310->65360 65311 13d29a7 65314 13d29da 65311->65314 65322 13d29c3 65311->65322 65312->65321 65313 13d297d 65373 13bd215 35 API calls 65313->65373 65328 13d2e3a 65314->65328 65334 13d29f0 65314->65334 65314->65360 65316 13d31ad 65320 13d2493 65318->65320 65343 13d2929 65318->65343 65346 13d21fb 65318->65346 65359 13d235e 65318->65359 65371 1484510 GetPEB GetPEB 65320->65371 65323 13d306b GetPEB 65321->65323 65326 13d3084 65321->65326 65374 13bd215 35 API calls 65322->65374 65323->65326 65335 13d30c0 GetPEB 65326->65335 65336 13d30d3 65326->65336 65327 13d2c71 65353 13d2ce7 65327->65353 65375 1484510 GetPEB GetPEB 65327->65375 65328->65360 65377 1484510 GetPEB GetPEB 65328->65377 65330 13d234f 65370 13bd215 35 API calls 65330->65370 65331 13d23ad 65337 13d23f2 GetPEB 65331->65337 65331->65359 65334->65327 65358 1484510 GetPEB GetPEB 65334->65358 65335->65336 65341 13d30dd GetPEB 65336->65341 65354 13d3105 65336->65354 65338 13d23ff GetPEB 65337->65338 65352 13d241a 65337->65352 65338->65352 65339 13bd215 35 API calls 65362 13d24f2 65339->65362 65340 13d2881 65342 13d28c9 GetPEB 65340->65342 65340->65343 65345 13d30ec 65341->65345 65341->65354 65348 13d28d6 GetPEB 65342->65348 65361 13d28f1 65342->65361 65343->65311 65343->65313 65344 13d262a GetPEB 65349 13d2637 GetPEB 65344->65349 65344->65362 65345->65354 65355 13d30f5 GetPEB 65345->65355 65347 13d230f 65346->65347 65369 1484510 GetPEB GetPEB 65346->65369 65347->65330 65347->65331 65348->65361 65349->65362 65351 13d3135 GetPEB 65363 13d3148 
65351->65363 65356 13d2440 GetPEB 65352->65356 65353->65360 65376 1484510 GetPEB GetPEB 65353->65376 65354->65351 65354->65363 65355->65354 65356->65359 65358->65334 65359->65362 65372 1484510 GetPEB GetPEB 65359->65372 65379 13d31d3 LdrInitializeThunk 65360->65379 65365 13d291a GetPEB 65361->65365 65362->65339 65362->65340 65362->65343 65362->65344 65364 1484510 GetPEB GetPEB 65362->65364 65366 13d2678 GetPEB 65362->65366 65363->65360 65367 13d315b GetPEB 65363->65367 65364->65362 65365->65343 65366->65362 65367->65360 65368->65299 65369->65347 65370->65359 65371->65359 65372->65362 65373->65360 65374->65360 65375->65353 65376->65360 65377->65360 65378->65308 65379->65316
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: #$?
                • API String ID: 0-2193943856
                • Opcode ID: bcfa38c3409c7b858cd1f585d79c8230c2674d2ae7d7e04c4b990b792464cb7a
                • Instruction ID: 9d26cec7054c409d2f7184eb33e79fa3fff47fc0e0cb6ef5215fb052675d10ce
                • Opcode Fuzzy Hash: bcfa38c3409c7b858cd1f585d79c8230c2674d2ae7d7e04c4b990b792464cb7a
                • Instruction Fuzzy Hash: 7013DEB2A0025ACFDB25CF69D4817ADBBF1FF49308F1481A9D959AB781D730A845CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 557fd95e002be5ae85579bb77ed6a08b49850f2ddf8d9112cf3ddefca6f25630
                • Instruction ID: 50efdd1fa0da1bab03d4460d8eee1995d39406a61d9551c717eba7b0af3af326
                • Opcode Fuzzy Hash: 557fd95e002be5ae85579bb77ed6a08b49850f2ddf8d9112cf3ddefca6f25630
                • Instruction Fuzzy Hash: 28E2D371A00219CFDB25CF69D880BAEFBF1FF49308F148199E949AB791D774A845CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1113 1401053-140105f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(013FE686,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0140105D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                • Instruction ID: f1fbd36493b9b43dd1b27881c55b4b890ae4995d64617fcdfce7fc223b740b08
                • Opcode Fuzzy Hash: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                • Instruction Fuzzy Hash: CA900231601800D245407168C8449064005ABE12117B6C121A0A98554DC959896566A5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1117 13ce5d8-13ce604 call 13ce813 1120 13ce648-13ce64c 1117->1120 1121 13ce606-13ce629 call 13d0035 call 13ceca3 1117->1121 1122 14230e1-14230e5 1120->1122 1123 13ce652-13ce660 1120->1123 1133 13ce641-13ce647 1121->1133 1146 13ce62b-13ce63b 1121->1146 1125 1423102-1423106 1122->1125 1126 14230e7-14230f2 call 1465e32 1122->1126 1127 1422f81 1123->1127 1128 13ce666-13ce66d 1123->1128 1125->1133 1134 142310c-142310f 1125->1134 1126->1125 1142 14230f4-14230f9 1126->1142 1141 1422f88-1422f8f 1127->1141 1131 13ce7e5 1128->1131 1132 13ce673-13ce67b 1128->1132 1137 13ce7ec-13ce7f1 1131->1137 1132->1137 1138 13ce681-13ce695 1132->1138 1134->1133 1139 1423115-1423125 1134->1139 1137->1138 1145 13ce7f7 1137->1145 1143 1422f94 1138->1143 1144 13ce69b-13ce6ba call 13bd1e3 call 1400c93 1138->1144 1139->1133 1141->1138 1142->1125 1147 14230fb-14230fd 1142->1147 1150 1422f9c-1422fa1 1143->1150 1159 13ce6bf-13ce6c3 1144->1159 1145->1141 1146->1133 1149 1422f72-1422f7c call 147bb69 1146->1149 1147->1133 1149->1133 1153 1422fa3-1422faa 1150->1153 1154 1422fd1-1422fd3 1150->1154 1157 1422faf-1422fcc call 1400c93 1153->1157 1158 1422fac 1153->1158 1160 13ce6cc-13ce6db 1154->1160 1161 1422fd9-1422fe2 1154->1161 1157->1150 1168 1422fce 1157->1168 1158->1157 1159->1150 1163 13ce6c9 1159->1163 1164 13ce7fc 1160->1164 1165 13ce6e1-13ce6ff call 13f4a6d 1160->1165 1161->1122 1163->1160 1164->1149 1170 14230d0-14230dc call 13bdbbd 1165->1170 1171 13ce705-13ce719 call 1400c93 1165->1171 1168->1154 1170->1122 1174 13ce71e-13ce722 1171->1174 1175 13ce728-13ce74b call 13f0070 1174->1175 1176 14230cd 1174->1176 1179 1422fe7 1175->1179 1180 13ce751-13ce753 1175->1180 1176->1170 1183 1422ff1-1422ffa GetPEB 1179->1183 1180->1176 1181 13ce759-13ce76a call 13d1dc3 1180->1181 1181->1183 1185 13ce770-13ce775 1181->1185 1186 1423001-142300e GetPEB 1183->1186 1185->1186 1188 13ce77b-13ce78c call 13d1dc3 1185->1188 1187 1423014-142302a call 147d4f6 call 13d1dc3 1186->1187 
1186->1188 1199 1423037-1423052 call 147d6e6 1187->1199 1200 142302c-1423035 GetPEB 1187->1200 1194 1423057-1423060 GetPEB 1188->1194 1195 13ce792-13ce797 1188->1195 1198 1423067-142306e call 13d1dc3 1194->1198 1197 13ce79d-13ce7a4 call 13d1dc3 1195->1197 1195->1198 1206 13ce7aa-13ce7b2 1197->1206 1207 142309b-14230a4 GetPEB 1197->1207 1209 1423070-1423079 GetPEB 1198->1209 1210 142307b-1423096 call 147d6e6 1198->1210 1199->1188 1200->1199 1212 13ce7b8-13ce7c2 1206->1212 1213 14230ae-14230bb call 147bfd2 1206->1213 1207->1213 1209->1210 1210->1207 1215 13ce7da-13ce7e0 1212->1215 1216 13ce7c4-13ce7d4 1212->1216 1218 14230c0-14230c8 call 147bb69 1213->1218 1215->1133 1216->1215 1216->1218 1218->1215
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52e5a72878acd0b637f53f5210760532c0103190f0d3b64bb80d60b7b35f2b0a
                • Instruction ID: c7f093f6c5248ed987718527c71e99036138dd82a84365e34838631f83515483
                • Opcode Fuzzy Hash: 52e5a72878acd0b637f53f5210760532c0103190f0d3b64bb80d60b7b35f2b0a
                • Instruction Fuzzy Hash: ACB12332600656AFDB15CB68C890BBEBFFABF48608F18056AE542873A1D734ED41DB50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1103 1400cad-1400cb2 1104 1400cc2-1400cc9 LdrInitializeThunk 1103->1104 1105 1400cb4-1400cbb 1103->1105
                APIs
                • LdrInitializeThunk.NTDLL(0144978A,000000FF,00000007,00000000,00000004,00000000,?,?,?,0144949C,00000065,00000000,?,01448A31,FFFFFFE0,00000000), ref: 01400CC7
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                • Instruction ID: d4a278fd16979b278c8b01ca5595476d22e36c43edc0d5a03170419f0f09bd2d
                • Opcode Fuzzy Hash: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                • Instruction Fuzzy Hash: 24B09B71906DC5D5DA16F7648608B17790467D0741F76C076E1030755B8738C191F275
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1114 1401083-140108f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(014983A7,?,00100080,00000018,?,00000000,00000000,00000007,00000001,00000020,00000000,00000000,76EA5A68,00000000,?,?), ref: 0140108D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                • Instruction ID: 52ea3a1bfe49ca4497603a7c7aeba830978ab11dc6f7cd3ffbc77b97a477a51e
                • Opcode Fuzzy Hash: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                • Instruction Fuzzy Hash: 93900231211C00D2D60075688C14B07000587D0303FB6C115A0254558CCD1589616561
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1107 1400b73-1400b7f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(0143FCE4,?,00000000,00000000,00000000,?,?,00000004,00000030,00000000,?,00100001,?,?,00000005,00000060), ref: 01400B7D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 86276baadd0a6f8d7d7dbe651620013fe57213813097658a0b9f257221dea9ea
                • Instruction ID: 12c6cba3fdbbdc8eff8bfe0daf956e4397acb8111a748b58c9dd0c2ddeca9ea2
                • Opcode Fuzzy Hash: 86276baadd0a6f8d7d7dbe651620013fe57213813097658a0b9f257221dea9ea
                • Instruction Fuzzy Hash: 3E900235211800930505B5584704507004687D53513B6C021F1115554CDA2189616161
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1115 14023e3-14023ef LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(01474C6E,?,00010007), ref: 014023ED
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: bda0a07a9d1d617d10003eecd002a9b528813f507aae15ff61f6aca5c8a7f0a7
                • Instruction ID: 17a9d86bda039369e1dc55716b4da23c424b6a74c85100243c277696fa841cd1
                • Opcode Fuzzy Hash: bda0a07a9d1d617d10003eecd002a9b528813f507aae15ff61f6aca5c8a7f0a7
                • Instruction Fuzzy Hash: B3900231605C00A2954071588884546400597E0301BB6C011E0524558CCE148A5663A1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1108 1400be3-1400bef LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(0141DD1B,000000FE,00000005,?,00000004,000000FE,00000000,00000001), ref: 01400BED
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                • Instruction ID: fd162d09187195704d1a5487c24e7ee05acbcbafa838542260557f549b872b82
                • Opcode Fuzzy Hash: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                • Instruction Fuzzy Hash: 9490023120180492D50071988404706000587D0201FB6C412E062455CDCA5589517571
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1111 1400d13-1400d1f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(0144962E,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,01449472,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260), ref: 01400D1D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                • Instruction ID: 5e4434a41b56dcab8794d83cf17c84d42851e9d31ee7a6c4386824e225b1f118
                • Opcode Fuzzy Hash: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                • Instruction Fuzzy Hash: 8C90023120188892D5107158C40474A000587D0301FBAC411A452465CDCA9589917161
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1109 1400c03-1400c0f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(014495FE,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 01400C0D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                • Instruction ID: a7c3278bab233e358864312cb0a9fac2fa44294094936769d81f40b09dbb6f4b
                • Opcode Fuzzy Hash: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                • Instruction Fuzzy Hash: AA90027120280093450571588414616400A87E0201BB6C021E1114594DC92589917165
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1110 1400c93-1400c9f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(01449400,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260,0000001C,01449159), ref: 01400C9D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                • Instruction ID: f493f41ee4575846753655f81b4abaab26142dd9efb5aad95f225d96354de1fb
                • Opcode Fuzzy Hash: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                • Instruction Fuzzy Hash: 7290023120180892D5807158840464A000587D1301FF6C015A0125658DCE158B5977E1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1112 1400e73-1400e7f LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(01417246,00000000,76FA4F4C), ref: 01400E7D
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                • Instruction ID: ba355d8e859d6816615315c8d49fa765a9c66f78f412bfb7516d1d93b4bf5fbd
                • Opcode Fuzzy Hash: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                • Instruction Fuzzy Hash: 10900231242841E25945B1588404507400697E02417F6C012A1514954CC9269956E661
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1116 14026f3-14026ff LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(01474B3D,?,00000000), ref: 014026FD
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 702c7e317ab3f53b736964da102ab380ae45d93e5f7a9feff75c1bb93bc30af3
                • Instruction ID: d3738fe992ee4f186145fced47513772438de4ca036a9cc469de244c76204be5
                • Opcode Fuzzy Hash: 702c7e317ab3f53b736964da102ab380ae45d93e5f7a9feff75c1bb93bc30af3
                • Instruction Fuzzy Hash: 6A900271601900D2454071588804406600597E13013F6C115A0654564CCA188955A2A9
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1234 11ee032-11ee051 1235 11ee059-11ee05a 1234->1235
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 473c41ff5673fa56e5c057575f8e9ff341237877b86de56b8bc45543705a2d35
                • Instruction ID: 853df4af9f930dda35d1ef40220426acafc6a2d0d0f54a63a5eb636eb6beb8bb
                • Opcode Fuzzy Hash: 473c41ff5673fa56e5c057575f8e9ff341237877b86de56b8bc45543705a2d35
                • Instruction Fuzzy Hash: DBD06C7700014DBFDF129E85EC05EDA7F2AEB58370F158201BE38451A1CA76D9B1ABA5
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: $9$B
                • API String ID: 0-1781792629
                • Opcode ID: 069c6924609680c000d3b7ebdb5eee725fc08e8509ef3aa434903e397a29de58
                • Instruction ID: 4bdb681508c35d1e30891d406fd819a744b092f35002b0d5081d817653ebf91f
                • Opcode Fuzzy Hash: 069c6924609680c000d3b7ebdb5eee725fc08e8509ef3aa434903e397a29de58
                • Instruction Fuzzy Hash: 4FB25D759106658FDB25DF18CC88BA9BBB4FF48300F0442EAEA49E7292D7749E81CF54
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @$@
                • API String ID: 0-149943524
                • Opcode ID: 1b90abc5e92fa64ba6e7e4503df2116b7bda8312d640ac3428d8fb2ac84fe701
                • Instruction ID: 4e01127398de6309634d5ee616c8b7eb79ef492828c5dab9edea5155dee48121
                • Opcode Fuzzy Hash: 1b90abc5e92fa64ba6e7e4503df2116b7bda8312d640ac3428d8fb2ac84fe701
                • Instruction Fuzzy Hash: E0D12C752187419FD725CF69D984AABBBF8BF88604F00492EFA95C3251DB30E909CB12
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: f2dadd03a0f1952966ab383ee6b88dcbfe2e3d5e8c1163c45762e3bd9de8fed6
                • Instruction ID: 3caa6e881925a377dacee92b0f7408ae5459c90824d8f2721b291424828e9c4e
                • Opcode Fuzzy Hash: f2dadd03a0f1952966ab383ee6b88dcbfe2e3d5e8c1163c45762e3bd9de8fed6
                • Instruction Fuzzy Hash: 8022D2702047528BEB25CF2DC050377BBE9AF45348F08845BD9868F3A6E735D892CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: b
                • API String ID: 0-1908338681
                • Opcode ID: fd0667ca4808c39be283fc7c1d043c500c6047f4b184a9e16f1b8eb7aef6dfff
                • Instruction ID: fd34909b7f25d253e7c6fd531e4aa493a74c325014dc25db3e6bda5dc527abf1
                • Opcode Fuzzy Hash: fd0667ca4808c39be283fc7c1d043c500c6047f4b184a9e16f1b8eb7aef6dfff
                • Instruction Fuzzy Hash: 44C18B31668712AFD7369F58D848E6BBBF4FB84714F41491DF2428B1A1DBB0C584CB52
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 234a2ec37e52f70ab36f2184ae73dd2852c6fa0a207d18d75a329888d1c317b4
                • Instruction ID: db28bb8d867e7c9608b848b800a636576bd2d55d872be52672cf049e323e6d23
                • Opcode Fuzzy Hash: 234a2ec37e52f70ab36f2184ae73dd2852c6fa0a207d18d75a329888d1c317b4
                • Instruction Fuzzy Hash: 9691E372901209BBDB22DF99DC84FAFBB7DEF54748F00002AF945A7260D7749A42CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 240d474a56699767363f52b3bc88fbdb7a8c44d8b4d949d849ed51e767c1dd76
                • Instruction ID: 02321c64b2f050001f4a0790a96634c20cd713c6a06eca7088d870c3cecbdc13
                • Opcode Fuzzy Hash: 240d474a56699767363f52b3bc88fbdb7a8c44d8b4d949d849ed51e767c1dd76
                • Instruction Fuzzy Hash: 6D9150B1E2020AAFDB15DFD8D841AEEBBB4EF94700F544119FA15A7241E770A941CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: qrks
                • API String ID: 0-3937875505
                • Opcode ID: 34764878d4971910a495bcdbf876b4cf88a4bd38026f06c72d9062e9755caab1
                • Instruction ID: a4ab4da5e2cae0baf8e328be61083819f99f35cdfd85c77fdb200c3a976e59f3
                • Opcode Fuzzy Hash: 34764878d4971910a495bcdbf876b4cf88a4bd38026f06c72d9062e9755caab1
                • Instruction Fuzzy Hash: EC81B072708705AFE728CF65C888F6BBBE9EF88754F10092DFA4583240DB70D9008B96
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 656bff567101c5321c3fd3dfee73d8813b1e6674b255eac84ab4c8d977ca8145
                • Instruction ID: 8cc9568e30f1a2e0b8531e0162f2cb9f38a2a63c56c073114acefb17e3bb6287
                • Opcode Fuzzy Hash: 656bff567101c5321c3fd3dfee73d8813b1e6674b255eac84ab4c8d977ca8145
                • Instruction Fuzzy Hash: FF813676921229EFDB319F59DC4CBAEBBB8FF48700F01019AE609A7560D7759A80CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 3ec80175558fb5efd80117ac3f85eec1f65e5b4c4bba6cefbe6ac84851489442
                • Instruction ID: 3aba5c0712667ce40e2c87fe82d67cb5155d98b0b0baf4f0e9673152b4edb769
                • Opcode Fuzzy Hash: 3ec80175558fb5efd80117ac3f85eec1f65e5b4c4bba6cefbe6ac84851489442
                • Instruction Fuzzy Hash: 82714B71A10219DFDB35CB28CC48B9EBBB9EF49310F1444A9E689D6250DB70A989CF15
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 0215adcf5c100348a67a8f0b95c93870ee9c88bea12c6d52cc1ef391f3660292
                • Instruction ID: 4b275d51ff7304a097b72b349051767d7e37fb2ddb910d5ba54267fe20e17708
                • Opcode Fuzzy Hash: 0215adcf5c100348a67a8f0b95c93870ee9c88bea12c6d52cc1ef391f3660292
                • Instruction Fuzzy Hash: FD518275941219EFDB35DF58EC8DBAABBB8FB44700F0400A9F609D6250DB74AA45CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 99f5fe8d18cc861e2889fd1003a94618fadf3073e3f02b21e06a51bc8aa2521b
                • Instruction ID: c9a74adf0135fc8165db797064ded6315a03ce36012022645417b021eb4a8130
                • Opcode Fuzzy Hash: 99f5fe8d18cc861e2889fd1003a94618fadf3073e3f02b21e06a51bc8aa2521b
                • Instruction Fuzzy Hash: 934103F1E20216BBDB229E68C845BAA7AB8DF88614F058126ED05AF345E370DF048791
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: 8
                • API String ID: 0-4194326291
                • Opcode ID: f39f72767adcd3c91e7aff694f60ee6a6067bd41b8bd8ce30779852163b0982a
                • Instruction ID: b52c7b70c2ddfc724f077088adf60d4edbb34d0fdf66fa1bbd4e8702baec8294
                • Opcode Fuzzy Hash: f39f72767adcd3c91e7aff694f60ee6a6067bd41b8bd8ce30779852163b0982a
                • Instruction Fuzzy Hash: 1B514675A00658AFEF269FE4ED4CF9EBBB9FF08700F104029F606AA1A4D7759905CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 1a2377d9813c253b764f490f6264d274507a45e6c3e565301fb56869a7a187b1
                • Instruction ID: 7e5889ccae8c4449973799ecde5e93afd55bc4b04c0935fbc6e53d2a8636600f
                • Opcode Fuzzy Hash: 1a2377d9813c253b764f490f6264d274507a45e6c3e565301fb56869a7a187b1
                • Instruction Fuzzy Hash: 6A4106B1A50244BFEB21EB94DC49FAE7E78EB94B10F000155FA01BB2C1D7B5A904CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: zdbf
                • API String ID: 0-2567057744
                • Opcode ID: bbbd2bc2062b7e12b9641d6eca1da85e7704e827dd4d9f168a7fdb317c9f2bb9
                • Instruction ID: 4cf77b6604143b4b7b1f3a0bf966a076b1a4e918f472a9da60f3b7236ec7d609
                • Opcode Fuzzy Hash: bbbd2bc2062b7e12b9641d6eca1da85e7704e827dd4d9f168a7fdb317c9f2bb9
                • Instruction Fuzzy Hash: 0541F8F1760305BBF722AA588C45F2B7A699BE0B44F140116FA41FB1D1E7B0EE2186A1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: a205b546d5218423e903a6942776d44db1a7a77a4a6c1f720f0b0d75d437c05b
                • Instruction ID: c227f10e3285ccf2587de0cb977e371993babbbf5bb2919e149658869ef00ab6
                • Opcode Fuzzy Hash: a205b546d5218423e903a6942776d44db1a7a77a4a6c1f720f0b0d75d437c05b
                • Instruction Fuzzy Hash: 34419575E10209EFEB228B68D845FAEBBB8FB48750F110615FA51E72D0D734AE00DB60
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: zdbf
                • API String ID: 0-2567057744
                • Opcode ID: 443c4f691f272cc9cd39c29017844151233d80c9d3de3abd5d2c6efa493fa525
                • Instruction ID: 98a15a100c7ecc6642d4b815a0167a1cbbed7c56799dd926959c9d67f7f0a307
                • Opcode Fuzzy Hash: 443c4f691f272cc9cd39c29017844151233d80c9d3de3abd5d2c6efa493fa525
                • Instruction Fuzzy Hash: 83410A72B20305EBEB15DF99D985FAEBBB4EBC5310F104125FB01BB291C7B199408B95
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: a1a91651420e33971b85900440f673155142557c353b6986b03aa189e15f8a60
                • Instruction ID: c757c7138365b0ef90844d1c2620ee2ffe2f226598ca50d7a207a99eb60acd3b
                • Opcode Fuzzy Hash: a1a91651420e33971b85900440f673155142557c353b6986b03aa189e15f8a60
                • Instruction Fuzzy Hash: DC411A75D01229DBEB30DB54DC48F9ABABCEB44710F1141A6EA0DA7140DB749E888FA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: 9dd3d0bd82c7a4541386f5b16f1885a252c5286b3915fde5f3fd232c6d843192
                • Instruction ID: 3b3b43471e6c98ba6c7617e3ca317ea4abbdd0b9817dcceb2f6bb07fe7962b4e
                • Opcode Fuzzy Hash: 9dd3d0bd82c7a4541386f5b16f1885a252c5286b3915fde5f3fd232c6d843192
                • Instruction Fuzzy Hash: 164104B6E10216EFDB14DFA8DD41AFEB7B4EFD8700F104469EA05A7241E7709A01CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: f49ddd636004a7b66e60d81423ba011c5a7a436d2a5f6c788302b55ad59fa3f1
                • Instruction ID: edb6d4f63b8366105365f2be045fb48b4ca648a8070d3586a1d23056558975e6
                • Opcode Fuzzy Hash: f49ddd636004a7b66e60d81423ba011c5a7a436d2a5f6c788302b55ad59fa3f1
                • Instruction Fuzzy Hash: 51415BB5A1020ABFDF16CF95C8849EEBBB6FB88314F104225FA15A32A2D635CD51DB50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: b5ba759ba5685f616b2bd5425860c3ae8e3663da2a7544aca8f2322189ecff8c
                • Instruction ID: d1bbd2150f604270e910d0caf9b47733f3e1787d4802b5df0aea1a831f430fe8
                • Opcode Fuzzy Hash: b5ba759ba5685f616b2bd5425860c3ae8e3663da2a7544aca8f2322189ecff8c
                • Instruction Fuzzy Hash: D7318C75A01619EFEB25DFD5EC0DFAEBBB9EB44718F040029EA06A6140D3749A04CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: (
                • API String ID: 0-3887548279
                • Opcode ID: 6c65b8af6ce1f49bdc87f6ba4f7356f1762af0275b77a5deb7f761963443ef52
                • Instruction ID: 18b82015c2bba7ab82006dddc8900fb2cd80d124e73c6fda9f14485949ab11eb
                • Opcode Fuzzy Hash: 6c65b8af6ce1f49bdc87f6ba4f7356f1762af0275b77a5deb7f761963443ef52
                • Instruction Fuzzy Hash: 7041FFB1E0020DDFDB21CFDAD888A9EBBF6BF58314F10842AE559AB244D37858058F20
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: W
                • API String ID: 0-655174618
                • Opcode ID: 9792d7f47c08176daf449b33dad98c8a8f242582e8eaec5cc2c5e62b1507bdfb
                • Instruction ID: daa30cfbcd4bcee37c7776b904cf8a1ab231a6a6625ee8d5f82cc1aaaf6bb16a
                • Opcode Fuzzy Hash: 9792d7f47c08176daf449b33dad98c8a8f242582e8eaec5cc2c5e62b1507bdfb
                • Instruction Fuzzy Hash: 8831CE32610605EFD722CF69DC04B6ABBE9EB94B10F154529FA04D7264D779CD10CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: B
                • API String ID: 0-1255198513
                • Opcode ID: 1addde8cc0ffe01f80a15f0505d543ea7bc7b31b9322f4cbb582bd3b60a993b3
                • Instruction ID: 19d80deadc02589c3d275995bcecf72ed96b034d924f806252a917ab97674f7e
                • Opcode Fuzzy Hash: 1addde8cc0ffe01f80a15f0505d543ea7bc7b31b9322f4cbb582bd3b60a993b3
                • Instruction Fuzzy Hash: 53314272D1051DAFDB11DFA8E888AEEBBB8FB04314F104529EA16E7180D7749A55CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: \
                • API String ID: 0-2967466578
                • Opcode ID: b3a7b47c7e3692a905c287ef3156349f4d724bad1cab32be7053e91894157a52
                • Instruction ID: d69b7b9d895e1f4f73e1490ec9d5f506850ddc7ae2565faa14e030c47a3c330f
                • Opcode Fuzzy Hash: b3a7b47c7e3692a905c287ef3156349f4d724bad1cab32be7053e91894157a52
                • Instruction Fuzzy Hash: C211E4B5640600AFE325AF69DC49E7B7BBCEFC9201B014159FA86DB640EB74A901C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: df1e341b69d5cb0999de72c35126bcc6b047a401250f33e9d56c5bc30f7725b9
                • Instruction ID: 1fcc311a5a6f4c7f3e10e943fc4e5b66348bb68a94c218aeb99c0080daee6eba
                • Opcode Fuzzy Hash: df1e341b69d5cb0999de72c35126bcc6b047a401250f33e9d56c5bc30f7725b9
                • Instruction Fuzzy Hash: 18216FB1E10259ABDB25EFA9CC44BEEBFF8EB88710F01416AE905B7340D7749940CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 90ed4cd96feab16db1da407e68b741985b769aa7b7fc5da52a583a7b0a390649
                • Instruction ID: 18da1057cb8292ab9f8961354d64807ddb80f04cf33945a3a7d3e95cdcd4cb4d
                • Opcode Fuzzy Hash: 90ed4cd96feab16db1da407e68b741985b769aa7b7fc5da52a583a7b0a390649
                • Instruction Fuzzy Hash: 0D01563141491AEFDF2A9F99CC08AEE3BA6BF54388F058028FB15950A1DB398960DF51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 32b28cab6d2e28bb15fe77970879c0a2b44d8f74aaca23c41b881ed65234de92
                • Instruction ID: 4b9ee364b87e1c13b0a009e51d1ae11d3367dc4c292b47541c26dfa47cd67856
                • Opcode Fuzzy Hash: 32b28cab6d2e28bb15fe77970879c0a2b44d8f74aaca23c41b881ed65234de92
                • Instruction Fuzzy Hash: 35427F71E002198FEB64CF69C841BAEBBF6BF48304F55809AE949EB352D7349985CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57f472ba9da2f38845d392b991a57c896eb5f9d01f1bc65b25e0dd187d434f4a
                • Instruction ID: dca4ec41d2b5d24b5bc9bdad1d8b01f75b37df27dfc543d9bcaf24b4dce4528b
                • Opcode Fuzzy Hash: 57f472ba9da2f38845d392b991a57c896eb5f9d01f1bc65b25e0dd187d434f4a
                • Instruction Fuzzy Hash: 9E02A976E1022AAFDB25DFE8DC44AAEBBB9FB44710F054129EA05EB215D734DD01CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 174bd2ac8bcadb8a45e01e1178ee811306e533450b109ffee2b07fbafa08dfd1
                • Instruction ID: c0eff60663ac535096ea43c31b082f7a31bef4ce77afb48cf6f3d93e36bec49a
                • Opcode Fuzzy Hash: 174bd2ac8bcadb8a45e01e1178ee811306e533450b109ffee2b07fbafa08dfd1
                • Instruction Fuzzy Hash: 3AD1B5B5E10235ABDF329B28DC48BEE77B4EF04718F408199E70997185E7B09AC1CB54
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e93948715907eefe42a9a792114688831e10dc4073e552e835b84a4ec08e39cc
                • Instruction ID: abca1d436177ab7882ce38332c960cd1382cef18f695dd66b914c53c3c391035
                • Opcode Fuzzy Hash: e93948715907eefe42a9a792114688831e10dc4073e552e835b84a4ec08e39cc
                • Instruction Fuzzy Hash: 4EE17A71D206A6EBDF29DF9DD8806AEBBB0FF48700F15425AEA04AB355D3748941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 25944984a9f7bab46ce9e90bba168bc36ee29a6e215136a77e07a5a78a194ff2
                • Instruction ID: 9cd14512bae2973e97c567384bf31e5e64b927462be523cdb1b4d51174ba26af
                • Opcode Fuzzy Hash: 25944984a9f7bab46ce9e90bba168bc36ee29a6e215136a77e07a5a78a194ff2
                • Instruction Fuzzy Hash: 9BC19D74A00745EFDB29CF68C840ABABBF1FF45304F19845DDA86AB351E775A842CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 308fadf7efad7e05e2a4c5dc60e943f57860726c611e51072c61ac2af2fe8f64
                • Instruction ID: 090a51ee30f8f9c738231d77ff27123323c74b7d16a779787e4c0437a2fc1061
                • Opcode Fuzzy Hash: 308fadf7efad7e05e2a4c5dc60e943f57860726c611e51072c61ac2af2fe8f64
                • Instruction Fuzzy Hash: 03A18CB1A28712ABC325DF24C484A1BBBF5BFC8B54F11492DFA9497340D774DD048BA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d20a226107cc701a1f91ab3d6d2c6e7ba2fa8533db5db7e9ff9fb4d5b12c6783
                • Instruction ID: be1e059c21a6aa2722f42df8e7f66e2da3cc4ab822f8615b460b164ff4eba010
                • Opcode Fuzzy Hash: d20a226107cc701a1f91ab3d6d2c6e7ba2fa8533db5db7e9ff9fb4d5b12c6783
                • Instruction Fuzzy Hash: 39919871E04216AFEB15CF98D884BBEBBB5FF58714F19416AE600EB360D774D9018BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbddf356cff7bd844c8afdc15a8cf1ffab2fec2912b36a1306fe6789c6b69f3d
                • Instruction ID: 723053c405fd4d7524296d452e7f3bc06b4c2f6f58b4f091761e59ada00c371d
                • Opcode Fuzzy Hash: dbddf356cff7bd844c8afdc15a8cf1ffab2fec2912b36a1306fe6789c6b69f3d
                • Instruction Fuzzy Hash: A2919F31A1021A9BDB35DF55DD88BAABBF9FB68710F000199FA19A3154DB349EC0CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68a00d4fbbf9ff0ee7fc19edfafd613e5a97b9590babc77f6e67e14ebf0e648b
                • Instruction ID: f9ae224c0c9099faa3e4d7e999abf73998c9eebc8e26581a02167ff11eef752d
                • Opcode Fuzzy Hash: 68a00d4fbbf9ff0ee7fc19edfafd613e5a97b9590babc77f6e67e14ebf0e648b
                • Instruction Fuzzy Hash: 4841B4B6620202DFD72ACF28D580B2677F9FF48750B1446A9E946CB3A2E730D991CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73f5759fdfaf6257d0f5cf28c081eedcaddf6539310b49c2ef603f01196e7c5b
                • Instruction ID: 79a48882b9f01edc19f712d31f2df676f73db484d82de7a2d57a8dcc85e0737a
                • Opcode Fuzzy Hash: 73f5759fdfaf6257d0f5cf28c081eedcaddf6539310b49c2ef603f01196e7c5b
                • Instruction Fuzzy Hash: FC41C335A10225ABEB219F68DC09FAEB7B8EF58714F004019F602E72D0DB78D945CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf428971f6d8d1fae7b92506f5b58fdb8da97b794ea1e84d36d864b9ddca1aa4
                • Instruction ID: 327d566b78fd39cdfc21d94025d234dc498a40841f54d10cc7c702c1f1f0c531
                • Opcode Fuzzy Hash: bf428971f6d8d1fae7b92506f5b58fdb8da97b794ea1e84d36d864b9ddca1aa4
                • Instruction Fuzzy Hash: C6315B31F40B01BBE739AA589D48F5E76A8DB81B10F010198FA46EF281D7B4AD40C392
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ba0e3763ce38f34408126417729510c2cd04f4ec1eda92b4740a38a1991f473
                • Instruction ID: 87102c2448ff10de807218fe7b6ad47ce55144bbaf86dd2318bec049d129c64a
                • Opcode Fuzzy Hash: 5ba0e3763ce38f34408126417729510c2cd04f4ec1eda92b4740a38a1991f473
                • Instruction Fuzzy Hash: 6531EA75A50506AFDB15DFACCA849BF77FAEFD8200B158038EA15D7218DA34DE05CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e42d97f5b836a04aa78b53b2172b79b253a4b6d688ba5e51bcfe685760300c24
                • Instruction ID: 9da13dece3364c9f9aaddd6ee914055a74c734b61152e3246ca34069aa7c15f4
                • Opcode Fuzzy Hash: e42d97f5b836a04aa78b53b2172b79b253a4b6d688ba5e51bcfe685760300c24
                • Instruction Fuzzy Hash: 82410832B00A058FEB6CDEADC889BAE77D2AB80374F15423DD766C7194DF7494418644
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92697edd1913f9a0057d7659dfd528dc1e1f0b6404efa660333a3356b57208d6
                • Instruction ID: 63b3e410b7424b42cbd18f5eb4562dccc48c0d05531ec21748e017ab424343cd
                • Opcode Fuzzy Hash: 92697edd1913f9a0057d7659dfd528dc1e1f0b6404efa660333a3356b57208d6
                • Instruction Fuzzy Hash: 1B41A931A10616EFDF20DF6CC594A69BBF5FF14314F444169EA05E7688E770BA40CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b42cc2a4a62093d318971499f3eb1a9631bd66244b9260bb9d21cb29b7ed6e2a
                • Instruction ID: 1ae75f8a775c845ca5da202e75c32a8ca293a5cd764528da8a3ee0348040dc0d
                • Opcode Fuzzy Hash: b42cc2a4a62093d318971499f3eb1a9631bd66244b9260bb9d21cb29b7ed6e2a
                • Instruction Fuzzy Hash: 81413775A10506FFCB1ADF68D58496AF7B9FF88300B10856CDA4297750D730AE51CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aefcc86690199bed3af1c97f4e7df841e3562e6bdfe14e04499b40acc104f5a4
                • Instruction ID: 2db33ec96515c77ae97a75d473be46bf64bd530dabef956e8bc9254f391898fe
                • Opcode Fuzzy Hash: aefcc86690199bed3af1c97f4e7df841e3562e6bdfe14e04499b40acc104f5a4
                • Instruction Fuzzy Hash: B0414931A202A9EFEB21DF1CDC88BAD77B4EF45300F1100A5E519D7191D6B49E85CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a4a8559ff39396b04b498d9b33e7436a75ebbdbde3cd8e068cbf27f1df5b46e
                • Instruction ID: 27554daeb85a8550a4e8e2ce98232cba805a4e41daa49e61dd30814428f0bf06
                • Opcode Fuzzy Hash: 0a4a8559ff39396b04b498d9b33e7436a75ebbdbde3cd8e068cbf27f1df5b46e
                • Instruction Fuzzy Hash: 8D317FF6A202065FD725AE6CCC42B3BF764E7D0B90F944166EE02EB281F77099428640
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f546c8b09b78fa1384d3a53a827ba92d0e1071932504fe6e9b663e0d75a817e0
                • Instruction ID: 00cd229b7647ff97f73cd5b72c4bf7e43952ad2ae0e06209593d32ba2fb14619
                • Opcode Fuzzy Hash: f546c8b09b78fa1384d3a53a827ba92d0e1071932504fe6e9b663e0d75a817e0
                • Instruction Fuzzy Hash: A5414F3390135187E721AB7AD9447A63F9AA7127ACF38021EEF516E2E1C7744485C7A3
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8ae1ccfab7d8ad6ccc193be1c4a1f941b3e2b80b1ad515eff39a62f0c165cb85
                • Instruction ID: 26b53f8854aacb7dedc77b6b65f40ff210d99ea650a1ac970381155529893bd6
                • Opcode Fuzzy Hash: 8ae1ccfab7d8ad6ccc193be1c4a1f941b3e2b80b1ad515eff39a62f0c165cb85
                • Instruction Fuzzy Hash: 50417171600B01ABDB22DF6AC940F9BBBECAF50650F10452FF5A6D72A0D730E600CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 658f939076bf76904264f2e5e2e85cb769bf06e3222d64df51915fddac4e52ec
                • Instruction ID: 52b59569a2695a1d4ff715592c359a3653017e0dc12b6abec0dae66643a9b4a9
                • Opcode Fuzzy Hash: 658f939076bf76904264f2e5e2e85cb769bf06e3222d64df51915fddac4e52ec
                • Instruction Fuzzy Hash: 1831E172210A46BFDB32AF94CC44F6ABBBAEFA4B04F144468F6419B160C770ED01D750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b5730ddd7e485c88a876c0d443edce0c7aee4940f2fa8290ef98ebe7863ccb1f
                • Instruction ID: 4abcfabc33529611d84c56610fadd419e944aa210a38b161033c395f36c9c004
                • Opcode Fuzzy Hash: b5730ddd7e485c88a876c0d443edce0c7aee4940f2fa8290ef98ebe7863ccb1f
                • Instruction Fuzzy Hash: E2416639901149EFDB25AFB8D84CAAE7BB8FF08341F02446AF606D7260D734DA40CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: de54755fa93f0d75e42b1a984281c98cd4890e30c187986704976eb63f248411
                • Instruction ID: 151cc017ebfcf569f8cb9cbf2f16c3cb72ebf43afca4b3875f761b6d0d8c87e2
                • Opcode Fuzzy Hash: de54755fa93f0d75e42b1a984281c98cd4890e30c187986704976eb63f248411
                • Instruction Fuzzy Hash: 5C310331A20142AFDB25DF6CC841A6EBBF6FFA8710F150429E606D7358EB709D41C794
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 924987a41cd501ba1f52f21862ddeb21a4b747b3219ba790bc07a52f8800cd36
                • Instruction ID: 7806ea8d2e4e7ea133ffffe9c3bde5fc2a53231628e175137935686ae5b2761b
                • Opcode Fuzzy Hash: 924987a41cd501ba1f52f21862ddeb21a4b747b3219ba790bc07a52f8800cd36
                • Instruction Fuzzy Hash: 8F314835E10269EFDB25EF6CDC85BED7BB4EB1A304F000065E66997240D6B09D81CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e12e3b22be0b5c8d330d318cca98b727e05a9d24f55c4f22f7c1891ae246e04
                • Instruction ID: 24905c045f3968f1ed9a55b01fb46e328d46224d4007218d1e5410697810f19e
                • Opcode Fuzzy Hash: 6e12e3b22be0b5c8d330d318cca98b727e05a9d24f55c4f22f7c1891ae246e04
                • Instruction Fuzzy Hash: 9631B4B1610205AFEB25EF54DD99FAB7674EFD4700F004169EA0A9F191DB70AE00C761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d252d607797a1d340657c74fef1c7436c8293e30a01df461cb629b790bf1a68
                • Instruction ID: b0a91b0a1919c67c1234b1b96bda6620caa068b2a40a0fbd61b7c5368c8069de
                • Opcode Fuzzy Hash: 9d252d607797a1d340657c74fef1c7436c8293e30a01df461cb629b790bf1a68
                • Instruction Fuzzy Hash: BF418F71A00606FFEB19CFA8DC45EAABBB8FF49314F044229E25592590D774F950CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49431eb976b5db19d4bae1a1a6ff047d0b525daaf070ec19dd31725315206526
                • Instruction ID: d814a1763c55a6e335a89ebb404b2b36323f1ba1c4f69f236ec7fc4042865f90
                • Opcode Fuzzy Hash: 49431eb976b5db19d4bae1a1a6ff047d0b525daaf070ec19dd31725315206526
                • Instruction Fuzzy Hash: 41315B75A616AA9FDB12EF28CD48BAEBBF4FF54300F0440A9E516DB201D634EA41CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df1df39e2bebeee3c5990b18d9ea2743062983eb8510dfe3053bdb42453713e5
                • Instruction ID: 083291a4cdc659d8cf1d10be5477d478239f61c2e6f610be45cc2331288566ed
                • Opcode Fuzzy Hash: df1df39e2bebeee3c5990b18d9ea2743062983eb8510dfe3053bdb42453713e5
                • Instruction Fuzzy Hash: 6931D4B3A20126EBDB258A9D8846B7EB7B4EFD4B44F04406AF601DB294E774DD41D360
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a923127bfa1d19d3bb6850bc5741acb88c5057c0bb1aefed2860b12460c929a8
                • Instruction ID: d8fb7a4e50517a3166f41d9c62175fa053e8203bf165f37fa7f448ea94d116dd
                • Opcode Fuzzy Hash: a923127bfa1d19d3bb6850bc5741acb88c5057c0bb1aefed2860b12460c929a8
                • Instruction Fuzzy Hash: E431F472A00115AFDB11DB49C8C4FEABBB8FF44728F554156FA14AB6A1EB30E900CA60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ca1447021595a39e5cad623caa5b73bec3c3827a29ed14ed1fe5fab34cce468
                • Instruction ID: 4b89e506fe733be65f97ebba6066e8603acae257acc00d455df30d46ceb4df57
                • Opcode Fuzzy Hash: 5ca1447021595a39e5cad623caa5b73bec3c3827a29ed14ed1fe5fab34cce468
                • Instruction Fuzzy Hash: 873102B1F10613BBC72CAF6CDD81A66B7A4FF94304B044639DA0197641EB70F952C791
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b74caf94f1884d8946bf83d2a5f99944e298f3befe1760ef0377b0e908c59222
                • Instruction ID: 807f0a0c321eb2697141044a4ea7298ba8ee92dbcbb6d64ba581283e1bb7f9f2
                • Opcode Fuzzy Hash: b74caf94f1884d8946bf83d2a5f99944e298f3befe1760ef0377b0e908c59222
                • Instruction Fuzzy Hash: 3E316831A142A99FD726DF288C11BEABBB5EF15300F0440D9E5859B301D670D941CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a531882fae5abcafb43b38655cf2e549588b07c2352aaffd38b6ddce9f8d93de
                • Instruction ID: d32a709dd6eaa44e72e022513679b37c09472ba06e8845786603121308d2aec4
                • Opcode Fuzzy Hash: a531882fae5abcafb43b38655cf2e549588b07c2352aaffd38b6ddce9f8d93de
                • Instruction Fuzzy Hash: 9A31B036620606AFDB2ACF28D844B6A7BF4FFA5750F154464EB16DB358D7309822CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1570259ed89b3098b5ea4e96fdad9f7f28cacb4dc1dc7554a4308e4aa65d3d40
                • Instruction ID: f87e8e9ba5e4f2fec147b52fb4e286c26160333baf3c66dda760ca500b79456b
                • Opcode Fuzzy Hash: 1570259ed89b3098b5ea4e96fdad9f7f28cacb4dc1dc7554a4308e4aa65d3d40
                • Instruction Fuzzy Hash: F231A536910545DFEB228FD8D848FADBBB5FB44711F110125FA419B2D5EBB4AD04CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eecce8dbc332a69094ffb984528738712301ad5e57856f3ca88505e4f34faf06
                • Instruction ID: 5e4995a5f0d7ff71fca48a380ba62615056ca5ee89e73860d66affc91c58c83b
                • Opcode Fuzzy Hash: eecce8dbc332a69094ffb984528738712301ad5e57856f3ca88505e4f34faf06
                • Instruction Fuzzy Hash: 9C313A39100002ABC729DF1CD9559BBB3BAEF94704B59812DED06C3654FB71AE06C794
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af9aa1f412b4eb9e95f2a1ec6c34443b403e74927689c5f28bd0778be0ce5d9e
                • Instruction ID: 0aa1a34f455c537c1c4c3fd4cc7eeab53a0abf11a61a98c91cfd9b8c850789c6
                • Opcode Fuzzy Hash: af9aa1f412b4eb9e95f2a1ec6c34443b403e74927689c5f28bd0778be0ce5d9e
                • Instruction Fuzzy Hash: 63313572B04613EBCB12FB9DD840B6EB7A9EF54714F19006AE945EB360DB70EC018B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ce2b71d174a9cc87d1a17013ded3e3dde1683d2f87cda6a21ebeab19688cb71
                • Instruction ID: 77d219a41edd5c0a41bd4bd64664ccbb38f7e09f6aceac48d05391ba8236f8ce
                • Opcode Fuzzy Hash: 1ce2b71d174a9cc87d1a17013ded3e3dde1683d2f87cda6a21ebeab19688cb71
                • Instruction Fuzzy Hash: 7021EB3A200500EFDB3AAF68EC58EBB7769FB84704B06442CFE43CA155D7759902C791
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1658396d5f7f5e5200ca3e4982e1b1a32b1c0279dd91562b79df19c7643db74d
                • Instruction ID: e99c474e87f1fa19647c5483b84afdae63119020fa64e04eb493bffaa4f65d9f
                • Opcode Fuzzy Hash: 1658396d5f7f5e5200ca3e4982e1b1a32b1c0279dd91562b79df19c7643db74d
                • Instruction Fuzzy Hash: 6631DB313206068FD7668E6DC499BAAB3D5AB44714F160F3DEB66871D2CB74E8C1C640
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ea6a84a0114879c9cf93d7d1cbea4aa1874ded872af8cf0710db3c9efda34c3
                • Instruction ID: bb912bf599bfef4b287466f0b68db7faedc9084d4ad075bdf855a8bb4c907e79
                • Opcode Fuzzy Hash: 4ea6a84a0114879c9cf93d7d1cbea4aa1874ded872af8cf0710db3c9efda34c3
                • Instruction Fuzzy Hash: 8D31B172661266FBEB229F99DC94FAE7BB8EF48740F104129FB05E6140CB70D900CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: effc4defe2ba310a7800cfac8bdce8c8fdebc2a0e827972aa1771f2aaab39603
                • Instruction ID: 500382c77c7464da86c32ee891d102ac5ab38bf656cc7e8cac1c25c59fa8f6c2
                • Opcode Fuzzy Hash: effc4defe2ba310a7800cfac8bdce8c8fdebc2a0e827972aa1771f2aaab39603
                • Instruction Fuzzy Hash: 63315476A1020DEBDB19DFD4D984AAEBBB9FF54350F144069EA06A7244E770AF40CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 82497de925189bf600e1e48ab922628a925915ef26e9b764cf402c1cdaa7f789
                • Instruction ID: 49e97fd9d73cd483db13352ad2befe25a69ac6069f54a506aa6a252f2b24f468
                • Opcode Fuzzy Hash: 82497de925189bf600e1e48ab922628a925915ef26e9b764cf402c1cdaa7f789
                • Instruction Fuzzy Hash: 5821D531A1001AEFDB11DF98DA88EBFB7FDFB98240F114069E911D7254EA749E058BD0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 21dba4f73d8b20605004bd8ea3d93342a2dcc25b592e894d1155856e6968139d
                • Instruction ID: 2d990d2f290fca6abe0a2d8d12a43390aa10ca96bf2dcf4529db871a81d6b83b
                • Opcode Fuzzy Hash: 21dba4f73d8b20605004bd8ea3d93342a2dcc25b592e894d1155856e6968139d
                • Instruction Fuzzy Hash: 15316D7591020AEFEB22CF88CC89B69BFB8FF54354F164069EE06A7255C7719D40CB90
                Uniqueness

                • Instruction ID: ee4930dc9ff5afc2471a1a22bf7c21f6c0d6952ef5566fd5fb254e957874fa9c
                • Opcode Fuzzy Hash: 1e51b58db69d65068056f49293f7028e2d83046dd55d08873efb6d25f56e3714
                • Instruction Fuzzy Hash: EF01717A3505629FD73ACF5CD894F26B769FB84B50F150028B601DB6A4CB60FCA1C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68d65a72e6c2d1dd4072069dd02e5b54d6564755c14cc278b89fd35a2eac09d1
                • Instruction ID: 324d4da527960f5fc033b9a87410b0ebea09a18470682cca5c02fa33cd4c926d
                • Opcode Fuzzy Hash: 68d65a72e6c2d1dd4072069dd02e5b54d6564755c14cc278b89fd35a2eac09d1
                • Instruction Fuzzy Hash: FD0188B5110951AFD735DF2DDCC4E57BBA8FB48260F150618F665C71A0CB349C41CB64
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79ded618d490072428315b86d02fb8938a4caf9cb95e529b3d77fea713dac451
                • Instruction ID: a21e814293f93c32e6e3602766e78f2f147f5e601373b33ab041dd7a19ecc376
                • Opcode Fuzzy Hash: 79ded618d490072428315b86d02fb8938a4caf9cb95e529b3d77fea713dac451
                • Instruction Fuzzy Hash: 9601AD3451023AFBDF249B69C5057BDBBF4FF48219F4480A5E9829B484E774DA80DB54
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction ID: 882b2509bc9481799698b1e0d29b0191859a0ef433abb93546c21181456f3716
                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction Fuzzy Hash: B4F0C2B2A00A15ABD334CF4EDC40E57FBEEDBD0A80F048129E545D7260E630ED04C790
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bbbf9383e9bdd4f93ddb1c6600d010423d097e5d2de59b5ba3feef752476924f
                • Instruction ID: e3376582e5c832521016df246be8c97841650bfe534f7ddd0e4d4f194c64ee4c
                • Opcode Fuzzy Hash: bbbf9383e9bdd4f93ddb1c6600d010423d097e5d2de59b5ba3feef752476924f
                • Instruction Fuzzy Hash: E0012CB1A00209ABDB04DFA9D945AAEBBF8FF59714F10406AF901E7391D774E9018BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c7d3e66ece178d853728cc2e5b6a64f5642a353edadc34e709d8f5f1af702c63
                • Instruction ID: d7d0260dbad67bc875a7eafc1bc94d18730b33ea333ce223cf90267529c4b32f
                • Opcode Fuzzy Hash: c7d3e66ece178d853728cc2e5b6a64f5642a353edadc34e709d8f5f1af702c63
                • Instruction Fuzzy Hash: 740121B1A00249ABCB04DFA9D945DEEBBF8FF59714F10406AF905E7391D774E9018BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba8322dcde883230f10b2e36611a01c5bf60a9aa5625cd6dc6fecc5f430f1636
                • Instruction ID: 95cf0853bc75614e66a3104592df79c8759c91910dedaedc577e48d1e8c2ad04
                • Opcode Fuzzy Hash: ba8322dcde883230f10b2e36611a01c5bf60a9aa5625cd6dc6fecc5f430f1636
                • Instruction Fuzzy Hash: 5B012171A00249ABDB00DFAAD9459EEBBF8FF59714F10406AF501E7390D774DA01CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b94e983a7aad8d3b355514d8d2df3de1bd523be973f99029fac4bdf7bb77e65
                • Instruction ID: be03e2afd0b05cb1cad2ffa187b994ff8bf1ed504c0a5b82f640b7af42d1beb4
                • Opcode Fuzzy Hash: 2b94e983a7aad8d3b355514d8d2df3de1bd523be973f99029fac4bdf7bb77e65
                • Instruction Fuzzy Hash: A701A27126838AAFD714DF68DC4AF5B7BE8FB84700F004958F8A5CB181E670D900C751
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e04e0e54af3871c4521197e86c4e702e8f73d7db3fbec67d470433897e08c959
                • Instruction ID: c6ac6d3f09a21756c442d398b3d4c4e0d1019a684d188c2fe708f8e0aa538c09
                • Opcode Fuzzy Hash: e04e0e54af3871c4521197e86c4e702e8f73d7db3fbec67d470433897e08c959
                • Instruction Fuzzy Hash: FEF0E272704E11BBCB2F9A9E5848D5BB6EFAFD9710F084024B505A7254DBB69D0082A4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 550a2e75d2833f4bb02760ce3dff197a45741626f57824a5a1b717df91859497
                • Instruction ID: e03e3f3e4b8d046631ba3411ef17c6e8f877c7a9787524b385e66e019ea778bc
                • Opcode Fuzzy Hash: 550a2e75d2833f4bb02760ce3dff197a45741626f57824a5a1b717df91859497
                • Instruction Fuzzy Hash: D1018F792409419FD219DFA8DCCCF5A7BADEB90648B054124F60147215E738DD00CA90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 95a6beb9c530f7594ef2c12438ee20b35adc8fa6eb047ef9f57c8e8748d5783e
                • Instruction ID: f190f73ddb1d8392b76fbd4f2eb35a0f97dcb516b5a7026c7162e9dd67f4a25e
                • Opcode Fuzzy Hash: 95a6beb9c530f7594ef2c12438ee20b35adc8fa6eb047ef9f57c8e8748d5783e
                • Instruction Fuzzy Hash: 3DF02232640308AFEB24E60DCC42FEA7769DB41714F15016AFF40BB291C7B0A901C6A2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba65c41b40898b77bd799d31f3de06c528d89d3fda8ee104477f1774767bfb75
                • Instruction ID: 94e81082043096fd454735286c9ed0b799f4092b10b6fddf952e9b6b7c22f175
                • Opcode Fuzzy Hash: ba65c41b40898b77bd799d31f3de06c528d89d3fda8ee104477f1774767bfb75
                • Instruction Fuzzy Hash: E1016276250A41EFE7375F08E888F12BB79FB88B21F150164FA105B9A9C7B5D961CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d22b0b250f5e70e9ae00c2f5f3fa4d22e08dabf5b0994502e742e294a7d07c5
                • Instruction ID: 413ab406e0b36203efef5ba1fae1eb4bd17a05a31cbecc482f5de825dda86e8e
                • Opcode Fuzzy Hash: 1d22b0b250f5e70e9ae00c2f5f3fa4d22e08dabf5b0994502e742e294a7d07c5
                • Instruction Fuzzy Hash: 61F0BB72E115317BE336561CAD54F6FAA59DF94A64F060024FA0D97291DB589C11C2D0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d57e44bb0ed717b12ee8dd768eaa5565f41c53c2877458390638d7d5180939fb
                • Instruction ID: 7a7ff1e6ce169335e32269d6bf17c26a3107f3f7d185a094552e3272c25ff38a
                • Opcode Fuzzy Hash: d57e44bb0ed717b12ee8dd768eaa5565f41c53c2877458390638d7d5180939fb
                • Instruction Fuzzy Hash: 2F01F6B16557009FD3298F19E505A16BBE8EF99B60B06C0AAE109DB261DA74D900CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 355d92bea7c416a0df3784e48c85e8fb7bd124693c8feaf9f10f67a67726c0ee
                • Instruction ID: 659df5f47e6f635c28522deb8d392261186c71d0827895fb96dd08eac9380289
                • Opcode Fuzzy Hash: 355d92bea7c416a0df3784e48c85e8fb7bd124693c8feaf9f10f67a67726c0ee
                • Instruction Fuzzy Hash: F5F0AF36110685EBD7229F69E90DE5B7BB8EF8A754F01402AF60287621D235D814CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0ecd178737126e2168e04b07b739c25b5cad9381ad749f55a91b92dcf245f09
                • Instruction ID: a46d19baf395e8e86ee74c98396ca9dca8ae8bd6d2ec33f3a3c6b27ca77938ec
                • Opcode Fuzzy Hash: f0ecd178737126e2168e04b07b739c25b5cad9381ad749f55a91b92dcf245f09
                • Instruction Fuzzy Hash: 6FF0F6713047465BF794960D8C81BA6329AE7D0794F698026EF098BED1FA70DC408290
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5677fd9fa9088aa191529868b703a2b046180a330e48ef368fe8511c361b303e
                • Instruction ID: ac17587d9bee871f0a314b7a69df0959a587fe673d5b1675c2ca1a9045428f97
                • Opcode Fuzzy Hash: 5677fd9fa9088aa191529868b703a2b046180a330e48ef368fe8511c361b303e
                • Instruction Fuzzy Hash: 2B016D75660309ABD709DFA8D881E9E77F5BF4C700F108529F41ADB281EA70E900CB54
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1e1061086379d4e8dbed8c6de5763aea66ad426efc81d0d98776ab6a609e901
                • Instruction ID: 8b0782b4bd301af02fc43e39cebcbe5bf2eaadf38add9aff1b8e1d2c11914445
                • Opcode Fuzzy Hash: d1e1061086379d4e8dbed8c6de5763aea66ad426efc81d0d98776ab6a609e901
                • Instruction Fuzzy Hash: 3E016D75620308AFD709CF68D891E9E77F5FB48700F008528F80ADB281EBB0E900CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c2ea7ef9d81ece124eb6479585a1282389334a56759a944d7270085a9465b5ac
                • Instruction ID: ffd11b924f71b44f95737835d68fe05e2ac46f69125899f0460486f006d18d81
                • Opcode Fuzzy Hash: c2ea7ef9d81ece124eb6479585a1282389334a56759a944d7270085a9465b5ac
                • Instruction Fuzzy Hash: 7CF0B4B5210611AFDB269F69DC84A26B6E9FF98211F10482DE19AC6620DA789850CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 051a654a8e59c7f54dedace2fd7a707a0177515a670c498e246366c088ad7e18
                • Instruction ID: bb1b14aeddd8e7df655ec60abcc6229630046cbce8b1b0f795b3561897f8fc2f
                • Opcode Fuzzy Hash: 051a654a8e59c7f54dedace2fd7a707a0177515a670c498e246366c088ad7e18
                • Instruction Fuzzy Hash: D601FB76240940EFC7379F0ADD08E03BBF9FB95B10B014569F10687971C774A851CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cc3c4711c6c683531491b8f218358f042b2bc1e72c3bf3756b75e238d2f4bfdb
                • Instruction ID: 48d2cb7f4f6b21e6c45b8ce3f96370ca187418219023ca1e3dffe6038097b351
                • Opcode Fuzzy Hash: cc3c4711c6c683531491b8f218358f042b2bc1e72c3bf3756b75e238d2f4bfdb
                • Instruction Fuzzy Hash: A7F0BBF3104703AFEB3B060CEC48B52FF95EFC1B18F150519F744955A1D762A880C150
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eae2906bbb55875c2e9078e6d78a277d3d409aa36362caf35c3b59927e496a0f
                • Instruction ID: 4b678a7f7fe4e18c61091d69038cc8fdbbc2f3e8258de2fee69a9c17d8639a43
                • Opcode Fuzzy Hash: eae2906bbb55875c2e9078e6d78a277d3d409aa36362caf35c3b59927e496a0f
                • Instruction Fuzzy Hash: 56F03776110941DFC3375F19E808D13FBB4FBD8B10B050629F6864AA24C6759892DF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction ID: 339d67b4cdffaf56efb11785c366724efe6d490ecb9ebf6ed2acef83774a6d91
                • Opcode Fuzzy Hash: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction Fuzzy Hash: 51F0B43A250105FBDF12DB44DA05BDE77B2ABA0751F204014E911A71A4C774CE05DA50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction ID: a61a26e88ed32f77eede21ea33747c1543ff87e0c7aca8d3746ee33bb9b6fda4
                • Opcode Fuzzy Hash: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction Fuzzy Hash: 87F0BE36260109FBDF229B48DD05F9E77B2AB84751F200024F501AB1A0CBB4CE40EB04
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction ID: e9997cca7b4fd50cdc17f4559d37841f61744fb3e2bf17303a50ea4f25f0b351
                • Opcode Fuzzy Hash: 71ba3ce73d926b533d35ae577502ef40221611bd6d7d68ff1c62de6fd429ad4b
                • Instruction Fuzzy Hash: BDF0BE36210105FBDF22AB58D905B9E77B2EB90355F208028FA01AB1A0DB74CE40EA14
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 26341ddda219a7548f5af24c28c6fa0372e81cfe437015e2b8d6208238fb6c7e
                • Instruction ID: 665c0a7c16bc4c032ab26c8248f0a92566471b0be2b5f16f9c67de07d828b9e9
                • Opcode Fuzzy Hash: 26341ddda219a7548f5af24c28c6fa0372e81cfe437015e2b8d6208238fb6c7e
                • Instruction Fuzzy Hash: CCF0E53390461467C231AA5D8C05F6AFBACDBE4B70F10432ABA249B1E0DAB0AA01D7D5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd44f71bd99c4d1ee60012d17ee5fbe0c2731c6dd3ee1c12c44023691fd545e6
                • Instruction ID: ea9a6edaf809af7a3e0e9f40e885052e58ddec8be2d6e17e93a6e8439c2b0551
                • Opcode Fuzzy Hash: dd44f71bd99c4d1ee60012d17ee5fbe0c2731c6dd3ee1c12c44023691fd545e6
                • Instruction Fuzzy Hash: B8E0E537210620BBE3325B1CAC0CE5A7FA9EBC07B0F260128FA15D7190EA61CC01CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2142109e8961cfe77b5c14b2ae126c0f93587ccbb25757e9bda370444ba250cb
                • Instruction ID: ced2fa32a15eaf48359a1fbee18f3a1c09b2c3483138a2a397b3fc5923ba20b3
                • Opcode Fuzzy Hash: 2142109e8961cfe77b5c14b2ae126c0f93587ccbb25757e9bda370444ba250cb
                • Instruction Fuzzy Hash: 98E09236660625BBD7326FA9EC5CF1B7B9CEF44651F024420F606DA520D664E800D790
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f120bc286dcc4f39579097b259ecd53aadf1336debc4eb3b57c80da17c2ae1a5
                • Instruction ID: d54a346ecfe9580922ea040806820953c1fa3e85a071263000166a2d9906664b
                • Opcode Fuzzy Hash: f120bc286dcc4f39579097b259ecd53aadf1336debc4eb3b57c80da17c2ae1a5
                • Instruction Fuzzy Hash: 39F065365216129FE735AF0CD808B66FBB4FFD0B11F254029E616575A4CB74A851CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb330cf5dd18d9b6a4bff239376c6637792636af823824c39ce4fc10143abf88
                • Instruction ID: fb336621f12ddc4ded134edd7a7944f5fe93861e7a477f593af3c0b7e5cad5ee
                • Opcode Fuzzy Hash: eb330cf5dd18d9b6a4bff239376c6637792636af823824c39ce4fc10143abf88
                • Instruction Fuzzy Hash: A4F08C322506109FC7374F04DC04F22BB74FB81B20F160658E5051B5A1C775B852CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f6acf380ab38bf84f3b107bdd11aabb40b440396328f404a8eba358c959e225c
                • Instruction ID: 8c54c460bfebd3cc8c21488618f2c216b3e6837beb5023896c599941126ce9eb
                • Opcode Fuzzy Hash: f6acf380ab38bf84f3b107bdd11aabb40b440396328f404a8eba358c959e225c
                • Instruction Fuzzy Hash: 35E06D32640A46CFEB3A9FB8D428B1A7BE6EF15224B110175D811CA1D5DB758991CB01
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.2765864348.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_11dd000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 70f039d36e657b2499340febf03b3421a66fb355d3f2e71a1e0a11c19629e08c
                • Instruction ID: 887937ac4712c0bba0ca1e02566d393c67bf0d08e2badf50252f3dc1b048ae83
                • Opcode Fuzzy Hash: 70f039d36e657b2499340febf03b3421a66fb355d3f2e71a1e0a11c19629e08c
                • Instruction Fuzzy Hash: E5F065F2511B11DBEB360B08E909B62BAF0EB54B12F05841DF799565A0C374E890CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.2765194502.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.000000000057D000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D7000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D9000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765410200.00000000005DB000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765429418.00000000005EF000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765443358.00000000005F0000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765458671.00000000005F8000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765472870.00000000005FE000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765521155.0000000000690000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765549400.00000000006D1000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765565125.00000000006D5000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765579772.00000000006D6000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765616553.0000000000731000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_Dtldt.jbxd
                Similarity
                • API ID: H_prolog
                • String ID: Button$CheckBox$ComboLBox$GroupBox$Radio$ka)
                • API String ID: 3519838083-778572818
                • Opcode ID: ac6227d8403fd78fa72e3b1b1dbfbaebd5e6679db9e705c5c52e2a5fb44eaff0
                • Instruction ID: 4e6e0563b22fb279f9115b36b4ea8f2f229353e7383cc66f1524e5911ac984c3
                • Opcode Fuzzy Hash: ac6227d8403fd78fa72e3b1b1dbfbaebd5e6679db9e705c5c52e2a5fb44eaff0
                • Instruction Fuzzy Hash: AEC1E670B0420DAADF58AF69D9517FE3EA56B15701F20801FF81AEA2C1CE7C4BC1965E
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.2765194502.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.000000000057D000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D7000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D9000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765410200.00000000005DB000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765429418.00000000005EF000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765443358.00000000005F0000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765458671.00000000005F8000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765472870.00000000005FE000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765521155.0000000000690000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765549400.00000000006D1000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765565125.00000000006D5000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765579772.00000000006D6000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765616553.0000000000731000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_Dtldt.jbxd
                Similarity
                • API ID: H_prolog
                • String ID: Edit$ListBox$RICHEDIT$SysHeader32$SysIPAddress32$SysListView32$SysTabControl32$SysTreeView32$msctls_trackbar32
                • API String ID: 3519838083-1485315085
                • Opcode ID: 696aa2a8f190c64ba7ccbbbf9e02e57f5c37d4120587583b53fbe452b2a670fc
                • Instruction ID: aecb75d3286cdd77751de1033035295991afe75e6fc574e18052f4de222e0f9e
                • Opcode Fuzzy Hash: 696aa2a8f190c64ba7ccbbbf9e02e57f5c37d4120587583b53fbe452b2a670fc
                • Instruction Fuzzy Hash: C4718771C45158EEDB41EBF8C855AEDBBB8AF1A300F14808EE46667292DA741E08DF35
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.2765194502.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.000000000057D000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D7000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D9000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765410200.00000000005DB000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765429418.00000000005EF000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765443358.00000000005F0000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765458671.00000000005F8000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765472870.00000000005FE000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765521155.0000000000690000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765549400.00000000006D1000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765565125.00000000006D5000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765579772.00000000006D6000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765616553.0000000000731000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_Dtldt.jbxd
                Similarity
                • API ID:
                • String ID: $&$.$6$>$@$d$e
                • API String ID: 0-2702541336
                • Opcode ID: 2a7f3580ca243aecfe75ad1fbb1a42ff8d4b2ce4270ded13bfc48303b62d24c6
                • Instruction ID: 9a9323a1d08443b5c7ad518ffd851957c2db0c335e51a15eeeb8de25b837bd7b
                • Opcode Fuzzy Hash: 2a7f3580ca243aecfe75ad1fbb1a42ff8d4b2ce4270ded13bfc48303b62d24c6
                • Instruction Fuzzy Hash: A0D1E1713083519FEB24DB2AD885B2FB7E9EFC4714F840A1EF59483281C779D8058B5A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0138F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_138f000_Dtldt.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: [
                • API String ID: 48624451-784033777
                • Opcode ID: d303d9cbccb44c0c8dde02a755f4b0dc86ad410793161eee0eea7cf7ba406c92
                • Instruction ID: 9b1b477846cf1efdd31e18574457dc6209e0fc7e8d1a8d87298e8ca9fbde8aa5
                • Opcode Fuzzy Hash: d303d9cbccb44c0c8dde02a755f4b0dc86ad410793161eee0eea7cf7ba406c92
                • Instruction Fuzzy Hash: 032181B2A01119AB9B11DFAAC8409FFBBF8EF15250B44012BFD05E3350EB30DA118BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.2765194502.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.000000000057D000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D7000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D9000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765410200.00000000005DB000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765429418.00000000005EF000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765443358.00000000005F0000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765458671.00000000005F8000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765472870.00000000005FE000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765521155.0000000000690000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765549400.00000000006D1000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765565125.00000000006D5000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765579772.00000000006D6000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765616553.0000000000731000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_Dtldt.jbxd
                Similarity
                • API ID: H_prolog
                • String ID: SetLayeredWindowAttributes$User32.dll
                • API String ID: 3519838083-2510956139
                • Opcode ID: b8c50c929015d896256776c1d14f10529acc58ae289994a235b140e70cd3dc9e
                • Instruction ID: f2122eaac543ee4e87c9681b6cdebff770e5921032e0c60e68518806e08118d5
                • Opcode Fuzzy Hash: b8c50c929015d896256776c1d14f10529acc58ae289994a235b140e70cd3dc9e
                • Instruction Fuzzy Hash: A4F0F43160528467CB11FB79AC99BEEBFAAFF42700F50841AF08157103D768854A976E
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.2765194502.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.000000000057D000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D7000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765217331.00000000005D9000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765410200.00000000005DB000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765429418.00000000005EF000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765443358.00000000005F0000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765458671.00000000005F8000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765472870.00000000005FE000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765521155.0000000000690000.00000040.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765549400.00000000006D1000.00000080.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765565125.00000000006D5000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765579772.00000000006D6000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.2765616553.0000000000731000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_Dtldt.jbxd
                Similarity
                • API ID: H_prolog
                • String ID: Button$GroupBox$Radio$Static
                • API String ID: 3519838083-1181569466
                • Opcode ID: 93a90577c10da5ce67ec726e46de5a500d3ec8206a5ebe7e656fb6865502cd85
                • Instruction ID: 563dbf6bdf59c30974a92fc3ca0533c7eb6812272e92fe5cefcaad2ef3dacaa8
                • Opcode Fuzzy Hash: 93a90577c10da5ce67ec726e46de5a500d3ec8206a5ebe7e656fb6865502cd85
                • Instruction Fuzzy Hash: C431A661C46198ADDB45E7F8C855AEDBFB5DF1A300F24808EE86567282EA741D0DCB38
                Uniqueness
                • Uniqueness Score: -1.00%